[BreachExchange] North Carolina Amendments to Data Breach Law Finally Introduced

Destry Winant destry at riskbasedsecurity.com
Thu Apr 18 10:16:37 EDT 2019


https://www.jdsupra.com/legalnews/north-carolina-amendments-to-data-14102/

On April 16, 2019, Representatives Saine, Jones and Reives introduced
House Bill 904, the long anticipated amendments to the North Carolina
Identity Theft Protection Act, N.C. Gen. Stat. § 75-61 et seq. We
first wrote about the proposed legislation in February 2018 [Two
Proposed Data Security Laws Reflect National Trend Toward Affirmative
Responsibilities]. The bill also amends the definition of identifying
information in North Carolina’s criminal identity theft statute, N.C.
Gen. Stat. § 14-113.20(b), adopted by reference in the Identity Theft
Protection Act’s definition of “personal information.”

HB904, which can be found here, looks a lot like we expected.
Highlights include the following:

- Requires businesses to implement reasonable security procedures and
practices. Following the trend among states, the bill imposes an
obligation on businesses that conduct business in North Carolina or
own or license personal information of North Carolina residents to
implement and maintain reasonable security procedures and practices to
protect personal information from unauthorized access, destruction,
use, modification or disclosure.

- Sets a time limit on breach notices after discovery or “reason to
believe” a breach has occurred. The bill also imposes a maximum 30 day
period (absent a law enforcement delay) in which to notify impacted
individuals and the North Carolina Attorney General of a data breach
after discovery of the breach or reason to believe that a breach has
occurred (the current law requires notice “without unreasonable delay”
and only after “discovery or notice of the breach”).

- Expands the definition of “personal information.” The bill sets
forth an expanded definition of “personal information” to include any
information regarding an individual’s medical history, condition,
treatment, diagnosis, or genetic information by a health care
professional, as well as health insurance information such as the
individual’s policy number and other unique identifier used by a
health insurer or payer to identify the individual.
- Clarifies when certain other information is considered “personal
information” for purposes of the notice and security procedure
requirements. The bill clarifies that electronic identification
numbers and email names and addresses are not personal information
unless the data includes a required security code, access code, or
password that “would allow” access to a person’s financial account or
resources “or other personal information as defined in this section.”
(The access to “other personal information” is a major change from the
current law.) Passwords are not covered by the notice and security
requirements unless “the business is aware” that the information would
permit access to the person’s financial account, resources, or other
personal information defined in the Act. Although not perfectly clear,
it appears that under the proposed law, Internet identification names
and parent legal surname prior to marriage would no longer be
considered “personal information” under the Act for purposes of the
data breach notice, security and publication sections. (Internet
identification names and parent legal surnames are still covered under
the criminal identity theft statute.)

- Makes the unauthorized acquisition of or “access to” unencrypted or
unredacted personal information subject to the law. Currently, the law
defines security breach as an incident of “unauthorized access to and
acquisition of unencrypted and unredacted records or data containing
personal information” where illegal use has occurred or is reasonably
likely to occur or that creates a material risk of harm to a consumer.
As expected, the proposed bill makes access to such data alone
sufficient to constitute a data breach and trigger notice and other
requirements, provided the illegal use or risk of harm element is met.

- Requires businesses to retain any lack of harm determination for
three years. The proposed bill requires that a business that does not
provide a breach notice because of a determination that illegal use
has not occurred or is not reasonably likely to occur or that does not
create a material risk of harm to a consumer maintain that
determination for three years.

- Requires that CRAs experiencing a data breach and any covered
businesses that experience a data breach involving social security
numbers provide identity theft monitoring and mitigation services. A
consumer reporting agency will be required to offer identity theft
monitoring and mitigation services (such as credit monitoring) to
impacted “consumers” for 48 months at no cost to the consumer,
regardless of the type of “personal information” at issue in the
breach. Other businesses must offer such services (by contract with a
third party) for 24 months at no cost to a “person” if the business
knows or “has reason to know” that the breach involved the person’s
social security number.

- Expands the information that a business can be required to provide to
the Attorney General in the event of a data breach. The bill states
that in addition to the information a business is already required to
provide to the Attorney General in the event of a data breach, the
Attorney General’s office also can require the business to provide a
description of the policies in place regarding breaches, the steps
taken to rectify the breach, a copy of any police report, a summary of
any incident report, and a summary of the consumer forensic report.
The bill states that this information would not be a public record,
although companies will still need to be careful about potentially
disclosing attorney client information, including forensics conducted
under the supervision of counsel.

- Compliance with HIPAA is deemed compliance with the data security
and breach notice sections of the law. The current law expressly
states that financial institutions in compliance with the Interagency
Guidelines are deemed in compliance with the “protection from security
breach” section of the Act. Under the proposed bill, persons or
agencies that are subject to and in compliance with HIPAA are also
deemed in compliance with the law.

- Imposes additional requirements regarding credit checks and on credit
reporting agencies. The proposed bill contains numerous new
requirements with respect to credit checks and consumer reports
through a consumer reporting agency. The bill would expressly require
a consumer’s written, verbal or electronic consent before any “person”
could obtain, use or seek a consumer report or credit score on a
consumer, and consumers have the right to request from a CRA a list of
information maintained by a CRA on the consumer and each person or
entity to whom the information was disclosed. The bill contains other
requirements on CRAs designed to make it easier on consumers to obtain
a security freeze, such as eliminating fees and providing a shared
website and toll-free number to request a freeze.

Note that a violation of the notice and security requirements of the
law would still be a violation of the North Carolina Unfair and
Deceptive Trade Practices Act (the “UFTPA”). In addition, a violation
will still give an individual a private cause of action under the
UFTPA if an “injury” occurs to the individual as a result of the
violation. This is significant because the UFTPA provides for treble
damages and attorney’s fees, in addition to compensatory damages.

We will continue to monitor HB904 and update our readers regarding
further developments.
