[co-author: James O'Reilly]*
North Dakota recently passed a law establishing new rules for certain financial companies operating in the state – specifically “financial corporations.” The new obligations will take effect on August 1, 2025. They will apply to businesses that the North Dakota department of financial institutions regulates. Financial institutions (like banks and loan companies) and credit unions are not regulated by that entity.
Under the new requirements, covered entities must create a written information security program and designate a person to oversee that program. Covered entities must base their information security programs on a written risk assessment that identifies risks to their customers’ information. The program includes breach response and reporting provisions for incidents that impact customer information. Covered entities will also have to periodically complete new risk assessments to evaluate their security measures and monitor the efficacy of the program.
The law also creates new rules for reporting data breaches. Namely, covered financial companies must notify the North Dakota Commissioner of the Department of Financial Institutions if there is a “notification event.” A notification event occurs when an unauthorized person accesses unencrypted customer information. If this event involves the information of at least 500 customers, the company must notify the Commissioner as soon as possible, but no later than 45 days after discovering the issue. The law states that a covered entity “discovers” an event as soon as any employee, officer, or agent of the corporation learns about it.
*James O'Reilly is a Cybersecurity and Privacy Fellow in the firm’s Chicago office.
Putting it Into Practice: Financial corporations regulated by the North Dakota department of financial institutions should take note of these changes and make updates as might be needed to their security program and incident response plan prior to August 1st.
