Key point: Oklahoma recently updated its breach notification statute for the first time since enactment, aligning with broader state trends and underscoring the ongoing, continuous review of data breach notification laws by lawmakers.

Effective January 1, 2026, Oklahoma’s Senate Bill 626 substantially revises the state’s data breach notification statute by expanding the definition of personal information, introducing a regulatory notice requirement, and updating safe-harbor exemptions. The amendments are the first changes to the law since it was enacted in 2008 and are consistent with trends in other states in recent years. For example, California adopted similar amendments set to take effect on January 1, 2026.

The article below provides an overview of the amendments.

SB 626 Amendments

Personal Information Broadened

Currently, Oklahoma’s data breach notification statute defines personal information as an individual’s first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of the state when the data elements are neither encrypted nor redacted:

  • Social Security number;
  • Driver’s license or state identification card number;
  • Financial account, credit or debit card number, in combination with any required security or access code or password permitting access to a resident’s financial account.

SB 626 broadens the definition to include:

  • A unique electronic identifier or routing code in combination with any required security code, access code, or password that would permit access to an individual’s financial account, and
  • Unique biometric data such as a fingerprint, retina or iris image, or other unique physical or digital representation of biometric data to authenticate a specific individual.

Regulatory Notice Now Required

Since enactment, Oklahoma’s data breach notification statute has not required notice to state regulators. Beginning January 1, 2026, covered entities that must notify 500 or more affected residents must also notify the attorney general without unreasonable delay and no later than 60 days after providing notice to residents. The notice must include:

  • Date of the breach;
  • Date the breach was determined;
  • Nature of the breach;
  • Types of personal information involved;
  • Number of affected Oklahoma residents;
  • Estimated monetary impact (to the extent determinable); and
  • “Reasonable safeguards” employed.

The law defines “reasonable safeguards” as security measures appropriate to an entity’s size and data profile, including risk assessments, layered technical/physical defenses, employee training, and an incident response plan.

In addition to notifying the attorney general, the law requires covered entities to notify credit bureaus when a breach involves more than 1,000 residents.

Revised Safe Harbors

SB 626 expands and specifies the categories of entities deemed compliant with notification obligations, contingent on providing notice to the attorney general. Entities compliant with any of the following frameworks are likewise deemed compliant:

  • Gramm-Leach-Bliley Act (GLBA);
  • Oklahoma Hospital Cybersecurity Protection Act; and
  • Health Insurance Portability and Accountability Act (HIPAA).

Penalty Exemptions and Caps

Under current law, Oklahoma’s data breach notification statute authorizes civil penalties of up to $150,000 per breach for violations. Entities that implement reasonable safeguards may invoke this compliance as an affirmative defense against civil penalties. However, if an entity fails to use reasonable safeguards but provides notice in accordance with the law, civil penalties are capped at $75,000, plus actual damages.

What Should You Do?

Oklahoma’s amended breach notification statute is set to take effect on January 1, 2026. As we approach the end of the year, companies should:

  • Review and Evaluate Existing Security Safeguards. While there is no such thing as perfect security, now is a good time to assess current practices and security tooling relative to the company’s size and data profile. Questions about whether an organization’s safeguards are reasonable for its size are likely to arise more frequently, regardless of legal requirements.
  • Be Attentive to Response Deadlines. Notice deadlines differ from state to state and may vary depending on whether the notice is intended for regulators or consumers. It is important to carefully monitor these timelines and update any existing policies or procedures. As demonstrated by Oklahoma’s amendments, providing timely notice can be beneficial by helping to minimize civil monetary penalties.
  • Test the Effectiveness of a Response. An effective way to assess a company’s safeguards and understanding of notice requirements is to put its response procedures to the test. By conducting a tabletop exercise that simulates a realistic and relevant breach scenario, companies can gauge the organization’s readiness and identify areas that need improvement.