Can I avoid having a data breach response plan in North Dakota? What are the requirements?

To comply with North Dakota law, entities that handle personal information are required to have a data breach response plan ^[5.1]. The plan must be consistent with the timing requirements of the law and must notify subject individuals in accordance with its policies in the event of a breach of security of the system ^[5.1]. Additionally, licensees must develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee’s information system ^[4.2]. The information security program must be designed to protect the security and confidentiality of nonpublic information and the security of the information system, protect against any threats or hazards to the security or integrity of nonpublic information and the information system, protect against unauthorized access to or use of nonpublic information, and minimize the likelihood of harm to any consumer ^[4.2].

Based on the documents provided, it is not possible to avoid having a data breach response plan in North Dakota if an entity handles personal information. Therefore, it is required to have a data breach response plan in North Dakota.

Source(s):

• [5.1] Alternate compliance.
• [4.2] Information security program.

Jurisdiction

North Dakota

• Privacy