North Dakota Cybersecurity Laws You Should Know (2025)
North Dakota has become increasingly proactive in addressing cybersecurity, recognizing the growing risks to its vital industries, from energy and agriculture to finance and healthcare. Businesses operating in the state must comply with both state and federal cybersecurity laws to protect sensitive information, prevent breaches, and maintain compliance. Below, we outline the most important cybersecurity laws that apply to North Dakota businesses in 2025.
North Dakota Cybersecurity Laws
North Dakota Data Breach Notification Law (N.D. Cent. Code § 51-30-01–07)
If a breach affects more than 250 residents, businesses must also notify the North Dakota Attorney General. The notification must include the type of personal data compromised and the measures being taken to prevent future incidents.
Failure to comply may result in civil penalties and enforcement actions under North Dakota’s consumer protection laws.
North Dakota Consumer Fraud Act (N.D. Cent. Code § 51-15-01 et seq.)
The Consumer Fraud Act prohibits deceptive or misleading practices, including false claims about data security. Businesses that fail to safeguard consumer information or misrepresent their cybersecurity measures can face enforcement by the Attorney General’s Office.
North Dakota Computer Crimes Law (N.D. Cent. Code § 12.1-06.1-01 et seq.)
This law criminalizes unauthorized access to computer systems, data tampering, and identity theft. Penalties vary depending on the offense, but serious cybercrimes such as hacking or data theft are treated as felonies.
North Dakota Uniform Electronic Transactions Act (N.D. Cent. Code § 9-16-01 et seq.)
The Uniform Electronic Transactions Act ensures electronic records and signatures are legally valid in North Dakota. Businesses must maintain the confidentiality and integrity of electronic documents and implement secure authentication procedures.
North Dakota Information Technology Department (ITD) Cybersecurity Standards
The ITD Cybersecurity Standards apply to state agencies but serve as a strong example for private companies. They require regular risk assessments, employee security training, multi-factor authentication, and incident response planning. Businesses in the private sector are encouraged to follow these same best practices.
Federal and Industry-Specific Cybersecurity Regulations That Affect North Dakota Businesses
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS applies to North Dakota businesses that handle credit card payments. It mandates data encryption, access restrictions, and regular security testing to prevent payment fraud.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA applies to North Dakota healthcare providers and business associates handling personal health information (PHI). It enforces strict data privacy, access control, and breach reporting requirements.
Gramm-Leach-Bliley Act (GLBA)
Financial institutions in North Dakota must comply with GLBA, which requires written information security programs, employee training, and consumer privacy disclosures.
General Data Protection Regulation (GDPR)
GDPR applies to North Dakota businesses that collect or process personal data from EU residents. It mandates explicit consent and gives individuals control over their personal data.
Cybersecurity Requirements for Financial Services Companies (NYDFS 23 NYCRR 500)
NIST Cybersecurity Framework
The NIST Cybersecurity Framework is widely used across North Dakota’s energy, manufacturing, and agricultural sectors. It offers a comprehensive structure for identifying, protecting, detecting, responding to, and recovering from cyber incidents.
Federal Trade Commission (FTC) Act
Under the FTC Act, North Dakota businesses must maintain reasonable data protection measures. The FTC enforces penalties against organizations that fail to secure data or misrepresent their cybersecurity efforts.
Children’s Online Privacy Protection Act (COPPA)
If your North Dakota business collects personal information from children under 13, COPPA applies. It requires verified parental consent and limits how such data may be used or shared.
Sarbanes-Oxley Act (SOX)
Family Educational Rights and Privacy Act (FERPA)
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
CIRCIA requires critical infrastructure organizations, including energy, utility, and communications companies in North Dakota. to report major cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours.
CAN-SPAM Act
The CAN-SPAM Act regulates commercial email practices. North Dakota businesses must include accurate sender information, truthful subject lines, and clear unsubscribe options in all marketing emails.
Defense Federal Acquisition Regulation Supplement (DFARS)
North Dakota defense contractors must comply with DFARS cybersecurity requirements aligned with NIST SP 800-171, which protect controlled unclassified information.
Section 5 of the FTC Act (Unfair or Deceptive Practices)
Section 5 prohibits unfair or deceptive data security practices, holding North Dakota businesses accountable for protecting customer data and avoiding false claims about cybersecurity practices.
More North Dakota Cybersecurity Laws to Be Aware Of
North Dakota has taken major steps toward improving cybersecurity statewide. The North Dakota Information Technology Department (ITD) oversees cybersecurity initiatives, including North Dakota Cyber Operations Center (NDCOC) one of the first statewide centers of its kind in the U.S.
The NDCOC works with federal agencies, local governments, and private-sector organizations to monitor threats, share intelligence, and coordinate cyber incident responses. Businesses are encouraged to engage with NDCOC resources and participate in training and information-sharing programs.
Conclusion
Compliance with North Dakota cybersecurity laws is essential for protecting sensitive data, maintaining customer confidence, and avoiding costly penalties. By following the North Dakota Data Breach Notification Law and adopting best practices aligned with the NIST Cybersecurity Framework, businesses can stay ahead of emerging threats.
If your organization needs support maintaining cybersecurity compliance in North Dakota, we offer end-to-end solutions to protect your business and keep you compliant with all applicable laws.
Frequently Asked Questions About North Dakota Cybersecurity Laws
- What is North Dakota’s main cybersecurity law?
The North Dakota Data Breach Notification Law (N.D. Cent. Code § 51-30-01) is the state’s primary cybersecurity statute, requiring notification of affected individuals within 45 days. - Who enforces cybersecurity laws in North Dakota?
The North Dakota Attorney General’s Office enforces breach notification and consumer protection laws. - Does North Dakota require specific cybersecurity standards?
No specific standard is required, but following NIST or ISO 27001 frameworks demonstrates reasonable data protection practices. - What happens if a business fails to report a breach?
Failure to notify affected individuals or the Attorney General may result in civil penalties and enforcement under the Consumer Fraud Act. - What industries are most affected by cybersecurity laws in North Dakota?
Energy, agriculture, healthcare, and finance sectors face stricter oversight due to federal regulations like HIPAA, GLBA, and DFARS.
Read More Cybersecurity Laws by State:
Florida Cybersecurity Laws You Should Know (2025)
Ohio Cybersecurity Laws You Should Know (2025)
Virginia Cybersecurity Laws You Should Know (2025)
North Carolina Cybersecurity Laws You Should Know (2025)
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Readers should consult qualified legal counsel for advice specific to their organization or situation.
