| Update Applicable to: | Effective Date |
| --- | --- |
| All Covered Entities | January 1, 2026 |
What happened?
On May 28, 2025, Oklahoma Senate Bill 626 became law without the Governor’s signature, significantly strengthening the state’s data breach notification requirements and introducing new protections for residents. This law applies to breaches discovered or notified on or after January 1, 2026.
Overview:
Highlights of the Data Breach Amendment – SB 626
Expanded Definition of Personal Information (Section 1 – 24 O.S. §162): The law broadens what qualifies as personal information to include:
- Government-issued unique identification numbers
- Electronic financial access credentials (e.g., routing codes with passwords)
- Biometric data (e.g., fingerprints, retina scans)
Mandatory Notification to the Attorney General (Section 2 – 24 O.S. §163): Entities must notify the Oklahoma Attorney General within 60 days of informing affected individuals if a breach impacts:
- 500 or more residents, or
- 1,000 or more residents in the case of credit bureau breaches
The notice must include:
- Breach date and determination date
- Nature and type of data exposed
- Number of residents affected
- Estimated financial impact
- Security measures in place
Safe Harbor for Regulated Entities (Section 3 – 24 O.S. §164): Organizations compliant with federal or state cybersecurity laws, such as GLBA, HIPAA, or the Oklahoma Hospital Cybersecurity Protection Act, are exempt from individual notification if they notify the Attorney General.
Affirmative Defense for Reasonable Safeguards (Section 4 – 24 O.S. §165): Entities that implement “reasonable safeguards” and comply with notification rules are protected from civil penalties. These safeguards include:
- Risk assessments
- Layered technical and physical defenses
- Employee training
- Incident response plans
Penalties:
- No penalty if safeguards are used and notice is provided.
- Entities that fail to use safeguards but still notify affected individuals face a reduced penalty of $75,000 plus actual damages.
- Up to $150,000 per breach if neither safeguards nor proper notice is provided.
This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.