N.D. Cent. Code § 54-59.1-03 (2025)
Until a cybersecurity incident is resolved, an entity shall disclose clarifying details regarding a cybersecurity incident to the department, including:
1. The number of potentially exposed records;
2. The type of records potentially exposed, including health insurance information, medical information, criminal justice information, regulated information, financial information, and personal information;
3. Efforts the entity is undertaking to mitigate and remediate the damage of the incident to the entity and other affected entities; and
4. The expected impact of the incident, including: a. The disruption of the entity services; b. The effect on customers and employees that experienced data or service losses;
c. The effect on entities receiving wide area network services from the department; and d. Other concerns that could potentially disrupt or degrade the confidentiality, integrity, or availability of information systems, data, or services that may affect the state.