Tougher Data Breach Notification Laws in North Carolina Sought By State AG

With the increasing number of data breaches impacting North Carolina residents in 2017, state representative Jason Saine and state Attorney General Josh Stein introduced a new bill that sought to revise North Carolina’s data breach notification laws and improve protections for state residents.

The bill, called Act to Strengthen Identity Theft Protections, was introduced in January 2018 and recommended modifications to state laws that would likely make North Carolina breach notification laws some of the toughest in the United States. The bill’s January 2018 version recommended a broader definition of a breach, adjustments to the personal information definition, and set a 15 day maximum time limit from the discovery of a breach to send notification letters to breach victims.

Rep. Saine and Attorney General Stein reintroduced the bill on January 17, 2019 with some notable changes. The modified bill coincides with the release of the state’s security breach report for 2018. The report reveals that there were 1,057 data breaches that impacted 1.9 million state residents in 2018. Although 2018 had 63% fewer breach victims than 2017, there was a 3.4% year over year increase in the number of breaches.

The original revision to the definition of a data breach is used in the revised bill. A breach is defined as “any incident of unauthorized access to or acquiring somebody’s personal data that may harm the person,” which means breach notifications would also need to be issued in the event of a ransomware attack.

The revised bill additionally necessitates businesses that own or license personal data to implement reasonable security processes and practices, which should be matched to the nature of data gathered and managed. The personal information definition has also been broadened to include healthcare data, genetic details, and insurance account numbers.

The 2018 version of the bill required breach notifications to be sent within 15 days of discovering a breach, although the revised version has extended the time frame to 30 days.

Any business experiencing a data breach that is found not to have implemented appropriate security measures or did not issue breach notifications within 30-days of discovering a breach would be deemed to have violated the Unfair and Deceptive Trade Practices Act, and may face a civil monetary penalty.

If the bill is passed, state residents are going to be permitted to put a credit freeze on their credit reports at zero cost and credit agencies will need to set up a one-stop shop for freezing and unfreezing credit reports.

Companies based in or doing business in North Carolina will have to offer breach victims 2 years of complimentary credit monitoring services in case of a breach of Social Security numbers, and 4 years of complimentary credit monitoring services for breaches at credit agencies.

Any business that would like to gain access to or utilize a person’s credit report or credit score is going to be required to acquire consent from the individual ahead of the event and should explain why information access is necessary. State residents also have the right to request a consumer reporting agency to provide a listing of all data the agency keeps, which includes credit and non-credit related data, and a listing of the entities that have had access to the information.