Data breach law and regulation updates from Oklahoma, California and New York

Blog Post

State legislatures continue to tighten data breach notification requirements and enforce compliance with privacy and security rules. Below are recent notable developments from Oklahoma, California and New York.

Amendment to Oklahoma breach notification law

Oklahoma has amended its breach notification law. On May 28, S.B. 626, Reg Sess. (Okla. 2025), a bill amending Oklahoma's data breach notification statute, became law without the signature of the Governor. The law requires entities experiencing a data breach to notify the state Attorney General of the breach within 60 days after providing notice to impacted residents, with exemptions for breaches affecting fewer than 500 consumers. The new law takes effect on Jan. 1, 2026.

Proposed amendment to California breach notification law

The California State Assembly Judiciary Committee met July 8 to take up a bill that would amend the state law regarding data breaches to require disclosure to individuals affected within 30 calendar days of discovery or notification of the data breach. The bill already passed in the Senate, and on July 8, also passed in the Assembly unanimously. The bill has been referred to the Committee on Appropriations.

SB 446 would allow a business to delay breach notification in order to accommodate the legitimate needs of law enforcement or to determine the scope of the breach and restore the reasonable integrity of the data system. Under existing California law, if a security breach affects more than 500 residents, the individual or business must electronically submit a sample copy of the breach notification, excluding any personally identifiable information to the Attorney General. This bill would also require that submission to the attorney general be made within 15 calendar days of discovery or notification of a security breach affecting 500 or more California residents.

Proposed amendment to New York breach notification law for state and local agencies

The New York Senate voted on June 10 to advance S.B. 8169, Reg Sess., a bill that would amend the state's data breach notification law to require all state entities, including local governments, to notify affected individuals in the event of a data breach where information is merely compromised. The bill now heads to the Assembly where it has been assigned to the Governmental Operations Committee.

The bill would expand the definition of a breach to include the “unauthorized utilization of computerized data” that compromises the security, confidentiality, or integrity of PII. The bill provides certain factors to consider to determine whether an unauthorized utilization has occurred, to include the “indications that a cybersecurity incident” has occurred. A cybersecurity incident is “an  event  occurring  on  or  conducted  through  a computer network that actually or imminently jeopardizes the integrity, confidentiality, or  availability  of  computers, information or communications systems or networks, physical  or  virtual  infrastructure  controlled   by computers or information systems, or information resident thereon.”

This bill means state agencies that have discovered unauthorized access to the network that affects or imminently jeopardizes the integrity, confidentiality, or availability of PII will need to notify individuals, as opposed to discovering actual access or acquisition of PII by an unauthorized party.

Attorneys from McDonald Hopkins’ national data privacy and cybersecurity practice group will continue to monitor and report on recent data security and compliance developments.

Jump to Page

McDonald Hopkins uses cookies on our website to enhance user experience and analyze website traffic. Third parties may also use cookies in connection with our website for social media, advertising and analytics and other purposes. By continuing to browse our website, you agree to our use of cookies as detailed in our updated Privacy Policy and our Terms of Use.