ARTICLE
20 June 2025

North Dakota Passes New Data Security Law For "Financial Corporations"

SM
Sheppard, Mullin, Richter & Hampton LLP

Contributor

Sheppard, Mullin, Richter & Hampton LLP logo
Businesses turn to Sheppard to deliver sophisticated counsel to help clients move ahead. With more than 1,200 lawyers located in 16 offices worldwide, our client-centered approach is grounded in nearly a century of building enduring relationships on trust and collaboration. Our broad and diversified practices serve global clients—from startups to Fortune 500 companies—at every stage of the business cycle, including high-stakes litigation, complex transactions, sophisticated financings and regulatory issues. With leading edge technologies and innovation behind our team, we pride ourselves on being a strategic partner to our clients.
Explore Firm Details
North Dakota recently passed a law establishing new rules for certain financial companies operating in the state – specifically "financial corporations." The new obligations will take effect on August 1, 2025.
United States North Dakota Corporate/Commercial Law
Liisa M. Thomas,Kathryn Smith, and James O'Reilly
Your Author LinkedIn Connections
Sheppard, Mullin, Richter & Hampton LLP are most popular:
  • within Cannabis & Hemp topic(s)

North Dakota recently passed a law establishing new rules for certain financial companies operating in the state – specifically "financial corporations." The new obligations will take effect on August 1, 2025. They will apply to businesses that the North Dakota department of financial institutions regulates. Financial institutions (like banks and loan companies) and credit unions are not regulated by that entity.

Under the new requirements, covered entities must create a written information security program and designate a person to oversee that program. Covered entities must base their information security programs on a written risk assessment that identifies risks to their customers' information. The program includes breach response and reporting provisions for incidents that impact customer information. Covered entities will also have to periodically complete new risk assessments to evaluate their security measures and monitor the efficacy of the program.

The law also creates new rules for reporting data breaches. Namely, covered financial companies must notify the North Dakota Commissioner of the Department of Financial Institutions if there is a "notification event." A notification event occurs when an unauthorized person accesses unencrypted customer information. If this event involves the information of at least 500 customers, the company must notify the Commissioner as soon as possible, but no later than 45 days after discovering the issue. The law states that a covered entity "discovers" an event as soon as any employee, officer, or agent of the corporation learns about it.

Putting it Into Practice: Financial corporations regulated by the North Dakota department of financial institutions should take note of these changes and make updates as might be needed to their security program and incident response plan prior to August 1st.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Liisa M. Thomas
Liisa M. Thomas
Photo of Kathryn Smith
Kathryn Smith
Photo of James O'Reilly
James O'Reilly
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More