In a post-Equifax environment, state-level data security regulation is on the rise. And in many instances, state regulatory regimes are getting tougher.

The most recent state to step up is North Carolina, which could quickly rival New York in imposing the strictest data security regulations in the country.

The North Carolina bill—called “The Act to Strengthen Identity Theft Protections”—would penalize businesses that suffer breaches if they failed to maintain reasonable data security procedures and practices, as well as require rapid notification to affected consumers. It will also expand the definition of breaches to include ransomware attacks.

The proposed bill seeks to impose an affirmative duty on businesses to maintain reasonable security procedures and practices to protect personal information from a breach. A business that disregards that duty opens itself up to potential liability under North Carolina’s Unfair and Deceptive Trade Practices Act, which provides for treble damages and attorneys’ fees. Under the proposal, each person affected by the breach would constitute a separate violation of the law.

This provision underscores the importance for companies to develop holistic, enterprise-wide data security programs aimed at the particular data security risks they face.

Also of note, the bill requires businesses that suffer a breach to notify affected consumers within 15 days, which is much stricter than many current state laws that require notification “as soon as practicable” or “without reasonable delay.” It also expands the definition of data breach to include unauthorized access to personal information so that ransomware attacks are covered by the definition. The current North Carolina statute only requires that the personal information be acquired—not merely accessed.

North Carolina Attorney General Josh Stein unveiled the proposed legislation earlier this month through a press release and a fact sheet. According to the press release, an estimated 5.3 million North Carolinians were affected by data breaches in 2017. Stein, a Democrat, has partnered with State Representative Jason Saine, a Republican, to co-author the bill.

The fact sheet contains highlights of the proposed legislation (a draft of the bill is not yet available), which will presumably amend North Carolina’s Identity Theft Protection Act. Other proposals contained in the bill include:

  • Expanding the definition of protected personal information to include medical information and insurance account numbers;

  • Requiring the following in the event of a breach:

    • free credit freezes for affected consumers,

    • free credit reports for affected consumers,

    • free credit monitoring for affected consumers, if the security breach occurs at a consumer reporting agency, such as Equifax;

  • Requiring companies to obtain consent from consumers before using their credit reports and to disclose the reasons for seeking the credit reports; and

  • Granting consumer the right to request certain information from consumer reporting agencies.

If this bill becomes law, North Carolina would have one of the strictest data security laws in the country. We will continue to monitor the progress of the bill and provide updates as warranted.