North Carolina Bill Aims to Strengthen Data Breach Protection Law

By Jenny L. Holmes © Nixon Peabody March 6, 2018

It's clear that data breaches are not going away anytime soon. North Carolina lawmakers are now taking action to improve the state's Identity Theft Protection Act (N.C. Gen. Stat. § 75-60, et seq.). In a bipartisan move, North Carolina State Representative Jason Saine (R) and North Carolina Attorney General Josh Stein (D) joined forces to strengthen the current protections by co-authoring a bill titled The Act to Strengthen Identity Theft Protections. Although a draft of the bill has not yet been released, Saine and Stein announced details of the bill in January and plan to introduce it to the North Carolina General Assembly in May.

While we can expect many changes, we know that the bill will include the following increased protections:

  • Ransomware. The bill would change the definition of "security breach" to include ransomware attacks. Currently, the law only applies to personally identifiable information ("PII") that is acquired, which is not the case in ransomware attacks. The bill also widens the scope of PII to include medical information and insurance account numbers. 
  • 15-Day Notification. The bill would change the timeframe in which covered entities must notify the North Carolina Attorney General and the affected individuals. The current law just requires notification without "unreasonable delay."
  • Affirmative Duty. The bill would require any entity that owns or licenses PII to implement and maintain reasonable security procedures and practices to protect the PII from breach. The bill states that entities that are victims of data breaches and did not maintain reasonable security practices and procedures will have committed a per se violation of the North Carolina Unfair and Deceptive Trade Practices Act (N.C. Gen. Stat. § 75-1.1, et seq.). Each person affected by a data breach would constitute a separate violation.
  • Credit Report Freezes. The bill would require consumer reporting agencies to create a process to add or lift credit reports for free at any time.
  • Control Over Credit Reports. Before using an individual's credit report or score, an entity would need the individual's permission and would have to disclose the reason for seeking the credit information. Likewise, the bill would give the consumer the right to request from a credit reporting agency the information it maintains on him or her, the source of that information, and information about where it was disclosed.

While the bill is still only a proposal, the bipartisan effort will likely give the bill the support it needs to become law. We encourage companies to carefully track this bill and to start auditing any privacy policies to determine what changes will need to be made.

Jenny Holmes is an attorney with Nixon Peabody in Rochester, N.Y. © Nixon Peabody. All rights reserved. Reposted with permission. 

