On April 11, 2025, North Dakota Governor Kelly Armstrong signed into law House Bill 1127 which is nearly identical to the Gramm-Leach-Bliley Act Safeguards Rule, including the more recent amendments regarding data breach notifications. The law will go into effect August 1, 2025.
Applicability
The law applies to “financial corporations,” which are “all entities regulated by the department of financial institutions, excluding financial institutions and credit unions.” That includes:
- Collection agencies;
- Debt settlement service providers;
- Deferred presentment (payday) service providers;
- Money brokers;
- Money transmitters;
- Mortgage loan originators; and
- Mortgage loan servicers.
Similarity to GLBA Safeguards Rule
Commissioner Lisa Kruse testified that the Department of Financial Institutions wanted to have the same cybersecurity protection authority over nonbank financial institutions as the federal government. She went on to say:
“So, this bill is a Model Law that will add the FTC Safeguards rule into state statute, and the reason why this would be needed in state statute is due to the lack of clarity whether we as a state can enforce compliance with the federal rules directly. We may identify failures in compliance during our exams and by adopting this Model Law, we are provided then with enforcement authority and the ability to address specific needs such as data breach notifications. It is important to note that this statute does not create any additional burden or rules for the industry because these companies are already subject to the those.”
That appears to be largely accurate as the definitions, standards for safeguarding customer information, and security program elements are nearly identical to those in the Safeguards Rule.
Data Breach Notifications
Like the Safeguards Rule, the North Dakota law requires notice if a notification event “involves the information of at least five hundred consumers,” though the notice is to the Commissioner rather than the Federal Trade Commission.
The definition of “consumer” is not limited to residents, and is defined, in part, as “an individual, or that individual’s legal representative, who applies for or has obtained a financial product or service from a financial corporation,” i.e., from an entity “regulated by the department of financial institutions, excluding financial institutions and credit unions.”
It should be noted that North Dakota’s data breach notification statutes, N.D. Cent. Code § 51-30-01, et seq., still apply and require notification to residents, as well to the attorney general if the breach affects more than 250 individuals.
This Member Alert is intended for members of the Receivables Management Association International, is for informational purposes only, and is in no way intended to provide legal advice. Members are encouraged to consult with an attorney of their choice for legal advice concerning this matter.