Proposed Overhaul of North Carolina Security Breach Notification Law Would Make It One of the Toughest in the Nation

Client Alerts Privacy & Data Security

Yesterday, North Carolina state Representatives Jason Saine (R), Brenden H. Jones (R), Robert T. Reives II (D), and Pricey Harrison (D) introduced a much-anticipated bill overhauling North Carolina’s Identity Theft Protection Act. The bill, developed in close cooperation with Attorney General Josh Stein, would make North Carolina’s breach notification law one of the toughest in the nation. Organizations that do business in North Carolina, or that otherwise maintain or possess information regarding North Carolina residents, should pay close attention to the legislation—particularly in light of the Attorney General’s strong stance on privacy and data security and recent pattern of increased regulatory activity in the area. The bill’s primary focus is data security breach notification, but it would also create affirmative data-security obligations and impose additional obligations pertaining to consumer reporting agencies and consumer reports.

The proposed 30-day breach notification timeline would match the shortest industry-agnostic timeline in the nation for notice to individuals. The bill would replace the current “without unreasonable delay” standard for breach notification with a requirement that notice to individuals and regulators be made “as soon as practicable, but not later than thirty (30) days after discovery of the breach or reason to believe a breach has occurred.” The 30-day deadline would tie Florida and Colorado for the shortest industry-agnostic individual notice timeline in the nation. But the good news is that the 30-day timeline is less strict than the 15-day requirement originally proposed in a 2018 fact sheet. To meet this strict timeline, organizations will need thorough incident response procedures that account for immediate retention of counsel, digital forensic experts, and other vendors.

Additionally, if notice is delayed pending a law enforcement investigation, organizations would be required to notify within five days of receiving law enforcement’s “determination that notice will no longer impede the investigation or jeopardize national or homeland security.” Organizations are currently only required to notify “without unreasonable delay” after receiving such a determination.

Breached organizations would be required to offer at least two years of free credit monitoring to affected individuals after a security breach involving Social Security numbers. More specifically, the proposed legislation would require an organization that experiences a security breach that it “knows or has reason to know” involves Social Security numbers to “contract with a third party” to provide free credit monitoring services to each affected individual for at least 24 months. North Carolina would join Connecticut, Delaware, and Massachusetts as states requiring offers of free credit monitoring after certain types of security breaches. 

The “security breach” definition would be expanded to include mere access to personal information. Under current law, an incident is not a security breach unless there is “unauthorized access and acquisition” of personal information. The bill would change the definition to include any “unauthorized access or acquisition” of personal information. This change would increase the number of incidents that must be reported under North Carolina law.

The “personal information” definition would be expanded to include health insurance identifiers and information related to “medical history or condition.” The bill would add two categories to the definition of personal information: (1) “[h]ealth insurance policy number[s], subscriber identification number[s], or any other unique identifier[s] used by a health insurer or payer to identify [a] person,” and (2) “any information regarding the individual’s medical history or condition, medical treatment or diagnosis, or genetic information, by a health care professional.” The “medical history or condition” element would significantly expand the information protected by North Carolina law as it could arguably  extend to  information such as emails regarding sick leave or pictures of individuals indicating a medical condition. This change in the law would increase security breach notifications and require organizations to monitor significantly more information than the current law requires.

The proposed legislation expands opportunities for electronic notice and creates a HIPAA exception. The current law limits the use of electronic notice to affected individuals who have agreed to receive communications electronically. The bill would expand that provision to permit electronic notice to affected individuals for whom the organization has a valid email address and with whom it regularly conducts business electronically.

The proposal would also deem entities “subject to and in compliance with” HIPAA to be compliant with North Carolina’s notification law. Any organizations claiming the benefit of this exception that notify affected individuals or regulators of a security breach pursuant to HIPAA would still be required to notify the Consumer Protection Division of the Attorney General’s Office. Nevertheless, the addition of the HIPAA exception, as well the relaxation of the electronic notice provision, would be welcome changes to the current law.

Organizations would be required to document “risk of harm” determinations and retain them for three years. Similar to many other states, North Carolina’s law includes a “harm threshold” for breach notification. An organization is not required to notify where illegal use of personal information has not occurred, is not likely to occur, and where there is not a material risk of harm to consumers. But if passed, the bill would require organizations to document their determination that the harm threshold applies and retain that documentation for three years. This is a similar approach to the breach laws of other states, including Alabama, Alaska, Florida, Iowa, Louisiana, Maryland, Missouri, New Jersey, Oregon, South Dakota, and Vermont.

The bill provides guidelines regarding the Attorney General’s investigation of security breaches. The bill states that the Consumer Protection of the Attorney General’s office “may request” the following additional information after an organization notifies it of a breach: (1) “[a] description of the policies in place regarding breaches,” (2) “[s]teps taken to rectify the breach,” (3) “[a] copy of the police report, if applicable,” (4) “[a] summary of the incident report,” (5) [a] summary of the computer forensics report, if a forensic examination was undertaken,” and (6) copies of the notice to consumers and information about the notification method. This provision indicates that document requests will be a focus of future Consumer Protection Division investigations. Therefore, it is critical that organizations involve experienced outside counsel as soon as possible in the event of a potential security breach to help ensure legal privilege attaches to communications and other documentation generated in connection with the breach response process to the maximum extent possible. Organizations would also be well-advised to create incident response procedures or reevaluate their existing procedures, which may come under scrutiny in the event of a breach.

Organizations would have affirmative data security obligations—and be exposed to claims for treble damages and attorney’s fees for alleged violations. In addition to modifying the rules for breach notification, the bill would also impose a new affirmative duty on organizations to “[i]implement and maintain reasonable security procedures and practices, appropriate to the nature of the personal information and the size, complexity, and capabilities of the business.”

Perhaps one of the most important changes in the proposed legislation, this new requirement would create major legal exposure for organizations subject to the law. As drafted, the bill would treat any violation of this new requirement as a per se violation of North Carolina’s unfair or deceptive trade practices statute, which allows successful plaintiffs to recover treble damages and attorney’s fees. This new provision would almost certainly contribute to increased security breach litigation. There would also be significant pressure on defendants to settle claims because they would lose their ability to argue that the failure to maintain “reasonable security” is not an unfair or deceptive trade practice under North Carolina law. This provision could also lead to “unreasonable security” lawsuits arising from incidents that do not constitute a “security breach” under the statute.

The proposal would impose additional requirements regarding consumer reporting agencies and consumer reports. Several proposed provisions would create additional requirements for consumer reporting agencies regarding security freezes, credit monitoring offers for consumer-reporting-agency breaches, and individual rights regarding personal information held by consumer reporting agencies. The bill would also ban obtaining, using, or seeking a consumer report or credit score in connection with a credit application without a consumer’s consent.

Conclusion. This bill would result in a major overhaul to North Carolina’s security breach notification requirements, making the law one of the toughest in the country. Organizations conducting business in North Carolina should monitor the bill’s progress through the legislative process and update their data security and incident response programs accordingly.