ND SB2214

Amends North Dakota law to define "personal information" as an individual's name combined with unencrypted data elements including social security number, driver's license number, financial account numbers with security codes, date of birth, medical information, health insurance information, or digital signatures.

Requires any person conducting business in North Dakota who owns or licenses computerized data containing personal information to notify affected state residents and the attorney general of any security breach involving unencrypted personal information acquired by unauthorized persons.

Establishes a threshold of 250 individuals affected by a breach before the attorney general must be notified by mail or email.

Requires breach notifications to be made in the most expedient time possible without unreasonable delay, while allowing delays consistent with legitimate law enforcement needs or measures necessary to determine breach scope and restore data system integrity.

Excludes publicly available information lawfully disclosed by federal, state, or local government records from the definition of personal information requiring breach notification.