In April 2019, with the introduction of House Bill 904, a bi-partisan effort was made to strengthen cyber security in North Carolina. H.B. 904 seeks to make North Carolina's Identity Theft Protection Act one of the strongest in the nation by broadening the definition of what constitutes a data breach, what proactive steps companies and employers must take to prevent a breach of their customers' or employees' personal information, and the penalties available to victims of data breaches, among other provisions. While H.B. 904 did not make it out of committee and failed to meet the cross-over deadline during the 2019-2020 legislative session, it is anticipated that it will eventually be passed and signed into law if significant federal data breach protections are not passed in the meantime. Therefore, the time for companies that do business in North Carolina, or that otherwise maintain North Carolinians' personal information, to begin preparing for these changes is now.
H.B. 904 changes what constitutes a breach of personal information. Currently, a breach occurs when a person or entity both accesses and acquires a North Carolinian's personal information, but H.B. 904 removes the requirement that the person or entity actually acquires the information. Under the bill, merely accessing the information is a breach.
H.B. 904 also expands what is considered “personal information” to include electronic identification numbers and email addresses related to a North Carolinian's financial records or certain “other personal information,” which under the bill would include HIPAA-protected information.
If passed, H.B. 904 will impose an affirmative duty on companies that do business in North Carolina, or that own or license North Carolinians' personal information, to implement and maintain reasonable security procedures and practices to protect that information. The failure to do so will constitute a per se violation of the North Carolina Unfair and Deceptive Trade Practices Act (NCUDTPA), N.C. Gen. Stat. § 75-1.1, et seq., and may subject a company to a suit by either the North Carolina Attorney General or a private plaintiff. This is significant because the NCUDTPA provides for the award of treble damages and attorney's fees, in addition to compensatory damages, for each violation, and each person affected by the breach is considered a separate violation. Therefore, litigation based on a company's failure to take reasonable proactive steps to prevent a breach could result in the award of significant economic damages.
If a breach does occur, the North Carolina Identity Theft Protection Act currently requires a company to notify impacted individuals and the North Carolina Attorney General without "reasonable delay." H.B. 904 changes that to a strict 30-day reporting deadline. Companies then will be required to provide two years of credit monitoring for each impacted North Carolinian if it is determined that their Social Security numbers were compromised. If the company is a credit reporting agency, it must offer identity theft monitoring and mitigation services for 48 months at no cost regardless of the type of information accessed.
Additionally, H.B. 904 empowers the North Carolina Attorney General to obtain information about a company’s procedures and practices to protect information, a description of the steps taken by a company to rectify a breach, and a summary of any computer forensics report created following a breach. Further, if a company investigates whether a breach occurred, it must retain a copy of the investigation report for three years. If requested by the Attorney General within that three-year period, the company must provide a copy of the report to the Attorney General's Office.
Because H.B. 904 will likely pass in the near future, it is imperative that all companies that maintain personal information of North Carolinians begin to prepare now for the eventual changes to the North Carolina Identity Theft Protection Act. Spilman will continue to monitor the status of H.B. 904 moving forward, and will provide updates when additional information becomes available.