OK SB626
Bill
AI Summary
- Requires entities that experience data breaches affecting Oklahoma residents to notify the Attorney General within 60 days of notifying affected individuals, including details on breach date, nature, type of personal information exposed, number of affected residents, estimated monetary impact, and safeguards employed
- Expands the definition of "personal information" to include unique identifiers created or collected by government entities, electronic identifiers or routing codes combined with security credentials, and unique biometric data such as fingerprints, retina images, or iris images
- Exempts breaches affecting fewer than 500 Oklahoma residents from Attorney General notification requirements (1,000 residents for credit bureaus)
- Provides liability protection for entities using "reasonable safeguards" (risk assessments, technical defenses, employee training, incident response plans) and proper notification procedures; entities failing to use reasonable safeguards but providing proper notice face reduced civil penalties of $75,000 rather than $150,000
- Effective January 1, 2026, with compliance exemptions for entities following HIPAA, Gramm-Leach-Bliley Act, Oklahoma Hospital Cybersecurity Protection Act of 2023, or their primary federal regulator's notification requirements
Legislative Description
Security Breach Notification Act; requiring notice of security breach of certain information; modifying provisions. Effective date.
Last Action
Becomes law without Governor's signature 05/28/2025
5/28/2025