On May 28, 2025, Oklahoma Senate Bill 626 became law without the Governor’s signature. The legislation amends Oklahoma’s data breach notification law and will go into effect January 1, 2026.
The amendments include expansion of the definition of “personal information” by including, in combination with an individual’s first name or initial and last name:
- any required expiration date in combination with a financial account number or credit or debit card number;
- a unique electronic identifier or routing code in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or
- unique biometric data such as a fingerprint, retina or iris image, or other unique physical or digital representation of biometric data used to authenticate a specific individual.
If a breach of a security system affects 500 or more residents, notification to the Attorney General is required within 60 days and must include:
- the date of the breach;
- the date of its determination;
- the nature of the breach;
- the type of personal information exposed;
- the number of residents affected;
- the estimated monetary impact of the breach; and
- any reasonable safeguards the entity employs.
Currently, the Act provides for civil penalties not to exceed $150,000, and the amendments state that “[c]ivil penalties shall be based upon the magnitude of the breach, the extent to which the behavior of the individual or entity contributed to the breach, and any failure to provide the notice required by Section 163 of this title.”
The amendments also address the use of, and failure to use, reasonable safeguards. “Reasonable safeguards” are defined as “policies and practices that ensure personal information is secure, taking into consideration an entity’s size and the type and amount of personal information. The term includes, but is not limited to, conducting risk assessments, implementing technical and physical layered defenses, employee training on handling personal information, and establishing an incident response plan.”
The amendments provide that an individual or entity that uses reasonable safeguards and provides proper breach notifications will not be subject to civil penalties and will have an affirmative defense. On the other hand, failure to use reasonable safeguards can result in a civil penalty of $75,000, provided the breach notification requirements are met. In either case, if the notification requirements are not met, then the higher $150,000 civil penalty cap applies.
For a chart comparing the state comprehensive data privacy laws, visit RMAI’s Privacy and Data Security Resource Center (login required).
RMAI strongly recommends that its members share this Member Alert with those in their organization who are responsible for their operations, compliance, and legal matters.
This Member Alert is intended for members of the Receivables Management Association International, is for informational purposes only, and is in no way intended to provide legal advice. Members are encouraged to consult with an attorney of their choice for legal advice concerning this matter.