Management Assistance Program
What Law Firms Should Know About Oklahoma’s Updated Security Breach Notification Act
By Julie Bays, OBA Management Assistance Program Director
Last week, Oklahoma’s updated Security Breach Notification Act took effect (Title 24, §§ 161–166). I spent years in consumer protection believing our previous version did not put enough pressure on organizations to treat personal information like the high-value asset it is. The 2025 Legislature didn’t rewrite everything from scratch, but it made several practical changes that matter to businesses, and that includes law firms.
The headline change is that the law now recognizes more modern forms of sensitive data. “Personal information” is no longer just a name plus a Social Security number or a bank account number. The updated definition reaches newer access pathways, including certain electronic identifiers and credentials that could be used to get into financial accounts, and it expressly includes biometric data (think fingerprints or retina/iris scans) when tied to an individual. If your firm collects client IDs, stores intake documents, scans driver’s licenses, or uses any system that stores financial access credentials, this is your reminder that a breach may trigger legal obligations faster than you expect.
Second, larger incidents can now become a conversation not only with affected individuals, but also with the State. Under the revised statute, certain breaches require notice to the Oklahoma Attorney General once the incident crosses a threshold (generally 500+ Oklahoma residents affected, with a different threshold for credit bureaus). The law further outlines the required contents of such notice, including the date of the breach, the determination date, the categories of personal information compromised, the number of affected Oklahoma residents, the estimated financial impact (if ascertainable), and the reasonable safeguards that were implemented.
Third, and this is the part I hope law firms don’t overlook: the statute now defines “reasonable safeguards,” and it ties safeguards to liability. In plain terms, Oklahoma is trying to move organizations from “we’ll deal with it if it happens” to “show your work.” The definition includes risk assessments, layered defenses, training, and having an incident response plan. That language should sound familiar to anyone who has lived through a phishing scare, a misplaced laptop, or a vendor security questionnaire.
If you want a practical way to respond (without turning your week into a cybersecurity boot camp), start here: confirm what systems store client personal information, make sure multi-factor authentication is turned on where it matters most, verify encryption on portable devices and cloud storage, and review vendor contracts for breach-notice duties. Then, make sure someone in your office can answer the “first 24 hours” questions if something happens: Who do we call, what do we shut down, what do we preserve, and who is responsible for client communications? Those basics are exactly what “reasonable safeguards” looks like in the real world.
Here is an article that has more information: Oklahoma’s Senate Bill 626: The New Standard for Data Breach Notification and Compliance.

Next week, I will provide an in-depth overview of data security principles. And as always, if you want to talk through a security incident response plan, vendor questions, or practical safeguards for a law firm environment, MAP consultations are available.