The Overhaul of North Carolina’s Data-Breach Law: Take Two
Ellis & Winters
Around this time last year, we discussed a proposal by North Carolina Attorney General Josh Stein and Republican state representative Jason Saine to overhaul North Carolina’s data-breach law. That proposal didn’t get much traction: no bill was ever formally presented to the legislature for consideration.
On January 17, Attorney General Stein and Representative Saine announced a new proposal. This post explores the new proposal and its potential impacts for businesses that handle North Carolina residents’ personal information.
How we got here.
Attorney General Stein and Representative Saine introduced their new proposal because they believe too many North Carolinians—an estimated 1.9 million in 2018—have been affected by data breaches. Attorney General Stein issued an annual Data Breach Report with the new proposal that shows over 1,000 data breaches were reported to his office in 2018. The chief causes of those breaches? Hacking and phishing attacks.
According to their news release, after introducing the original proposal last year, Attorney General Stein and Representative Saine spent significant time working with groups including the AARP and the North Carolina business community on the proposed legislation.
That work led to three changes in the proposal that may be especially significant for businesses.
The original proposal would have required a business to notify individuals and the Attorney General’s office whenever personal information is subject to unauthorized access—even if the business believes there is no risk of harm to those individuals. The idea, apparently, was to empower the individuals and the Attorney General—instead of the business—to determine the risk of harm.
The new proposal appears to put the “risk of harm” determination back into the business’s hands. But there’s a catch: if the business decides there is no risk of harm and that notifying individuals is unnecessary, it must “document that determination for the Attorney General’s Office to review.” That approach mirrors similar provisions in data-breach laws adopted by several other states, including Alabama, Alaska, Florida, Iowa, Louisiana, Maryland, Missouri, Oregon, South Dakota, and Vermont.
Notify me ASAP.
Second, the new proposal would impose a 30-day deadline to notify individuals and the Attorney General’s office of a breach. That’s double the 15-day deadline in the original proposal. But it would still put North Carolina in a tie with Colorado and Florida as the states with the shortest explicit breach notification deadlines in the nation.
Third, the new proposal would require any business that suffers a data breach involving individuals’ social security numbers to offer those individuals two years of free credit monitoring. As we’ve noted before, breached companies often make these offers voluntarily. But under the new proposal North Carolina would join Connecticut, Delaware, and Massachusetts (starting April 11, 2019) as states that require companies to offer these types of services after certain kinds of breaches.
Still not fair.
Aside from these three changes, the new proposal retains the original’s expansion of the existing definition of personal information to include medical information and insurance account numbers. But it adds “genetic information” to that expanded definition.
The new proposal also keeps the original’s requirement that companies implement and maintain reasonable security procedures and practices to protect personal information from security breaches. And it carries forward the “clarification” that violations of that new duty constitute a per se violation of N.C. Gen. Stat. § 75-1.1. As we argued last year, this could be a pretty big deal.
Interestingly, however, the new proposal omits the original’s statement that “each person affected by the breach represents a separate and distinct violation” of section 75-1.1. It’s hard to tell whether that omission reflects a real change. It could mean that each incident, instead of each affected individual, will be counted as a 75-1.1 violation—an obvious positive for businesses. Or it could just mean that the law will be silent on this point, which would allow room for courts—and the Attorney General—to adopt the more aggressive interpretation.
We’re still waiting for text of the proposed bill to be introduced. When it is, these changes may turn out to be more—or less—significant than the new proposal would lead us to believe.
It’s worth noting, however, that Attorney General Stein has been especially focused on privacy and data security enforcement as of late. In the last two months alone, his office joined with other state attorneys general in a first-of-its-kind HIPAA-related data breach lawsuit against a breached electronic health record company in Indiana and participated in a multistate settlement with Nieman Marcus over its 2013 data breach.
If that trend continues, businesses should buckle up: we might well see some aspects of this new proposal become law in 2019.
Author: Alex Pearce