On April 16, 2019, Representatives Saine, Jones and Reives introduced House Bill 904, the long anticipated amendments to the North Carolina Identity Theft Protection Act, N.C. Gen. Stat. § 75-61 et seq.. We first wrote about the proposed legislation in February 2018 [Two Proposed Data Security Laws Reflect National Trend Toward Affirmative Responsibilities]. The bill also amends the definition of identifying information in North Carolina’s criminal identity theft statute, N.C. Gen. Stat. § 14-113.20(b), adopted by reference in the Identity Theft Protection Act’s definition of “personal information.”
HB904, which can be found here, looks a lot like we expected. Highlights include the following:
- Requires businesses to implement reasonable security procedures and practices. Following the trend among states, the bill imposes an obligation on businesses that conduct business in North Carolina or own or license personal information of North Carolina residents to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification or disclosure.
- Sets a time limit on breach notices after discovery or “reason to believe” a breach has occurred. The bill also imposes a maximum 30 day period (absent a law enforcement delay) in which to notify impacted individuals and the North Carolina Attorney General of a data breach after discovery of the breach or reason to believe that a breach has occurred (the current law requires notice “without unreasonable delay” and only after “discovery or notice of the breach”).
- Expands the definition of “personal information.” The bill sets forth an expanded definition of “personal information” to include any information regarding an individual’s medical history, condition, treatment, diagnosis, or genetic information by a health care professional, as well as health insurance information such as the individual’s policy number and other unique identifier used by a health insurer or payer to identify the individual.
- Clarifies when certain other information is considered “personal information” for purposes of the notice and security procedure requirements. The bill clarifies that electronic identification numbers and email names and addresses are not personal information unless the data includes a required security code, access code, or password that “would allow” access to a person’s financial account or resources “or other personal information as defined in this section.” (The access to “other personal information” is a major change from the current law.) Passwords are not covered by the notice and security requirements unless “the business is aware” that the information would permit access to the person’s financial account, resources, or other personal information defined in the Act. Although not perfectly clear, it appears that under the proposed law, Internet identification names and parent legal surname prior to marriage would no longer be considered “personal information” under the Act for purposes of the data breach notice, security and publication sections. (Internet identification names and parent legal surnames are still covered under the criminal identity theft statute.)
- Makes the unauthorized acquisition of or “access to” unencrypted or unredacted personal information subject to the law. Currently, the law defines security breach as an incident of “unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information” where illegal use has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. As expected, the proposed bill makes access to such data alone sufficient to constitute a date breach and trigger notice and other requirements, provided the illegal use or risk of harm element is met.
- Requires businesses to retain any lack of harm determination for three years. The proposed bill requires that a business that does not provide a breach notice because of a determination that illegal use has not occurred or is not reasonably likely to occur or that does not create a material risk of harm to a consumer maintain that determination for three years.
- Requires that CRAs experiencing a data breach and any covered businesses that experience a data breach involving social security numbers provide identity theft monitoring and mitigation services. A consumer reporting agency will be required to offer identity theft monitoring and mitigation services (such as credit monitoring) to impacted “consumers” for 48 months at no cost to the consumer, regardless of the type of “personal information” at issue in the breach. Other businesses must offer such services (by contract with a third party) for 24 months at no cost to a “person” if the business knows or “has reason to know” that the breach involved the person’s social security number.
- Expands the information that a business can be required to provide to the Attorney General in the event of a data breach. The bill states that in addition to the information a business is already required to provide to the Attorney General in the event of a data breach, the Attorney General’s office also can require the business to provide a description of the policies in place regarding breaches, the steps taken to rectify the breach, a copy of any police report, a summary of any incident report, and a summary of the consumer forensic report. The bill states that this information would not be a public record, although companies will still need to be careful about potentially disclosing attorney client information, including forensics conducted under the supervision of counsel.
- Compliance with HIPAA is deemed compliance with the data security and breach notice sections of the law. The current law expressly states that financial institutions in compliance with the Interagency Guidelines are deemed in compliance with the “protection from security breach” section of the Act. Under the proposed bill, persons or agencies that are subject to and in compliance with HIPAA are also deemed in compliance with the law.
- Imposes additional requirements regarding credit checks and on credit reporting agencies. The proposed bill contains numerous new requirements with respect to credit checks and consumer reports through a consumer reporting agency. The bill would expressly require a consumer’s written, verbal or electronic consent before any “person” could obtain, use or seek a consumer report or credit score on a consumer, and consumers have the right to request from a CRA a list of information maintain by a CRA on the consumer and each person or entity to whom the information was disclosed. The bill contains other requirements on CRAs designed to make it easier on consumers to obtain a security freeze, such as eliminating fees and providing a shared website and toll-free number to request a freeze.
Note that a violation of the notice and security requirements of the law would still be a violation of the North Carolina Unfair and Deceptive Trade Practices Act (the “UFTPA”). In addition, a violation will still give an individual a private cause of action under the UFTPA if an “injury” occurs to the individual as a result of the violation. This is significant because the UFTPA provides for treble damages and attorney’s fees, in addition to compensatory damages.
We will continue to monitor HB904 and update our readers regarding further developments.