Oklahoma's New Data Breach Law: What Nonprofits Need to Know (and Do) in 2026
- Dana Schuler Drummond

- Jan 16
- 4 min read
Not in Oklahoma? Your state probably has a similar law.

Note: I am not an attorney or an expert on data protection. However, as someone who has worked in the Oklahoma nonprofit sector since the late 1980s, I have seen the evolution of data usage across the years -- from paper files in file cabinets to secure systems in the cloud. As a software developer and application owner, I also understand the complicated nature of collecting and protecting data. All that to say, I kind of know what I’m talking about…but I’m not a data expert.
Beginning January 1, 2026, Oklahoma’s updated data breach law significantly changed how organizations, including nonprofits, must prepare for and respond to data breaches. Even though most nonprofits don’t handle vast amounts of data, most are directly affected by this law, particularly those that accept online donations, manage client records, or maintain employee files. [For the nerds out there who want to look it up, here is a link to Senate Bill 626, with amendments made effective 01/01/2026].
You don’t need to be a data security guru, but by understanding the law and how it impacts your organization, you will not only reduce risk to your organization but also increase the trust donors, clients, and the community place in you. All of that helps you better fulfill your mission and vision.
Why This Law Matters for Nonprofits
Nonprofits often collect sensitive personal information (see definition below), typically spread across multiple systems. Donor databases, case management platforms, HR files, volunteer records, and email systems likely hold data that falls squarely under Oklahoma’s expanded definition of “personal information.”
Before you start planning a data security capital campaign, take comfort that the law does not require enterprise-level cybersecurity. It does, however, require nonprofits to act responsibly and intentionally, and it expects you to recognize current risks such as credential theft, ransomware, and unauthorized access to cloud-based systems.
Definition of “Personal Information”
Before this year, personal information was pretty much limited to Social Security numbers, driver’s license numbers, and the like. Under the new law, personal information means any unencrypted data consisting of:
An individual’s first name or first initial and last name in combination with one or more of the following:
Social Security number;
Driver’s license number;
Financial account information (bank account number, credit card number, etc.);
Unique electronic identifier or routing code in combination with an access code or password;
Unique biometric data that is used to identify a specific individual.
For nonprofits, this means a breach of a donor CRM, payroll system, or even an email account could trigger legal obligations if this kind of data is exposed. Note that the definition covers unencrypted data, so encrypting the personal information you store narrows what counts as a reportable exposure.
You Must Notify the People Affected
The law already required, before the 2026 amendments, that an organization notify affected individuals when there is a reasonable belief that their personal information was accessed and acquired by an unauthorized person. The nonprofit should make this notification as quickly as possible.
You Must Notify the Attorney General’s Office
One of the most significant changes is the introduction of mandatory state notification.
If a data breach affects 500 or more Oklahoma residents, nonprofits must notify the Oklahoma Attorney General within 60 days after the affected individuals are notified. If the breach affects 1,000 or more individuals, the credit reporting agencies must also be notified.
“Reasonable Safeguards” Are Expected
While you don’t have to invest millions in a cybersecurity program, your nonprofit does have to maintain reasonable safeguards to protect personal information. So, what does that mean?
For nonprofits, “reasonable” is relative to size and capacity. Examples include:
Documented risk assessments (even brief, annual reviews)
Role-based access to sensitive data
Strong passwords and multi-factor authentication
Staff training on phishing and data handling
A written incident response plan
Having these items in place demonstrates that you made a reasonable effort to protect data, even if a breach still occurs. Not only is this the responsible way to operate, but it could also help you reduce or avoid civil penalties if something goes wrong. It also limits your actual damages and penalties to $75,000.
Vendors Are a Major Risk Area
I can already hear executive directors saying, “Well, we use Donor Perfect, so the responsibility is on them!” Sorry -- that doesn’t get you off the hook.
No matter who your vendors are (donor platforms, payroll processors, IT providers, or case management systems), you are still responsible for the data of yours that they hold.
Review your vendor contracts to ensure they include data security obligations and prompt breach notification requirements. Just like the safeguards mentioned above, having vendor contact information and escalation procedures ready before an incident occurs can save critical time and shows that you are diligent.
Okay, So What Do We Do Now?
This law elevates data protection to a governance issue, not just an IT concern. Executive directors and boards should ensure that:
The organization knows what data it collects and where it is stored
A breach response plan exists and is documented
Staff know how to report suspected incidents
Leadership understands notification thresholds and timelines
Most nonprofit boards review organizational policies, procedures, and bylaws annually. That is the perfect time to review data protection practices as well.
This is a Pretty Manageable Requirement
The good news is that Oklahoma’s updated breach law is practical and achievable for nonprofits. It does not mandate expensive technology or unrealistic controls. Instead, it rewards organizations that take reasonable, documented steps to protect the people they serve.
For nonprofits, compliance is not just about avoiding penalties—it’s about stewardship. Protecting donor trust, client confidentiality, and organizational credibility is central to mission-driven work.
Preparing now ensures that if a breach occurs, your nonprofit can respond calmly, transparently, and in compliance with the law.