Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?


It's statutes may include:

  • Specific notification delivery;
  • Data owner responsibility for reporting and notifications;
  • Vendors must notify the ND Data Owner immediately if breached;
  • State attorney general may nee dto be notified;
  • State attorney general has authority to investigate non-compliance issues.  Person can receive an injunction, cease & desist order, or fines of $5,000 per violation;
  • Injured individuals may file suit for out-of-pocket losses;

Who Me?


North Dakota breach and notification laws may apply if you are any person that:

  • Owns or licenses computerized data containing PII;
  • Maintains computerized data that they do not own and includes PII.

There are exemptions.

Other state laws, federal laws, industry regulations, and/or out-of-country laws may also apply.

What is PII?


PII relevant to a breach includes a name with one or more of the following:

  • Social security, operator’s license, or non-driver identification numbers;
  • Financial account or credit or debit card numbers, with security/access codes, or passwords allowing access to the account;
  • Date of birth;
  • Maiden name of individual's mother;
  • Medical/Health information;
  • ID Number assigned by employer with security/access codes, or passwords
  • Digitized or other electronic signature



The statutes include, but are not limited to:

North Dakota Century Code / Title 51-30: Notice Of Security Breach For Personal Information / §51-30-01 to 51-30-07


The statutes include, but are not limited to:

North Dakota Century Code / Title 51-07: Miscellaneous Provisions / §51-07-27



The state attorney general enforces the law and may conduct an investigation, seek an injunction, issue an order to cease and desist, and more. The court may issue a civil penalty of $5,000 per violation. Injured individuals may file suit for out-of-pocket losses.



When considering reporting requirements, it would include, but not limited to:

  • The combination of personal information breached;
  • If the data was computerized;
  • If the data was secured by encryption or any other method;
  • If the data included any kind of key, password, etc.;
  • If it was acquired by an unauthorized person.


Notification may be delayed if law enforcement advises the person it will interfere with an investigation, otherwise the notification must be made in the most expedient time possible and without unreasonable delay.


Requires detailed information and potential provision of services

The notification may be delivered in written form or electronically (consistent with US Code Section 7001 of Title 15).

A substitute notice, with specific requirements, may be sent if the cost of providing the notice would exceed $250,000, or the persons to be notified exceeds 500,000, or they do not have sufficient contact information.

Contact the Privacy Experts at CSR