New Data Security Law Targets North Dakota Financial Services

A North Dakota law, signed by Governor Kelly Armstrong on April 11, will establish new data security requirements for certain financial institutions and non-banking financial service providers. Its provisions, effective August 1, are summarized in a post by attorney Zachary Heck from the Taft law firm.

Among the entities covered are mortgage lenders, debt collection agencies, debt settlement providers, and payday lenders. Banks, credit unions, and other entities regulated by North Dakota’s Department of Financial Institutions are exempted.

The law requires affected organizations to establish a governance structure, including a qualified chief security officer or equivalent, to be responsible for implementing and enforcing an information security program.

Other requirements include conducting periodic internal risk assessments, implementing access controls and authentication protocols, encrypting consumer information, and performing regular penetration and vulnerability assessments.

The law also specifies that within 45 days of discovering a security breach affecting 500 or more people, the organization must notify the state’s Department of Financial Institutions.

The author notes that this provision, unlike similar provisions in most state notification laws, requires that the tally of affected consumers include persons who are not state residents. 

Potential penalties include cease-and-desist orders, fees of up to $100,000 per violation, with additional penalties for each day a violation continues after receipt of an order, and possible suspension or revocation of a license or removal of specified executives or other employees from their positions. 

The requirements of the North Dakota data security law are similar in some respects to those of the widely emulated New York Department of Financial Services (NYDFS) Cybersecurity Regulation, which emphasizes “the role of senior management in effective security programs, as well as the necessity of regular assessments and reporting.”