N.D. Cent. Code § 26.1-02.2-08 (2025)
1. The following exceptions apply to this chapter: a. A licensee with less than five million dollars in gross revenue or less than ten million dollars in year-end assets is exempt from subsections 2 through 10 of section 26.1-02.2-03. b. A licensee that is subject to, governed by, and compliant with the privacy, security, and breach notification rules issued by the United States department of health and human services, title 45, Code of Federal Regulations, parts 160 and 164, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 [Pub. L. 104-191], and the federal Health Information Technology for Economic and Clinical Health Act [Pub. L. 111-5], and which maintains nonpublic information concerning a consumer in the same manner as protected health information is deemed to comply with the requirements of section 26.1-02.2-03. c. An employee, agent, representative, or designee of a licensee, that also is a licensee, is exempt from section 26.1-02.2-03 and is not required to develop an information security program to the extent the employee, agent, representative, or designee is covered by the information security program of the other licensee.
2. If a licensee ceases to qualify for an exception, the licensee has one hundred eighty days to comply with this chapter.