
Oklahoma Expands Breach Notification Law with Stricter Rules and Broader Definitions

June 7, 2025

Oklahoma has passed Senate Bill 626, a major update to its Security Breach Notification Act, which goes into effect January 1, 2026. This legislation reflects the state’s push to modernize its data protection framework and hold businesses more accountable for how they safeguard and report breaches involving consumer information. The amendments broaden the definition of personal information, introduce new reporting obligations, and establish an affirmative defense for entities that implement strong data security practices.

1. Expanded Definition of Personal Information

SB 626 expands the scope of what qualifies as personal information under Oklahoma law. In addition to traditional data points such as names and Social Security numbers, the revised law includes biometric identifiers like fingerprints and retina scans, as well as unique electronic identifiers or routing codes that, when combined with access credentials, could permit access to financial accounts. This update brings Oklahoma’s definition more in line with emerging threats in the cybersecurity space, particularly as identity theft and unauthorized access increasingly rely on non-traditional data.

2. New Reporting Requirement to the Attorney General

Entities experiencing a breach that affects more than 500 Oklahoma residents—or over 1,000 in the case of credit reporting agencies—will be required to report the incident to the Oklahoma Attorney General no later than 60 days after notifying impacted individuals. The report must include key details such as the date of the breach, the nature of the compromised information, the number of Oklahoma residents affected, the estimated financial impact, and what safeguards were in place at the time of the breach.

Entities already subject to HIPAA or the Oklahoma Hospital Cybersecurity Protection Act are exempt from individual notifications, provided they still notify the Attorney General under the new provisions.

3. Affirmative Defense for Entities with Reasonable Safeguards

SB 626 introduces a valuable affirmative defense for businesses that implement reasonable safeguards to protect personal data. These safeguards are expected to reflect the size and scope of the organization and may include things like regular risk assessments, employee training, layered technical defenses, and formal incident response plans. If an entity can demonstrate that it had these measures in place and followed them, it may be shielded from enforcement penalties in the event of a breach.

4. Enforcement and Civil Penalties

Entities that fail to comply with the amended law may be subject to civil penalties, with fines reaching up to $150,000 per breach. However, those that demonstrate compliance with both the safeguard and notification requirements can use the affirmative defense to mitigate or avoid penalties. This balance between enforcement and leniency aims to encourage proactive compliance rather than merely punitive enforcement after the fact.

5. What to Do Before January 1, 2026

Businesses operating in Oklahoma—or handling personal information tied to Oklahoma residents—should start preparing now. This includes reviewing existing breach response plans, updating data classification frameworks, ensuring appropriate internal and vendor-facing controls are in place, and confirming that breach notification workflows include the Attorney General’s office where required. Employee training and legal review of contracts and policies will also be essential to align with the expanded requirements.

For further guidance or to assess your organization’s readiness, feel free to reach out—we’re here to help you stay ahead of these evolving state-level requirements.
