Background

On January 7, 2025, North Dakota’s House Industry, Business, and Labor Committee introduced HB 1127 at the request of the Department of Financial Institutions. HB 1127 passed both legislative chambers and was signed into law by the Governor on April 11, 2025. The new law imposes data security requirements on certain financial institutions, creates Chapter 13-01.2 of the North Dakota Century Code, and amends several sections related to financial institution licensing and regulatory oversight. It takes effect on August 1, 2025.

The consumer protection mechanisms and mandated requirements in North Dakota’s HB 1127 may look familiar: HB 1127 shares several features with the New York Department of Financial Services (NYDFS) Cybersecurity Requirements.

Similarities to NYDFS Requirements

Both North Dakota’s HB 1127 and the NYDFS Cybersecurity Requirements mandate that financial institutions develop and maintain robust data security programs designed to protect sensitive information from cyber threats. Both regulations also (i) require regular assessments and reporting, including periodic reviews and program updates based on evolving threats; (ii) define the scope of entities covered; and (iii) emphasize the role of senior management in the effectiveness of the cybersecurity program and its accountability for compliance with the security requirements.

Which Financial Institutions Does HB 1127 Affect?

The financial institutions affected by HB 1127 include the following: trust companies, mortgage lenders, cryptocurrency kiosks, collection agencies, debt settlement providers, money brokers, money transmitters, and payday lenders. Note that banks, credit unions, and other organizations regulated by the North Dakota Department of Financial Institutions are expressly excluded from the new law.

What Does HB 1127 Do?

New section 13-01.2-02 sets out safeguards for customer information and lists the elements a covered financial corporation must satisfy when building its information security program.

HB 1127 requires covered financial corporations to do the following:

  • Establish robust, written incident response plans that quickly and effectively address security breaches.
  • Maintain data breach notification policies that protect consumers.
  • Securely dispose of customer information no later than two years after it was used in connection with providing a product or service, unless:
    • the information is necessary for business operations or other legitimate business purposes;
    • the information is otherwise required to be retained by law or regulation; or
    • targeted disposal is not reasonably feasible.
  • Treat a notification event as “discovered” as of the first day the event is known to the financial corporation.
  • Notify the Department of Financial Institutions within 45 days after discovery of a security breach that affects 500 or more consumers. Note that, unlike many other states’ laws, North Dakota does not limit “consumers” to state residents.
  • Be deemed to know of a notification event once it is known to any employee, officer, or other agent of the financial corporation (other than the person who committed the breach).
  • Periodically review the financial corporation’s data retention policy to minimize unnecessary data retention.

HB 1127 also authorizes penalties for non-compliance, including fines and license revocation, discussed below.

Penalties Associated With Non-Compliance

Non-compliance with North Dakota HB 1127 can result in financial penalties and regulatory action. The Department of Financial Institutions may issue cease-and-desist orders against financial institutions that violate security regulations or the requirements set forth in HB 1127. Financial corporations that fail to implement the required security measures are also subject to fines of up to $100,000 per violation, plus a daily penalty of $1,000 for each day the violation continues after service of an order. Repeated violations may result in license suspension or revocation. Moreover, if executives or employees are found individually responsible for violations, the regulator has the authority to remove them from their positions.

Our Take

Financial institutions should carefully study HB 1127 and monitor how the Department of Financial Institutions and North Dakota courts interpret its provisions. Consumers have an increasing appetite for stronger data security requirements and enhanced consumer protections; in response, state and federal agencies have imposed more stringent regulatory mandates on financial institutions in an effort to (i) bolster entity compliance and reporting, (ii) ensure more effective data security programs, (iii) implement additional safeguards for customer information, and (iv) establish more effective accountability mechanisms.

As a practical matter, the breach notice requirement may be difficult to meet in a typical incident for the many financial institutions that are licensed in North Dakota but do only a small share of their business there. The 500-consumer threshold is reasonable in itself, but in many cyber incidents it takes weeks to identify the full population of affected consumers and learn their current residency. Because the 45-day clock starts when the event is first known to a single employee of the company, a covered institution may not learn that it has 500 affected consumers until that period has already expired. Licensed institutions may therefore choose to notify the Department of Financial Institutions early, even though it may turn out that they had no legal obligation to notify the Department at all.