Oklahoma recently enacted Senate Bill 626, which substantially amends the state’s data breach notification law to broaden the scope of notification obligations and add a new regulator notification requirement along with a new “safe harbor”-style provision that provides liability protections if certain security measures are implemented.  The changes to Oklahoma’s law follow changes to other state data breach notification laws within the past year, including New York’s addition of a 30-day deadline for notice to individuals (added in early 2025) and Pennsylvania’s addition of a regulator notification requirement and obligations to provide free credit monitoring (added in mid-2024).  Key updates from Oklahoma’s bill, which will go into effect on January 1, 2026, are discussed in further detail below.

  • Changes to the Definition of Personal Information.  Similar to other state data breach notification laws, Oklahoma’s existing law requires notification to state residents following a “breach” of unencrypted computerized data that includes personal information.  The bill will expand the definition of personal information to include, among other data elements, an individual’s name in combination with (1) “other unique identification numbers” that are “created or collected by a government entity”; (2) “unique electronic identifier or routing code in combination with any required security code, access code, or password that would permit access to an individual’s financial account”; or (3) “unique biometric data such as a fingerprint, retina or iris image, or other unique physical or digital representation of biometric data to authenticate a specific individual.”
  • New Regulator Notification Requirement.  Once the bill’s changes become effective, Oklahoma will require entities to notify the Attorney General of breaches involving 500 or more residents.  The threshold is higher—1,000 or more residents—for breaches of credit bureau security systems.  Notice to the Attorney General must be provided no more than 60 days after providing notice to individual residents (which must be made “without unreasonable delay,” subject to exceptions), and the notice to the Attorney General must include:
    •  the date of the breach;
    • the date of the breach determination;
    • the nature of the breach;
    • the type of personal information exposed;
    • the number of Oklahoma residents affected;
    • the estimated monetary impact of the breach (if it can be determined); and
    • any “reasonable safeguards” the entity employs (defined as discussed below).
  • New Sector-Specific Notification Safe Harbors.  The bill expands Oklahoma’s sector-specific safe harbor provisions to deem entities that are compliant with the Gramm-Leach-Bliley Act (GLBA), the Oklahoma Hospital Cybersecurity Protection Act, and/or the Health Insurance Portability and Accountability Act (HIPAA), as compliant with Oklahoma’s individual notification requirements as long as the entities provide any required notice to the Attorney General.
  • Affirmative Defense for “Reasonable Safeguards.”  While Oklahoma’s existing data breach notification law provides for civil penalties of up to $150,000 per breach for violations of the law, the bill states that entities that use “reasonable safeguards” and provide notice in accordance with the statute will not be subject to civil penalties and can use such compliance as an affirmative defense in civil actions filed under the statute.  Reasonable safeguards are defined as “policies and practices that ensure personal information is secure, taking into consideration an entity’s size and the type and amount of personal information.”  (This affirmative defense could be construed narrowly, since it may be challenging to demonstrate that safeguards are “reasonable” where they must “ensure personal information is secure[.]”)  Further, the bill states that the term includes, but is not limited to, “conducting risk assessments, implementing technical and physical layered defenses, employee training on handling personal information, and establishing an incident response plan.”  If an entity fails to use reasonable safeguards but provides notice in accordance with the law, civil penalties will be capped at $75,000 plus actual damages.

Tags: Cybersecurity, Data Breach, Oklahoma
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ashden Fein Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels…

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks. Ashden is a retired U.S. Army officer.

Read more about Ashden FeinEmail
Show more Show less
Photo of Caleb Skeath Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes…

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

Read more about Caleb SkeathEmail
Show more Show less
Photo of Micaela McMurrough Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other…

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Read more about Micaela McMurroughEmail
Show more Show less
Photo of Emily Pehrsson Emily Pehrsson

Emily Pehrsson works across sectors to counsel national and multinational companies on data privacy and cybersecurity issues.

In particular, Emily’s practice includes partnering with clients on the development of new products and services, designing privacy governance programs, and developing privacy disclosures and settings.

Emily Pehrsson works across sectors to counsel national and multinational companies on data privacy and cybersecurity issues.

In particular, Emily’s practice includes partnering with clients on the development of new products and services, designing privacy governance programs, and developing privacy disclosures and settings. Emily also counsels clients on topics such as cyber incident response, compliance with state and federal privacy and cybersecurity regulations, and government investigations. She routinely advises on complex national security and financial privacy regulatory frameworks.

In addition to her regular practice, Emily maintains a pro bono practice counseling small and nonprofit clients on privacy and cybersecurity, supporting domestic violence survivors, and handling criminal matters.

Read more about Emily PehrssonEmail
Show more Show less
Photo of Sierra Stubbs Sierra Stubbs

Sierra Stubbs advises clients on a wide range of cybersecurity, data privacy, artificial intelligence, and public policy matters. As part of her data privacy and cybersecurity practice, Sierra helps clients navigate government and internal investigations, cybersecurity incident response, and compliance with U.S. state…

Sierra Stubbs advises clients on a wide range of cybersecurity, data privacy, artificial intelligence, and public policy matters. As part of her data privacy and cybersecurity practice, Sierra helps clients navigate government and internal investigations, cybersecurity incident response, and compliance with U.S. state and federal privacy and cybersecurity laws and standards. As part of her public policy practice, Sierra supports the development of clients’ public policy strategies and initiatives, including those related to intellectual property, innovation, and artificial intelligence.

Prior to joining Covington, Sierra served in the Office of the Chief of Staff to the U.S. Secretary of Commerce, most recently as a Special Advisor.

Read more about Sierra StubbsEmail
Show more Show less