This text of Oklahoma § 24-163 (Duty to provide notice of breach.) is published on Counsel Stack Legal Research, covering Oklahoma primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.
A.An individual or entity that owns or licenses computerized data that includes personal information shall provide notice of any breach of the security of the system following determination or notification of the breach of the security of the system to any resident of this state whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state. Except as provided in subsection D of this section or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system, the disclosure shall be made without
Free access — add to your briefcase to read the full text and ask questions with AI
A. An individual or entity that owns or licenses computerized data that includes personal information shall provide notice of any breach of the security of the system following determination or notification of the breach of the security of the system to any resident of this state whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state. Except as provided in subsection D of this section or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system, the disclosure shall be made without unreasonable delay. B. An individual or entity shall provide notice of the breach of the security of the system if encrypted or redacted information is accessed and acquired in an unencrypted or unredacted form or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such breach has caused or will cause identity theft or other fraud to any resident of this state. C. An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall provide notice to the owner or licensee of the information of any breach of the security of the system as soon as practicable following determination, if the personal information was or if the entity reasonably believes it was accessed and acquired by an unauthorized person. D. Notice required by this section may be delayed if a law enforcement agency determines and advises the individual or entity that the notice will impede a criminal or civil investigation or homeland or national security. Notice required by this section must be made without unreasonable delay after the law enforcement agency determines that notification will no longer impede the investigation or jeopardize national or homeland security. E. 1. An individual or entity required to provide notice in accordance with subsection A or B of this section shall also provide notice to the Attorney General of such breach without unreasonable delay but in no event more than sixty (60) days after providing notice to impacted residents of this state as required by this section. The notice shall include the date of the breach, the date of its determination, the nature of the breach, the type of personal information exposed, the number of residents of this state affected, the estimated monetary impact of the breach to the extent such impact can be determined, and any reasonable safeguards the entity employs. 2. A breach of a security system where fewer than five hundred (500) residents of this state are affected within a single breach shall be exempt from the notice requirements of paragraph 1 of this subsection. 3. A breach of a security system maintained by a credit bureau where fewer than one thousand (1,000) residents of this state are affected within a single breach shall be exempt from the notice requirements of paragraph 1 of this subsection. F. Any personal information submitted to the Attorney General shall be kept confidential pursuant to Section 24A.12 of Title 51 of the Oklahoma Statutes.