Important Update: North Carolina Data Breach Laws

What are the Proposed Changes to NC’s Data Breach Laws?

North Carolina’s lawmakers will consider legislation first introduced by the Attorney General Josh Stein and Representative Jason Saine. The proposed law would redefine the term “data breach” and give companies 30 days to report breaches to consumers.

For healthcare providers, this reduces the HIPAA timeframe, which states that breach notifications must go out within 60 days. According to the proposal, this gives consumers additional time to freeze their credit and take steps to prevent identity theft.

The law extends the definition of a breach to include ransomware attacks – a big change for healthcare providers, who have been targeted by recent hackers.

How Do the Proposed Changes Give Consumers Greater Control?

Consumers gain a number of protections, including the following.

• Quicker notification. Receiving notification within 30 days, instead of 60, gives consumers a heads up so that they can take action to protect their credit and identity.
• Credit freeze. Consumers can place a temporary freeze on their credit reports to prevent hackers and thieves from opening unauthorized credit cards in their name.
• Credit monitoring. If a credit reporting company, such as Equifax, is breached, they have to provide four years of free credit reporting to impacted consumers. Other organizations that are breached have to provide two years of free credit reporting.
• Clarifies penalties. Businesses that fail to report breaches within 30 days will be in violation of the Unfair and Deceptive Trade Practices Act.

What Does This Mean for Consumers?

The bill expands consumers’ right to information about the breached data, as follows.

• Consent. A company seeking access to a person’s credit information would need that person to express their permission. The reason for the request has to be provided in writing.
• Right to request information. North Carolinians can ask the consumer reporting agency to give them a list of credit-related and non-credit information, its source, and the entity or person that received it.

Why is the State Considering the New Rules?

North Carolina hosts the headquarters of many credit card companies and financial institutions and the legislation follows a dramatic rise in breaches throughout the state. According to Health IT Security, 1.9 million North Carolina residents were compromised in 1,047 breaches in 2018. This was a 3.4 percent increase over 2017.

This is the second attempt to tighten privacy laws in the state. If this bill passes, North Carolina would join several other states that have passed similar laws to combat digital thieves. For example, Colorado passed legislation to shorten their breach notification to 30 days in 2017, and Iowa is proposing a 45-day deadline to notify consumers.

Is This Just Happening in North Carolina?

On the national front, lobbyists and some Congress members are also calling for more protection for consumers whose data has been compromised. For instance, the Information Technology and Innovation Fund has suggested scrapping the hodge-podge of privacy regulations, such as HIPAA, in favor of more unified federal privacy laws.