Skip to main content

Nixon Peabody LLP

Article

Proposed North Carolina legislation intends to expand regulation of data breaches and strengthen consumer data protection

Jan 29, 2019

By Valerie Montague

North Carolina Attorney General also releases report of 2018 data breaches.

On January 17, 2019, North Carolina Attorney General Josh Stein and North Carolina Representative Jason Saine announced proposed legislation intended to strengthen the state’s data protection laws.

The existing North Carolina Identity Theft Protection Act (ITPA) is similar to data breach laws in other states, and requires businesses to protect the sensitive information (e.g., social security numbers) of state residents. Businesses must implement policies governing the secure destruction of personal information and train employees accordingly. In the event of a data breach, the ITPA requires notification to impacted individuals without unreasonable delay.

In 2018, Attorney General Stein and Representative Saine introduced legislation to strengthen the ITPA, expanding the definition of a data breach to include a ransomware attack and requiring incident notification within fifteen (15) days. This legislation was not enacted. The 2019 version reflects certain modifications to last year’s proposal. In particular, the new proposed legislation gives entities up to thirty (30) days to report a data breach to those impacted North Carolina residents and the North Carolina Attorney General.

According to a fact sheet, the proposed legislation goes beyond most breach reporting laws by requiring entities that determine an incident did not result in harm to document that determination for review by the North Carolina Attorney General. If enacted, this will bring greater scrutiny to data hacks, ransomware events and other incidents that may not necessarily result in reportable breaches under the federal HIPAA regulations or other state or federal laws.

Attorney General Stein also released a report summarizing the 1,057 data breaches reported to his office last year. According to the report, these breaches impacted more than 1.9 million North Carolina residents, which is a 63% decrease from 2017 when breaches impacted approximately 5.3 million residents. As to the causes of these breaches, the report indicates that phishing schemes comprised 26% of the breaches, with hacking breaches decreasing slightly as compared to 2017.

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe