OK SB626
Bill
AI Summary
Senate Bill 626 Summary
- Requires entities that own or license computerized data containing personal information to notify Oklahoma residents of security breaches affecting unencrypted and unredacted personal data without unreasonable delay.
- Mandates notification to the Oklahoma Attorney General within 60 days of notifying residents for breaches affecting 500 or more residents (or 1,000 or more for credit bureaus), including details on breach date, nature, affected data types, number of residents impacted, and estimated monetary damages.
- Establishes civil penalties up to $150,000 per breach for violations, with reduced penalties of $75,000 for entities that provide notice but fail to use reasonable safeguards; exempts entities using reasonable safeguards and providing proper notice from civil penalties.
- Deems financial institutions, hospitals complying with HIPAA or the Oklahoma Hospital Cybersecurity Protection Act of 2023, and entities following federal regulator requirements to be in compliance with notification requirements if they notify the Attorney General.
- Takes effect January 1, 2026, applying to breaches discovered, determined, or notified on or after that date.
Legislative Description
Security Breach Notification Act; requiring notice of security breach of certain information; modifying provisions. Effective date.
Last Action
Becomes law without Governor's signature 05/28/2025
5/28/2025