A North Carolina bill designed to strengthen the state’s data breach notification statute could radically change incident response.  Through the Act to Strengthen Identity Theft Protections, North Carolina could quickly become one of the strictest jurisdictions for data security in the country.  The text of the bill has not yet been made public, but a fact sheet released earlier this month indicates that North Carolina may take drastic steps to address the fact that 5.3 million North Carolinians were impacted by data breaches in 2017. 

Specifically, the bill would include the following provisions:

  • The definition of a data breach would expressly include ransomware attacks, in which personal information has been accessed but not necessarily acquired.  This is in line with the interpretation advanced by the Office of Civil Rights of the Department of Health and Human Services on HIPAA-related ransomware incidents, but it would be the first state notification statute to explicitly include ransomware in the definition of a breach.  Inclusion of ransomware in the definition of a breach could substantially alter data security incident investigations and breach notifications.
  • The deadline for notification of consumers would be a mere 15 days after discovery of a data security incident.  This would be 15 days faster than the current earliest deadline for notifying data subjects and would pose significant logistical challenges for any company required to give notice.  If the North Carolina bill becomes law, the first question everyone should be asking in a data breach scenario is whether any North Carolina residents were impacted, as time will be at a premium.
  • If a breach happens at a credit reporting agency, that agency would be required to provide five years of free credit monitoring to affected consumers.  Although affecting a narrow industry, this could have significant ramifications for the future of credit monitoring.  The current standard practice is to offer consumers one year of free credit monitoring protection (although at least one state encourages two years).  There is no other statute or regulation that we are aware of that would even come close to requiring five years of protection.  Additionally, insurance policies that cover data breach response typically would not cover the costs associated with that many years of credit monitoring.

Although the bill has been proposed only in North Carolina, it could have far-reaching implications.  State legislatures have often followed the leads of other, more restrictive states in modifying their own data protection statutes.  With data privacy being a popular topic in the news and a significant concern for consumers, it would not be at all surprising if other states adopted the same model as North Carolina.  But even if North Carolina stands alone, it still has the prospect to radically change data breach response scenarios because the speed with which an investigation must be conducted to comply with North Carolina’s 15-day notice requirement would, as a practical matter, apply to all investigations to the extent North Carolina data subjects are at issue.

We will continue to follow the North Carolina bill with great interest.  We also will be watching for similar statutes to pop up in other states, so be sure to watch this space for further updates.