North Dakota Governor Signs Cybersecurity Governance Law for Financial Institutions

By Zachary Heck on May 8, 2025

On April 11, 2025, North Dakota Governor Kelly Armstrong signed HB 1127 (the Act) into law.

The Act, which takes effect on August 1, 2025, establishes new data security requirements for certain financial institutions and nonbanking financial service providers. In addition, the Act amends multiple sections related to financial institution licensing and oversight.

Which Financial Institutions are Regulated?

The Act regulates “financial corporations” and certain “financial institutions” (together, “Covered Organizations”). Specifically, the Act regulates mortgage lenders, debt collection agencies, debt settlement providers, money brokers, and payday lenders; banks, credit unions and other organizations regulated by the North Dakota Department of Financial Institutions are explicitly exempted.

What is Required under the Act?

The Act creates a new set of requirements for Covered Organizations with respect to development and maintenance of information security programs. These requirements include:

Governance Structure

  • designation of a qualified individual responsible for implementation and enforcement of the information security program (e.g., a Chief Security Officer or equivalent);
  • creation of oversight protocols when the qualified individual is employed by a third-party service provider;
  • annual written reporting of performance of information security program to the board of directors or equivalent governing body.

Risk Assessment

  • periodic written risk assessments identifying foreseeable internal and external threats;
  • development of internal risk categorization methodology and protocols for risk acceptance or mitigation.

Safeguards

  • adoption of access controls with authentication protocols (e.g., multi-factor authentication);
  • encryption at rest and in transit of consumer information;
  • development and testing of a robust, written, incident response plan;
  • implementation of change management procedures;
  • monitoring and logging of authorized user activity;
  • annual penetration tests and biannual vulnerability assessments unless continuous monitoring is in place.

Personnel and Service Provider Management

  • security awareness and training programs;
  • service provider due diligence, contractual requirements addressing security of customer financial information, and ongoing assessment procedures for third-parties processing consumer information.

What Happens if there is a Security Breach?

Within 45 days after discovery of a security breach impacting 500 or more individuals, Covered Organizations must notify the North Dakota Department of Financial Institutions. A security breach is “discovered” as of the first day the event is known to the Covered Organization, including when the event is known to any employee, officer, or other agent of the Covered Organization. Unlike most state notification laws, the Act does not limit reporting duties to impacted state residents; instead, any individual consumer whose information has been impacted counts towards the reporting requirement.

Penalties and Fines

Although a private right of action does not exist under the Act, the North Dakota Department of Financial Institutions has the power to levy financial penalties and take other regulatory actions. This includes issuance of cease-and-desist orders and fines of up to $100,000 per violation, as well as a daily $1,000 penalty for each day a violation continues after service of an order. In some cases, the Department of Financial Institutions can suspend a Covered Organization’s license or revoke it completely. In addition, any executive or employee found individually responsible for violations can be removed from their position by the Department of Financial Institutions.

What’s Next?

Although the Act does not take effect until August 1, 2025, Covered Organizations will need time to ensure their information security programs meet the new, heightened standard. The Act does not provide any delay in enforcement, so Covered Organizations should begin conducting gap analyses immediately to identify where improvements need to be made. Because of the Act’s similarities to the NYDFS Cybersecurity Requirements, Covered Organizations can build upon lessons learned from NYDFS enforcement, which has emphasized the role of senior management in effective security programs, as well as the necessity of regular assessments and reporting.

For more information on data privacy and security regulations, and other data privacy questions, please visit Taft’s Privacy and Data Security Insights blog, and our LinkedIn page.

Zachary Heck

Zach’s practice focuses on privacy and data security. Specifically, Zach assists clients in the areas of privacy compliance, defense litigation, class action defense and guidance in the aftermath of an information security event, including data breach. Zach has experience advising clients with respect to FTC investigations, federal privacy regulations such as HIPAA, FCRA, TCPA, and GLBA, as well as state laws governing personally identifiable information. For his clients, he also provides regulatory analysis, risk management, policy development, training and audits.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Privacy & Data Security Insight
  • Organization:
    Taft Stettinius & Hollister LLP