Data privacy regulation tends to take one of two general approaches. In most of the world—but not in the United States—the approach is usually characterized as “omnibus.” Under an omnibus regime, privacy rights are defined at a high level of generality and all activities that affect those rights are subject to regulation. In the United States, the approach is “sectoral” rather than omnibus. As the name implies, under a sectoral regime, privacy rights and regulations depend upon the industry sector in which you are operating and the activities you are undertaking. For example, if you are a provider of hospital services or a business associate of a hospital service provider, you would be subject to HIPAA’s privacy rules regarding your patients’ protected health information.
However, even under the American sectoral approach, it is important to note that there are certain privacy laws that apply without regard to your industry sector (and in addition to sector specific laws like HIPAA). These include state-law data breach notification statutes, which are typically tied to the residency of the affected individuals. For example, if you were to experience a data breach that affected residents of North Carolina, South Carolina and Virginia, you would need to comply with those states’ respective data breach notification statutes.
North Carolina’s data breach notification law is called the North Carolina Identity Theft Protection Act (ITPA). The ITPA dates back to 2005 and was one of the earliest laws of its kind.
The ITPA requires businesses to protect the personally identifiable information (PII) of their customers and clients. Unauthorized disclosures or other failures to protect the PII of North Carolina residents in accordance with the ITPA can result in liability under the state’s Unfair and Deceptive Trade Practices Act. Such liability could include treble damages and the obligation to pay the plaintiff’s attorneys’ fees. The North Carolina Attorney General is also empowered to enforce the ITPA.
Among other things, the ITPA requires that businesses:
- Protect social security numbers;
- Dispose of records in a manner that protects sensitive information;
- Institute policies to protect data, including employee training; and
- Notify affected individuals in the event of a data breach.
While the ITPA is substantially similar to other states’ data breach notification statutes, a series of high-profile breaches in 2017 prompted state lawmakers to propose the Act to Strengthen Identity Theft Practices (ASITP). If ASITP becomes law, North Carolina will have some of the most stringent data protection laws in the nation.
The impetus for ASITP originated from some alarming statistics contained in the Attorney General’s 2017 annual report. That report noted over a thousand data breaches affecting more than 5 million North Carolina residents, a doubling in hacking-based data breaches, a 3,500% increase in reported hacking incidents, and substantial increases in reported “phishing” scams.
Given these figures, ASITP’s sponsor, Rep. Jason Saine, has stressed the need to provide consumers with timely information and the tools to protect themselves in the wake of a data breach. To this end, ASITP would impose two new requirements.
First, ASITP would impose a specific breach notification timeframe. At present, the ITPA’s only requirement is that notification be made without “unreasonable delay.” ASITP, however, would require notification within 15 days of discovery of the breach.
We believe that affected businesses will find compliance with this timeframe to be difficult. Discovery of the breach, which starts the clock, is only the first step in the breach response process. In order to provide a fully informed notification, the affected business will need to investigate the nature and extent of the incident. It should also consult with legal counsel regarding its obligations and potential exposure. It will have to retain experts and notification/remediation services (through counsel if possible, so as to protect legal privilege). Depending on available coverage, it may have insurer-related obligations as well.
Given the complex nature and large number of tasks to be undertaken in the wake of a breach, a 15-day notice period could prove to be a very tight window. It is particularly tight for businesses that have not adequately prepared for a breach. At a minimum, businesses should have anticipated the possibility of a data breach and drawn up contingency plans. Full incident response plans are even better. Ideally, those incident response plans would also have been periodically tested in so-called “table top” exercises and updated as necessary.
Second, ASITP specifies that a breached business that failed to maintain “reasonable security procedures” will be deemed to have violated the Unfair and Deceptive Trade Practices Act. Moreover, each person affected by the breach would constitute a separate and distinct violation of the Act. Note that “reasonable security procedures,” like beauty, are often in the eye of the beholder. This is another reason why data security policies and incident response plans, preferably prepared with the assistance of counsel (and potentially with the assistance of third-party data security consultants), should be designed and implemented before the business experiences a breach. Being able to point to adequate and up-to-date security policies and planning will help to show that the business maintained “reasonable security procedures.”
ASITP would also broaden the definition of “security breach” to include unauthorized access to PII, as well as unauthorized acquisition of PII. This broadened definition would bring “ransomware” attacks within its scope. In a typical ransomware attack, the perpetrator does not acquire the target’s PII but rather accesses the target’s IT systems for purposes of encrypting the PII so that it can demand a ransom for the decryption key.
Given ASITP’s aggressive timetables and significant potential penalties, we recommend that businesses that collect and process PII regularly review their security practices and procedures in order to mitigate their legal and operational risk.
Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601 | © Poyner Spruill LLP. All rights reserved.