The much-anticipated amendment to North Carolina’s data breach notification law that we reported on earlier this year (see here) has finally been introduced to the state’s General Assembly.   The bill entitled, an Act Amending the Identity Theft Protection Act, House Bill DRH40393-LR10C, is primarily sponsored by State Representatives Jason Saine (R), Brenden H. Jones (R), and Robert T. Reives II, and was developed closely with Attorney General Josh Stein.

Some important changes were made to the proposed bill, following the version we reported on back in January. Below are the key differences between the two versions of the bill:

• The definition of “security breach” was not expanded to include ransomware attacks. Originally, the anticipated bill was set to expand the definition of “security breach” to include ransomware attacks. Although this is not included in the current version of the bill, the definition of “security breach” was expanded to include an obligation that “any determination that illegal use has not occurred or is not reasonably likely to occur or that no material risk of harm is created shall be documented and maintained for at least three years.”
• 30-day data breach notification period instead of 15. The bill originally proposed included a 15-day notification period to affected consumers and the Attorney General following a breach. The bill introduced to the General Assembly, instead includes a 30-day notification period, which is still considered brief, tying Colorado and Florida for the shortest data breach notification period in the nation.
• Free Credit Monitoring Services for 24 months. The original proposal included an obligation for consumer reporting agencies experiencing a breach to provide affected consumers with free credit monitoring services for 5 years. Instead the bill introduced to the General Assembly includes an obligation for any entity covered by the bill that experiences a breach involving Social Security numbers to provide free credit monitoring services to affected consumers for 24 months. If passed, North Carolina would join California, Connecticut, Delaware, Massachusetts, as states that require free credit monitoring services to affected consumers after certain types of breaches.
• Expansion of the definition of personal information to include certain types of medical information. The bill, if passed, would expand the definition of personal information to include “[h]ealth insurance policy number[s], subscriber identification number[s], or any other unique identifier[s] used by a health insurer or payer to identify [a] person,” and “any information regarding the individual’s medical history or condition, medical treatment or diagnosis, or genetic information, by a health care professional.” That said, the new bill also creates an exception for HIPAA compliant entities, which limits the significance of the expanded definition of personal information, as many entities potentially facing breaches to medical information are subject to HIPAA.

This bill, if passed into law, would be a substantial overhaul to North Carolina’s data breach notification law. It would keep North Carolina in line with other states currently enhancing their data breach notification laws in light of the large-scale data breaches flooding the media of late.  Organizations across the United States should be evaluating and enhancing their data breach prevention and response capabilities.