As we continue to see substantial changes in the area of cybersecurity law across the United States as well as globally, North Carolina has undertaken preliminary steps to expand on its current laws within the state. On April 16, 2019, the North Carolina House of Representatives introduced a bipartisan bill to amend North Carolina’s Identity Theft Protection Act. The bill passed its first reading and was referred to committee.
The proposed bill contains numerous changes that will affect how cybersecurity is handled in North Carolina. For example, if passed, the bill would expand the definition of a security breach. Currently, a security breach involves the unauthorized access and acquisition of unencrypted personal information. However, the proposed bill would change this definition to the unauthorized access or acquisition of unencrypted personal information.
Why is this important?
This would likely result in significantly more events that meet the criteria that would trigger a breach notification response. Additionally, under the amended act, if a business makes a determination that illegal use has not occurred, or is not reasonably likely to occur, the business would also need to maintain records of such determination for at least three years.
The proposed bill would also modify how consumer reporting agencies must handle consumers’ requests to place a security freeze on a consumer file. The consumer will have the option to implement the freeze across all consumer reporting agencies as opposed to only the consumer reporting agency that directly received the request. Unless otherwise authorized, the provision allowing a consumer reporting agency to charge a fee for such requests is also removed.
There are also proposed changes to what a business will be required to do to protect against security breaches. For example, the proposed bill would require qualifying businesses to implement and maintain reasonable security procedures and practices, provide notice to all persons affected by a security breach as soon as practicable, but not later than 30 days after discovery of the breach or reason to believe a breach has occurred, and provide notice to the Consumer Protection Division of the attorney general’s office that there has been a security breach as soon as practicable, but not later than 30 days after discovery of the breach or reason to believe a breach has occurred.
The proposed bill would also expand on the definition of identifying information under G.S. Section 14-113.20. The amended definition would now include health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer or payer to identity the person, as well as any information regarding an individual’s medical history or condition, medical treatment or diagnoses, or genetic information, by a health care professional. This is notable as it is this section that establishes identity theft as a felony.
By no means is this an exhaustive list of the changes that the proposed bill would have on the Identity Theft Protection Act in North Carolina. However, these examples do show that North Carolina, similar to many other jurisdictions, understands the continuously evolving risks associated with cybersecurity. While this is currently proposed legislation, prudent business owners should understand the direction the state might be moving when it comes to handling issues related to cybersecurity. Goldberg Segalla will continue to monitor developments in this area and will provide periodic updates as changes occur.