On April 16, 2019, Representatives Saine, Jones and Reives introduced House Bill 904, the long anticipated amendments to the North Carolina Identity Theft Protection Act, N.C. Gen. Stat. § 75-61 et seq.. We first wrote about the proposed legislation in February 2018 [Two Proposed Data Security Laws Reflect National Trend Toward Affirmative Responsibilities]. The bill also amends the definition of identifying information in North Carolina’s criminal identity theft statute, N.C. Gen. Stat. § 14-113.20(b), adopted by reference in the Identity Theft Protection Act’s definition of “personal information.”
HB904, which can be found here, looks a lot like we expected. Highlights include the following:
Note that a violation of the notice and security requirements of the law would still be a violation of the North Carolina Unfair and Deceptive Trade Practices Act (the “UFTPA”). In addition, a violation will still give an individual a private cause of action under the UFTPA if an “injury” occurs to the individual as a result of the violation. This is significant because the UFTPA provides for treble damages and attorney’s fees, in addition to compensatory damages.
We will continue to monitor HB904 and update our readers regarding further developments.