# North Dakota Consumer Privacy Law[^about]

North Dakota has no comprehensive consumer-privacy statute. Chapter 51-30 governs breach notification, enforced through the ch. 51-15 consumer-fraud law, and a 2025 chapter imposes data-security duties on state-regulated financial corporations.

## Which privacy laws apply to your business in North Dakota? {#which-privacy-laws-apply}

**Short answer.** There is no comprehensive North Dakota consumer-privacy law. The operative state statute for most businesses is chapter 51-30 of the Century Code, a breach-notification law that applies to any person that owns or licenses computerized data that includes personal information of North Dakota residents — with no revenue or consumer-volume threshold [^stat-51-30-02-duty]. Day-to-day data practices are policed instead by the state consumer-fraud law, chapter 51-15, which declares deceptive acts or practices in connection with the sale or advertisement of merchandise unlawful [^stat-51-15-02-deception]. And since 2025, a third state law applies to one sector: chapter 13-01.2 requires every state-regulated *financial corporation* to develop, implement, and maintain a comprehensive information security program [^stat-13-01-2-program].

North Dakota residents do not have general state-law rights to access, delete, correct, or port their personal data, and no state statute gives them a right to opt out of its sale or requires businesses to honor universal opt-out signals. There are likewise no state notice-at-collection, consent, data-protection-assessment, or processor-contract duties of the kind found in other states' comprehensive consumer-privacy acts. What North Dakota has instead is a sectoral, layered framework: the breach-notification chapter sets the one statewide incident-response duty, the consumer-fraud law supplies the enforcement engine, and the 2025 financial-corporation chapter adds a GLBA-style security program for entities the Department of Financial Institutions regulates. The consumer-fraud law sweeps broadly — *merchandise* is defined to include intangibles and services as well as goods [^stat-51-15-01-merchandise] — so data-related misrepresentations by most consumer-facing businesses fall within its reach.

The rest of a North Dakota-facing privacy program rides the federal and sectoral overlay. Section 5 of the FTC Act reaches deceptive or unfair privacy and data-security practices nationwide; the Gramm-Leach-Bliley Act governs financial institutions; HIPAA governs covered health entities and their business associates; and the Children's Online Privacy Protection Act governs services directed to children under 13. None of those is a North Dakota statute, but together with chapters 51-30, 51-15, and 13-01.2 they are what actually shapes a compliant program today. This note is written to stay durable: if North Dakota later enacts a comprehensive law, a program built to this overlay upgrades rather than restarts.

## What must your North Dakota privacy policy contain? {#privacy-policy-contents}

**Short answer.** No North Dakota statute requires a general consumer privacy policy or fixes what it must say. For most businesses the governing rule is that whatever you publish has to be true: under Section 5 of the FTC Act, a policy that misstates how you collect, use, share, retain, or secure data is a deceptive practice [^fed-ftc5-deceptive], and North Dakota's consumer-fraud law reaches the same conduct as a deceptive act or practice — and separately condemns practices that are unconscionable or cause substantial, unavoidable injury to consumers [^q2-stat-51-15-02-unlawful]. Where a sectoral regime applies, that regime supplies the contents instead [^fed-hipaa-notice].

In practice, the drafting question in North Dakota is less what must be included than whether the policy matches actual practice. Build the policy from the federal and sectoral overlay. A financial institution must give consumers a privacy notice before disclosing nonpublic personal information to nonaffiliated third parties under the GLBA [^fed-glba-notice]. A HIPAA covered entity must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's legal duties [^fed-hipaa-notice]. An operator of a website or online service directed to children must post notice of what information it collects from children, how it uses that information, and its disclosure practices [^fed-coppa-notice]. For everyone else, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it, because the enforceable obligation is consistency between the statement and the conduct. There is no North Dakota-mandated checklist to cite here, which is itself the point: the contents are overlay-driven, not state-statute-driven.

## What must your contracts with vendors say? {#vendor-contracts}

**Short answer.** North Dakota has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general private-sector contracts. The one state law that mandates vendor contract terms is sector-specific: a *financial corporation* covered by the 2025 data-security chapter must oversee its service providers, including by requiring them by contract to implement and maintain appropriate safeguards [^stat-13-01-2-vendor-oversight].

Where a federal or sectoral regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to require their service providers by contract to implement and maintain appropriate safeguards [^fed-glba-safeguards], and HIPAA requires a written business-associate agreement with mandatory data-protection, breach-reporting, and downstream-subcontractor terms before protected health information changes hands [^fed-hipaa-baa]. The 2025 North Dakota chapter imports the same model into state law for entities regulated by the Department of Financial Institutions — selection diligence, contractual safeguard requirements, and periodic risk-based reassessment of each provider [^stat-13-01-2-vendor-oversight].

Outside those regimes, the prudent move is to carry the same protections forward as a matter of best practice — processing limited to documented instructions, confidentiality, reasonable security, breach notification back to your business, and return or deletion of data at the end of the engagement — even though no North Dakota statute compels them. The breach-notification chapter touches vendors only narrowly: a person that maintains computerized personal information it does not own must notify the owner or licensee immediately after discovering a breach [^q3-stat-51-30-03-vendor-notice], which is a reason to fix notice timelines and cooperation duties in the contract before an incident, not after.

## When must you notify people of a data breach in North Dakota? {#breach-notification}

**Short answer.** Any person that owns or licenses computerized data including personal information must notify every North Dakota resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person [^q4-stat-51-30-02-resident-notice]. If the breach exceeds two hundred fifty individuals, the person must also notify the Attorney General, and the disclosure must be made in the most expedient time possible and without unreasonable delay [^stat-51-30-02-ag-timing]. A reportable breach is the unauthorized acquisition of computerized data when access to personal information has not been secured by encryption or an equivalent method [^stat-51-30-01-breach-def].

This is the one prong where North Dakota imposes a hard statutory duty, so it is the center of any North Dakota incident-response plan. The trigger is *acquisition* of unencrypted data — encryption is a safe harbor built into the definition of a breach, and good-faith acquisition by an employee or agent does not count if the information is not further misused [^stat-51-30-01-breach-def]. The definition of *personal information* is notably broad: beyond the usual name-plus-identifier combinations — Social Security number, driver's license or state ID number, financial-account or card number with its access code — it also reaches a resident's name combined with date of birth, mother's maiden name, medical information, health insurance information, an employer-assigned ID number with an access code, or an electronic signature [^stat-51-30-01-personal-info]. Several of those elements, such as date of birth, are not breach-notice triggers in most states, so a multistate incident can be reportable in North Dakota even when it is not reportable elsewhere.

The mechanics follow the familiar national pattern. A vendor that maintains data it does not own must notify the owner or licensee immediately following discovery [^q4-stat-51-30-03-vendor-notice]. Notice may be delayed if a law enforcement agency determines it would impede a criminal investigation, and must then be made once the agency clears it [^stat-51-30-04-delay]. Notice may be written or electronic, with substitute notice — email, conspicuous website posting, and statewide media — available when the cost of direct notice would exceed two hundred fifty thousand dollars, the affected class exceeds five hundred thousand persons, or contact information is insufficient [^stat-51-30-05-substitute]. Two compliance off-ramps matter in practice: a person that follows its own breach-notification procedures under an information security policy consistent with the chapter's timing requirements is deemed compliant [^stat-51-30-06-own-policy], and financial institutions following the federal interagency guidance, as well as HIPAA covered entities, business associates, and subcontractors subject to the HIPAA breach-notification rule, are deemed compliant as well [^stat-51-30-06-deemed-compliance].

## What does North Dakota's 2025 financial data-security law require? {#financial-data-security}

**Short answer.** In 2025 North Dakota enacted chapter 13-01.2, which requires every covered *financial corporation* to develop, implement, and maintain a comprehensive information security program [^q5-stat-13-01-2-program]. The chapter reaches entities regulated by the Department of Financial Institutions other than banks and credit unions — *financial corporation* is defined as all entities regulated by the department, excluding financial institutions and credit unions [^stat-13-01-2-scope] — so it covers nondepository licensees such as lenders, brokers, and servicers under the department's supervision.

The chapter is built on the model of the federal GLBA Safeguards Rule, which likewise requires designating a qualified individual to oversee, implement, and enforce the information security program [^q5-fed-glba-qualified]. The North Dakota version requires the same designation [^stat-13-01-2-qualified], a written risk assessment, and risk-based safeguards that include encrypting all customer information in transit over external networks and at rest, with compensating controls allowed only when the qualified individual approves them after finding encryption infeasible [^stat-13-01-2-encryption]. Multifactor authentication is required for any individual accessing any information system unless the qualified individual approves an equivalent or stronger control in writing [^stat-13-01-2-mfa]. The program must also cover penetration testing and vulnerability assessments [^stat-13-01-2-testing], personnel training [^stat-13-01-2-training], service-provider oversight, an incident response plan [^stat-13-01-2-irp], and an annual written report to the board or a senior officer [^stat-13-01-2-annual-report].

The chapter adds its own regulator-notification clock, separate from the chapter 51-30 consumer-notice duty: after discovering a *notification event* involving the information of at least five hundred consumers, the financial corporation must notify the Commissioner of the Department of Financial Institutions as soon as possible and no later than forty-five days after discovery [^stat-13-01-2-notify]. The chapter's one carve-out is narrow on its face: section 13-01.2-04 states that the written-risk-assessment, penetration-testing and vulnerability-assessment, incident-response-plan, and annual-reporting elements do not apply to *financial institutions* that maintain customer information concerning fewer than five thousand consumers [^stat-13-01-2-exemption]. For a covered entity, the practical upshot is that a program already built to the FTC Safeguards Rule maps nearly one-to-one onto the new state chapter, but the forty-five-day report runs to the state commissioner and must be tracked alongside the federal thirty-day FTC notice [^q5-fed-glba-ftc-notice].

## Can a consumer sue your business in North Dakota over privacy? {#consumer-lawsuit}

**Short answer.** The breach-notification chapter is built for public enforcement: the Attorney General may enforce it with all the powers and remedies of the consumer-fraud law, and a violation of the breach chapter is deemed a violation of chapter 51-15 [^stat-51-30-07-ag-enforce]. But the chapter expressly states that its remedies are not exclusive and sit on top of all other causes of action and remedies under chapter 51-15 or otherwise provided by law [^stat-51-30-07-not-exclusive], and chapter 51-15 itself preserves private claims: it does not bar any claim for relief by any person against a defendant who acquired money or property through an unlawful practice, with treble damages available for knowing conduct plus mandatory costs and attorney's fees [^stat-51-15-09-private].

Public enforcement is the primary channel. The Attorney General may seek and obtain a district-court injunction against any practice declared unlawful by the consumer-fraud law [^stat-51-15-07-injunction], and the court may assess a civil penalty of up to five thousand dollars for each violation [^stat-51-15-11-penalty]. Because a breach-chapter violation is deemed a chapter 51-15 violation, those tools — investigation, subpoenas, injunctions, cease-and-desist orders, and penalties — all apply to a failure to give breach notice.

The private path is narrower than the public one, and its boundary comes from the statutory text. Section 51-15-09 conditions private recovery on the defendant having acquired money or property by means of the unlawful practice, so the claim fits most naturally where a data-related misrepresentation induced a purchase — a privacy promise that helped sell the product — and less naturally where the only wrong is a bare failure to notify after a breach. No quoted authority in this note resolves how far courts will take that bridge from the breach chapter into § 51-15-09, so treat the private exposure as real but untested at its edges. A private claim under the consumer-fraud law must be brought within four years, and the clock does not start until the aggrieved party discovers the facts constituting the violation [^stat-51-15-12-limitations]. The treble-damages and fee-shifting provisions make even individually small claims economically viable for plaintiffs when knowing conduct can be shown [^stat-51-15-09-private], which is the practical reason to treat published privacy statements in North Dakota with the same care as advertising copy.



[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org) · Maintained by [UseJunior](https://usejunior.com). Last reviewed 2026-06-12. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not North Dakota. This article synthesizes North Dakota primary law and is not legal advice from a North Dakota-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.

[^stat-51-30-02-duty]: **N.D. Cent. Code § 51-30-02** — "Any person that owns or licenses computerized data that includes personal information, shall disclose any breach of the security system following discovery or notification of the breach in the security of the data to any resident of the state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." *N.D. Cent. Code § 51-30-02.* <https://ndlegis.gov/cencode/t51c30.pdf>

[^stat-51-15-02-deception]: **N.D. Cent. Code § 51-15-02** — "The act, use, or employment by any person of any deceptive act or practice, fraud, false pretense, false promise, or misrepresentation, with the intent that others rely thereon in connection with the sale or advertisement of any merchandise, whether or not any person has in fact been misled, deceived, or damaged thereby, is declared to be an unlawful practice." *N.D. Cent. Code § 51-15-02.* <https://ndlegis.gov/cencode/t51c15.pdf>

[^stat-13-01-2-program]: **N.D. Cent. Code § 13-01.2-02** — "A financial corporation shall develop, implement, and maintain a comprehensive information security program." *N.D. Cent. Code § 13-01.2-02(1).* <https://ndlegis.gov/cencode/t13c01-2.pdf>

[^stat-51-15-01-merchandise]: **N.D. Cent. Code § 51-15-01** — "‘Merchandise’ means any objects, wares, goods, commodities, intangibles, real estate, charitable contributions, or services." *N.D. Cent. Code § 51-15-01(3).* <https://ndlegis.gov/cencode/t51c15.pdf>

[^fed-ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>

[^q2-stat-51-15-02-unlawful]: **N.D. Cent. Code § 51-15-02** — "The act, use, or employment by any person of any deceptive act or practice, fraud, false pretense, false promise, or misrepresentation, with the intent that others rely thereon in connection with the sale or advertisement of any merchandise, whether or not any person has in fact been misled, deceived, or damaged thereby, is declared to be an unlawful practice. The act, use, or employment by any person of any act or practice, in connection with the sale or advertisement of any merchandise, which is unconscionable or which causes or is likely to cause substantial injury to a person which is not reasonably avoidable by the injured person and not outweighed by countervailing benefits to consumers or to competition, is declared to be an unlawful practice." *N.D. Cent. Code § 51-15-02.* <https://ndlegis.gov/cencode/t51c15.pdf>

[^fed-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520.* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>

[^fed-glba-notice]: **GLBA privacy notice** — "Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title." *15 U.S.C. § 6802(a).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=Except%20as%20otherwise%20provided%20in,section%206803%20of%20this%20title.>

[^fed-coppa-notice]: **COPPA notice requirement** — "to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information" *15 U.S.C. § 6502(b)(1)(A)(i).* <https://www.law.cornell.edu/uscode/text/15/6502#:~:text=to%20provide%20notice%20on%20the,disclosure%20practices%20for%20such%20information>

[^stat-13-01-2-vendor-oversight]: **N.D. Cent. Code § 13-01.2-03(8)** — "A financial corporation shall oversee service providers by: a. Taking reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for customer information; b. Requiring, by contract, the financial corporation's service providers implement and maintain appropriate safeguards; and c. Periodically assessing the financial corporation's service providers based on the risk they present, and the continued adequacy of the service providers' safeguards." *N.D. Cent. Code § 13-01.2-03(8).* <https://ndlegis.gov/cencode/t13c01-2.pdf>

[^fed-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>

[^fed-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,and%20a%20business%20associate%20must>

[^q3-stat-51-30-03-vendor-notice]: **N.D. Cent. Code § 51-30-03** — "Any person that maintains computerized data that includes personal information that the person does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following the discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person." *N.D. Cent. Code § 51-30-03.* <https://ndlegis.gov/cencode/t51c30.pdf>

[^q4-stat-51-30-02-resident-notice]: **N.D. Cent. Code § 51-30-02** — "Any person that owns or licenses computerized data that includes personal information, shall disclose any breach of the security system following discovery or notification of the breach in the security of the data to any resident of the state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." *N.D. Cent. Code § 51-30-02.* <https://ndlegis.gov/cencode/t51c30.pdf>

[^stat-51-30-02-ag-timing]: **N.D. Cent. Code § 51-30-02** — "In addition, any person that experiences a breach of the security system as provided in this section shall disclose to the attorney general by mail or electronic mail any breach of the security system which exceeds two hundred fifty individuals. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in section 51-30-04, or any measures necessary to determine the scope of the breach and to restore the integrity of the data system." *N.D. Cent. Code § 51-30-02.* <https://ndlegis.gov/cencode/t51c30.pdf>

[^stat-51-30-01-breach-def]: **N.D. Cent. Code § 51-30-01** — "‘Breach of the security system’ means unauthorized acquisition of computerized data when access to personal information has not been secured by encryption or by any other method or technology that renders the electronic files, media, or databases unreadable or unusable. Good-faith acquisition of personal information by an employee or agent of the person is not a breach of the security of the system, if the personal information is not used or subject to further unauthorized disclosure." *N.D. Cent. Code § 51-30-01(1).* <https://ndlegis.gov/cencode/t51c30.pdf>

[^stat-51-30-01-personal-info]: **N.D. Cent. Code § 51-30-01** — "‘Personal information’ means an individual's first name or first initial and last name in combination with any of the following data elements, when the name and the data elements are not encrypted: (1) The individual's social security number; (2) The operator's license number assigned to an individual by the department of transportation under section 39-06-14; (3) A nondriver color photo identification card number assigned to the individual by the department of transportation under section 39-06-03.1; (4) The individual's financial institution account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial accounts; (5) The individual's date of birth; (6) The maiden name of the individual's mother; (7) Medical information; (8) Health insurance information; (9) An identification number assigned to the individual by the individual's employer in combination with any required security code, access code, or password; or (10) The individual's digitized or other electronic signature." *N.D. Cent. Code § 51-30-01(4)(a).* <https://ndlegis.gov/cencode/t51c30.pdf>

[^q4-stat-51-30-03-vendor-notice]: **N.D. Cent. Code § 51-30-03** — "Any person that maintains computerized data that includes personal information that the person does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following the discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person." *N.D. Cent. Code § 51-30-03.* <https://ndlegis.gov/cencode/t51c30.pdf>

[^stat-51-30-04-delay]: **N.D. Cent. Code § 51-30-04** — "The notification required by this chapter may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this chapter must be made after the law enforcement agency determines that the notification will not compromise the investigation." *N.D. Cent. Code § 51-30-04.* <https://ndlegis.gov/cencode/t51c30.pdf>

[^stat-51-30-05-substitute]: **N.D. Cent. Code § 51-30-05** — "Substitute notice, if the person demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars, or that the affected class of subject persons to be notified exceeds five hundred thousand, or the person does not have sufficient contact information." *N.D. Cent. Code § 51-30-05(3).* <https://ndlegis.gov/cencode/t51c30.pdf>

[^stat-51-30-06-own-policy]: **N.D. Cent. Code § 51-30-06** — "Notwithstanding section 51-30-05, a person that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this chapter is deemed to be in compliance with the notification requirements of this chapter if the person notifies subject individuals in accordance with its policies in the event of a breach of security of the system." *N.D. Cent. Code § 51-30-06.* <https://ndlegis.gov/cencode/t51c30.pdf>

[^stat-51-30-06-deemed-compliance]: **N.D. Cent. Code § 51-30-06** — "A financial institution, trust company, or credit union that is subject to, examined for, and in compliance with the federal interagency guidance on response programs for unauthorized access to customer information and customer notice is in compliance with this chapter. A covered entity, business associate, or subcontractor subject to breach notification requirements under title 45, Code of Federal Regulations, subpart D, part 164, is considered to be in compliance with this chapter." *N.D. Cent. Code § 51-30-06.* <https://ndlegis.gov/cencode/t51c30.pdf>

[^q5-stat-13-01-2-program]: **N.D. Cent. Code § 13-01.2-02** — "A financial corporation shall develop, implement, and maintain a comprehensive information security program." *N.D. Cent. Code § 13-01.2-02(1).* <https://ndlegis.gov/cencode/t13c01-2.pdf>

[^stat-13-01-2-scope]: **N.D. Cent. Code § 13-01.2-01** — "‘Financial corporation’ means all entities regulated by the department of financial institutions, excluding financial institutions and credit unions." *N.D. Cent. Code § 13-01.2-01(9).* <https://ndlegis.gov/cencode/t13c01-2.pdf>

[^q5-fed-glba-qualified]: **GLBA Safeguards Rule** — "Designate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program" *16 C.F.R. § 314.4(a).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Designate%20a%20qualified%20individual%20responsible,enforcing%20your%20information%20security%20program>

[^stat-13-01-2-qualified]: **N.D. Cent. Code § 13-01.2-03(1)** — "A financial corporation's information security program must denote a designation of a qualified individual responsible for overseeing and implementing the financial corporation's information security program and enforcing the financial corporation's information security program." *N.D. Cent. Code § 13-01.2-03(1).* <https://ndlegis.gov/cencode/t13c01-2.pdf>

[^stat-13-01-2-encryption]: **N.D. Cent. Code § 13-01.2-03(5)(c)** — "Protecting by encryption all customer information held or transmitted by the financial corporation both in transit over external networks and at rest. To the extent a financial corporation determines that encryption of customer information, either in transit over external networks or at rest, is infeasible, the financial corporation may secure customer information using effective alternative compensating controls reviewed and approved by the financial corporation's qualified individual." *N.D. Cent. Code § 13-01.2-03(5)(c).* <https://ndlegis.gov/cencode/t13c01-2.pdf>

[^stat-13-01-2-mfa]: **N.D. Cent. Code § 13-01.2-03(5)(e)** — "Implementing multifactor authentication for any individual accessing any information system, unless the financial corporation's qualified individual has approved in writing the use of a reasonably equivalent or more secure access control." *N.D. Cent. Code § 13-01.2-03(5)(e).* <https://ndlegis.gov/cencode/t13c01-2.pdf>

[^stat-13-01-2-testing]: **N.D. Cent. Code § 13-01.2-03(6)** — "Information systems monitoring and testing must include continuous monitoring or periodic penetration testing, and vulnerability assessments." *N.D. Cent. Code § 13-01.2-03(6)(b).* <https://ndlegis.gov/cencode/t13c01-2.pdf>

[^stat-13-01-2-training]: **N.D. Cent. Code § 13-01.2-03(7)** — "A financial corporation shall implement policies and procedures to ensure the financial corporation's personnel are able to enact the financial corporation's information security program by: a. Providing the financial corporation's personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment; b. Utilizing qualified information security personnel employed by the financial corporation or an affiliate or service provider sufficient to manage the financial corporation's information security risks and to perform or oversee the information security program; c. Providing information security personnel with security updates and training sufficient to address relevant security risks; and d. Verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures." *N.D. Cent. Code § 13-01.2-03(7).* <https://ndlegis.gov/cencode/t13c01-2.pdf>

[^stat-13-01-2-irp]: **N.D. Cent. Code § 13-01.2-03(10)** — "A financial corporation shall establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information the financial corporation controls." *N.D. Cent. Code § 13-01.2-03(10).* <https://ndlegis.gov/cencode/t13c01-2.pdf>

[^stat-13-01-2-annual-report]: **N.D. Cent. Code § 13-01.2-03(11)** — "A financial corporation shall require the financial corporation's qualified individual to report in writing, at least annually, to the financial corporation's board of directors or equivalent governing body. If no board of directors or equivalent governing body exists, the report shall be timely presented to a senior officer responsible for the financial corporation's information security program." *N.D. Cent. Code § 13-01.2-03(11).* <https://ndlegis.gov/cencode/t13c01-2.pdf>

[^stat-13-01-2-notify]: **N.D. Cent. Code § 13-01.2-03(12)** — "After discovery of a notification event described in subdivision c, if the notification event involves the information of at least five hundred consumers, the financial corporation shall notify the commissioner as soon as possible, and no later than forty-five days after the event is discovered." *N.D. Cent. Code § 13-01.2-03(12)(b).* <https://ndlegis.gov/cencode/t13c01-2.pdf>

[^stat-13-01-2-exemption]: **N.D. Cent. Code § 13-01.2-04** — "Subsection 4, subdivision b of subsection 6, and subsections 10 and 11 of section 13-01.2-03 do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers." *N.D. Cent. Code § 13-01.2-04.* <https://ndlegis.gov/cencode/t13c01-2.pdf>

[^q5-fed-glba-ftc-notice]: **GLBA Safeguards Rule** — "Upon discovery of a notification event as described in paragraph (j)(2) of this section, if the notification event involves the information of at least 500 consumers, you must notify the Federal Trade Commission as soon as possible, and no later than 30 days after discovery of the event." *16 C.F.R. § 314.4(j)(1).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Upon%20discovery%20of%20a%20notification,after%20discovery%20of%20the%20event.>

[^stat-51-30-07-ag-enforce]: **N.D. Cent. Code § 51-30-07** — "The attorney general may enforce this chapter. The attorney general, in enforcing this chapter, has all the powers provided in chapter 51-15 and may seek all the remedies in chapter 51-15. A violation of this chapter is deemed a violation of chapter 51-15." *N.D. Cent. Code § 51-30-07.* <https://ndlegis.gov/cencode/t51c30.pdf>

[^stat-51-30-07-not-exclusive]: **N.D. Cent. Code § 51-30-07** — "The remedies, duties, prohibitions, and penalties of this chapter are not exclusive and are in addition to all other causes of action, remedies, and penalties under chapter 51-15, or otherwise provided by law." *N.D. Cent. Code § 51-30-07.* <https://ndlegis.gov/cencode/t51c30.pdf>

[^stat-51-15-09-private]: **N.D. Cent. Code § 51-15-09** — "Except as provided in section 51-15-02.3, this chapter does not bar any claim for relief by any person against any person who has acquired any moneys or property by means of any practice declared to be unlawful in this chapter. If the court finds the defendant knowingly committed the conduct, the court may order that the person commencing the action recover up to three times the actual damages proven and the court must order that the person commencing the action recover costs, disbursements, and actual reasonable attorney's fees incurred in the action." *N.D. Cent. Code § 51-15-09.* <https://ndlegis.gov/cencode/t51c15.pdf>

[^stat-51-15-07-injunction]: **N.D. Cent. Code § 51-15-07** — "Whenever it appears to the attorney general that a person has engaged in, or is engaging in, any practice declared to be unlawful by this chapter, or by other provisions of law, including chapter 50-22, 51-13, 51-14, 51-16.1, or 51-18, the attorney general may seek and obtain in an action in a district court an injunction prohibiting that person from continuing the unlawful practice or engaging in the unlawful practice or doing any act in furtherance of the unlawful practice after appropriate notice to that person." *N.D. Cent. Code § 51-15-07.* <https://ndlegis.gov/cencode/t51c15.pdf>

[^stat-51-15-11-penalty]: **N.D. Cent. Code § 51-15-11** — "The court may assess for the benefit of the state a civil penalty of not more than five thousand dollars for each violation of this chapter or for each violation of chapter 51-12, 51-13, 51-14, or 51-18." *N.D. Cent. Code § 51-15-11.* <https://ndlegis.gov/cencode/t51c15.pdf>

[^stat-51-15-12-limitations]: **N.D. Cent. Code § 51-15-12** — "Notwithstanding chapter 28-01, an action for relief under this chapter is barred if the claim is not commenced within four years after the claim for relief accrues. The period of limitation for a claim for relief may not be deemed to have accrued until the aggrieved party discovers the facts constituting the violation of this chapter." *N.D. Cent. Code § 51-15-12.* <https://ndlegis.gov/cencode/t51c15.pdf>
