The Proposed Overhaul of North Carolina’s Data-Breach Law Could Have Big-Time Consequences
Ellis & Winters
One might expect N.C. Gen. Stat. § 75-1.1 to play a big role in data-breach litigation. The statute, after all, offers the prospect of treble damages and attorney fees.
But, historically, it hasn’t. Only three decisions—from federal courts in 2009, 2014, and 2017—appear even to have considered 75-1.1 claims in the context of a data breach.
That all could change. Last week, North Carolina Attorney General Josh Stein and Republican state representative Jason Saine announced a plan to overhaul North Carolina’s data-breach law.
We’re still waiting to see the bill, but the announcement included a Fact Sheet with the proposed legislation’s key elements. Two of those elements caught my attention.
First, the bill would meaningfully change the notification obligations imposed by North Carolina’s Identity Theft Protection Act, N.C. Gen. Stat. § 75-60 et seq., on businesses that suffer a security breach:
- The definition of “security breaches” for which notification is required would now include incidents of mere “access” to information—such as ransomware attacks like the one recently suffered by Mecklenburg County—regardless of whether they pose a material risk of harm to a consumer.
- Businesses would be held to a strict 15-day deadline for notifying consumers and the Attorney General about a security breach.
Second, the bill would require businesses to implement and maintain reasonable security measures to protect individuals’ personal information against a security breach. The Fact Sheet doesn’t define those measures, other than to say that they must be “appropriate to the nature of personal information.” Fifteen other states have passed similar laws.
Here’s where section 75-1.1 comes into the picture: the proposed legislation would make any violation of this new affirmative data-security duty a per se violation of section 75-1.1. As I’ll discuss below, this could be a pretty big deal for data-breach litigants.
The Current and Limited Options for 75-1.1 Claims on Data Breaches
Not many data-breach plaintiffs bring 75-1.1 claims, and for good reason. Leaving aside the failure to notify consumers of a security breach (which under section 75-65(i) is an automatic 75-1.1 violation), there’s no obvious way to bring the failure to prevent a breach within section 75-1.1’s ambit.
At first blush, a deception theory might seem like a viable option. A plaintiff could allege that the business represented that it employed safeguards to protect the plaintiff’s personal information, but that those representations were misleading, because the safeguards were insufficient. A deception-based claim, however, would require actual and reasonable reliance on those security-related representations. This would be no small task given the growing body of 75-1.1 case law striking down deception-based 75-1.1 claims on the pleadings for failing to meet that threshold.
A direct-unfairness theory likely wouldn’t fare any better. A plaintiff could allege that a business’s failure to protect personal information is by itself an “unfair” practice, but courts have struggled to decide whether particular conduct is unfair enough to violate section 75-1.1. And although the theory finds some support in the data-security “common law” developed by the Federal Trade Commission, no court appears ever to have held that failing to protect personal information is unfair under section 75-1.1.
Deficient Data Security as a Per Se 75-1.1 Violation?
The proposed legislation would give plaintiffs a third—and much easier—way to make out a 75-1.1 claim: a per se theory. According to the Fact Sheet, “[a] business that suffers a breach and failed to maintain reasonable security procedures will have committed a violation of the Unfair and Deceptive Trade Practices Act.”
The proposed legislation would therefore allow data-breach plaintiffs to bypass the difficult question of whether a business’s data security practices can give rise to 75-1.1 liability. The inquiry would instead be whether the business’s security procedures were reasonable and “appropriate to the nature of the information” it held. And that inquiry—which could require a fact-intensive consideration of the business’s security procedures and the nature of the security breach—would often not be susceptible to a motion to dismiss under Rule 12.
The availability of a per se 75-1.1 claim could thus give data-breach plaintiffs a substantial strategic advantage. Defendants might often be forced to confront, from the outset, the prospect that a fact-finder will determine that their information-security programs failed to satisfy the amorphous “reasonable security” standard. And if the price of losing that battle is a treble damages award under section 75-1.1, many businesses would face increased pressure to settle early.
Troubled Waters Ahead for Data-Breach Defendants?
Without the bill text, it’s hard to say whether the proposed overhaul will lead to more data-breach lawsuits under section 75-1.1. Various factors could avoid or limit that result.
First, even if the proposed data-security requirement is adopted and violations are declared per se violative of 75-1.1, the General Assembly might nonetheless preclude a private right of action to enforce that 75-1.1 violation. Other states with similar data-security statutes—such as Arkansas, Florida, and Massachusetts—have followed this approach. Those states have limited enforcement to the state’s attorney general.
Second, the General Assembly could allow a private right of action, but preclude or limit the availability of treble damages. This approach has precedent: North Carolina’s records disposal law, section 75-64, requires businesses to take “reasonable measures” to protect personal information “in connection with or after its disposal.” The statute makes a violation of that requirement a per se violation of section 75-1.1, but it also prohibits the trebling of damages where the violation was caused by the business’s “nonmanagerial employees . . . unless the business was negligent in the training, supervision or monitoring of those employees.”
Finally, data-breach defendants will still have other defenses, including and especially those based on lack of injury-in-fact sufficient to establish standing and/or to state a claim. As we’ve discussed before, these “lack of injury” defenses can present a substantial hurdle for data-breach plaintiffs.
But if the reward for clearing that hurdle is automatic treble damages, plus the chance to get attorney fees, more plaintiffs might attempt the leap.