The bill amends the Security Breach Notification Act in Oklahoma, updating several sections to enhance the definitions and requirements surrounding data breaches. Key modifications include a clearer definition of "breach of the security of a system," which now specifies that unauthorized access to unencrypted and unredacted data that compromises personal information is considered a breach. The bill also introduces new requirements for notifying the Attorney General about breaches, stipulating that notice must be provided within 60 days of informing affected residents. Additionally, it establishes exemptions for breaches affecting fewer than 500 residents and outlines the confidentiality of information submitted to the Attorney General.

Furthermore, the bill revises the enforcement mechanisms and penalties for violations of the act. It allows the Attorney General or district attorneys to enforce the act similarly to the Oklahoma Consumer Protection Act, with civil penalties for breaches not exceeding $150,000. The bill also provides a framework for reasonable safeguards that, if implemented, can serve as a defense against civil penalties. The act is set to take effect on January 1, 2026, ensuring that entities have time to comply with the new requirements.