As Congress continues to wrestle with federal privacy legislation, the states have been lining up alternative proposals. North Carolina has introduced its own bipartisan bill. The bill, H.B 904, will not pass this year. Even so, analysis of its provisions reveal some key changes that are likely to affect current practices. The top ten are:
First, businesses that handle personally identifiable information (PII) will be under a statutory duty to have reasonable security procedures in place to guard against a protection breach. All companies should document their security processes and evaluate them against the “reasonableness” benchmark.
Second, failure to maintain reasonable security procedures that results in a breach will violate the North Carolina Unfair and Deceptive Trade Practices Act, N.C. Gen. Stat. § 75-1.1, et seq. With treble damages and statutory fees, breach cases will attract the attention of the class action bar.
Third, companies that suffer a breach will have to notify the Attorney General’s officer within 30 days of discovery. Current law mandates only that this notification be made without unreasonable delay.
Fourth, all persons affected by the breach must be notified “as soon as practicable.” This notification must be sent within 30 days of discovery. Given the need for preliminary investigation and lining up assistance logistics, this is a tight time frame. However, the business may provide notification by email if it regularly communicates with the affected persons electronically.
Fifth, in the event of a breach, the business must provide the Consumer Protection Division of the Attorney General’s office with certain materials. These include security procedures, remedial steps, incident summaries, and forensics. These reporting obligations are more stringent than those currently required.
Sixth, the definition of breach has changed. Current law defines a breach as the “acquisition” of PII. Under the proposed legislation, mere “access” to PII, for example in a ransomware incident, would constitute a breach. So unauthorized access to data, whether or not it was appropriated, will constitute a breach.
Seventh, the definition of “personal information” has been amended. “Internet account numbers” would not be considered PII. On the other hand, virtually any health information, including policy numbers, subscriber identification, medical history, treatment, diagnosis, or genetic information would be PII. In practical terms, any HIPAA breach would also be a PII breach reportable to the North Carolina Attorney General’s office.
Eighth, a company can determine that a security breach has not occurred if the exposed PII has not been used illegally, is unlikely to be used illegally, or if no material risk of harm is created. Such a determination must be documented. The documentation must be maintained and available for inspection for a minimum of three years.
Ninth, consumer reporting agencies must maintain a “one stop shop” to enable credit freezes. Unless specifically authorized, no fee may be charged for this service.
Finally, the legislation mandates that a business affected by a security breach offer credit monitoring service at no cost to the affected individuals. The length of mandatory reporting varies from two to four years depending on the business and type of breach.
H.D. 904 is unlikely to be on the statute books soon. That said, absent national privacy legislation, companies and employers should begin planning for its enactment. At a minimum, they should consult with counsel to identify gaps in their current processes. An ounce of prevention is worth a ton of cure in data security. Or, like with all predators, if one waits till one appears, it is already too late.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or email@example.com. Mike may be reached at 919.783.2851 or firstname.lastname@example.org.