BlogLine

Enhanced Privacy and Data Security Law on Tap for North Carolina

2/8/18

By: Paul H. Derrick
A bi-partisan privacy and data security bill will soon be rolled out in North Carolina, and its impact will be significant. North Carolina Attorney General Josh Stein and State Representative Jason Saine are co-authoring “The Act to Strengthen Identity Theft Protections.”  According to a recent press release and fact sheet, they plan to seek its introduction in the State’s General Assembly during the coming months.
The bill will bring dramatic changes to North Carolina’s existing Identity Theft Protection Act, particularly in two areas: (1) the imposition of an affirmative duty to implement and maintain data security procedures and practices; and (2) a 15-day breach notification window.  Companies that experience a data breach and have failed to maintain reasonable security practices will be deemed to have committed a per se violation of the North Carolina Unfair and Deceptive Trade Practices Act, and each person affected by the breach would constitute a separate and distinct violation of the law.  With provisions for treble damages and attorney’s fees, even for nominal violations, data breach litigation would quickly become much more lucrative for plaintiffs’ attorneys.
The proposed bill also would require companies to notify affected individuals and the Attorney General within 15 days following discovery or notification of a breach.  That is a substantial change from the current law’s requirement that notification be made “without unreasonable delay.”  Businesses will need to have a response plan already in place in the event a breach occurs, rather than waiting until the time arrives to develop a course of action.
Other provisions in the legislation update the definition of security breach to include ransomware attacks, broaden the definition of “personally identifiable information” to include medical information and insurance account numbers, allow consumers to freeze and unfreeze their credit without charge, and provide individuals with greater access to and control over their personal data.
Because it already has strong bi-partisan support, some version of the bill will almost surely be passed into law. North Carolina employers must not wait until that happens to begin preparing for it, however.  Businesses should audit their existing internal privacy and data security programs now and immediately develop meaningful and legally-compliant safeguards in any areas that are lacking.
Please contact Paul Derrick at pderrick@fmglaw.com or anyone in FMG’s Data Security, Privacy, & Technology practice group if you would like more information on developing and implementing privacy and data security programs. We also have extensive experience in guiding organizations through data breaches and representing clients in data breach litigation.