August 11, 2020

Volume X, Number 224


August 10, 2020


Data Breach Notification Revisions in North Carolina Would Bring Radical Change

A North Carolina bill designed to strengthen the state’s data breach notification statute could radically change incident response.  Through the Act to Strengthen Identity Theft Protections, North Carolina could quickly become one of the strictest jurisdictions for data security in the country.  The text of the bill has not yet been made public, but a fact sheet released earlier this month indicates that North Carolina may take drastic steps to address the fact that 5.3 million North Carolinians were impacted by data breaches in 2017. 

Specifically, the bill would include the following provisions:

  • The definition of a data breach would expressly include ransomware attacks, in which personal information has been accessed but not necessarily acquired. This is in line with the interpretation advanced by the Office for Civil Rights of the Department of Health and Human Services on HIPAA-related ransomware incidents, but it would be the first state notification statute to explicitly include ransomware in the definition of a breach. Inclusion of ransomware in the definition of a breach could substantially alter data security incident investigations and breach notifications.

  • The deadline for notification of consumers would be a mere 15 days after discovery of a data security incident.  This would be 15 days faster than the current earliest deadline for notifying data subjects and would pose significant logistical challenges for any company required to give notice.  If the North Carolina bill becomes law, the first question everyone should be asking in a data breach scenario is whether any North Carolina residents were impacted, as time will be at a premium.

  • If a breach happens at a credit reporting agency, that agency would be required to provide five years of free credit monitoring to affected consumers.  Although affecting a narrow industry, this could have significant ramifications for the future of credit monitoring.  The current standard practice is to offer consumers one year of free credit monitoring protection (although at least one state encourages two years).  There is no other statute or regulation that we are aware of that would even come close to requiring five years of protection.  Additionally, insurance policies that cover data breach response typically would not cover the costs associated with that many years of credit monitoring.

Although the bill has been proposed only in North Carolina, it could have far-reaching implications. State legislatures have often followed the leads of other, more restrictive states in modifying their own data protection statutes. With data privacy being a popular topic in the news and a significant concern for consumers, it would not be at all surprising if other states adopted the same model as North Carolina. But even if North Carolina stands alone, it still has the potential to radically change data breach response, because the speed with which an investigation must be conducted to comply with North Carolina’s 15-day notice requirement would, as a practical matter, apply to every investigation in which North Carolina data subjects are at issue.

© 2020 Vedder Price

National Law Review, Volume VIII, Number 22


About this Author


Blaine C. Kimrey is a Shareholder in the Litigation practice area in the firm’s Chicago office.

A former journalist at two daily newspapers (the Austin American-Statesman and the Arkansas Democrat-Gazette), Mr. Kimrey is a trial lawyer who has dedicated more than 20 years to working for and defending media entities. Mr. Kimrey’s practice, however, extends well beyond media defense, focusing on a broad range of direct and class action litigation involving topics as diverse as privacy, consumer deception, intellectual property,...

312-609 7865

Bryan Clark is an Associate at Vedder Price and a member of the Litigation group in the firm’s Chicago office.  He has an extensive media and privacy practice that includes privacy class action defense, mobile-marketing litigation, class action TCPA litigation, copyright litigation, right of publicity litigation, data breach response, FOIA issues, reporter’s privilege issues and prepublication review.

Mr. Clark’s other representative work includes drafting successful dispositive motions in right of publicity and invasion of privacy cases, arguing successful motions to quash on behalf of media entities facing subpoenas, defeating motions for preliminary injunction in intellectual property litigation, and advising advertising and marketing clients on compliance issues. He presents on issues related to digital privacy and data breach before a national audience, such as the ABA Annual Meeting in 2013.

Mr. Clark is a member of the Trial Bar for the Northern District of Illinois and has first-chair trial experience in federal court. As a litigator, Mr. Clark has been involved in a broad range of matters in addition to media and privacy, including topics as diverse as loan enforcement and foreclosure, consumer fraud, environmental, construction, and insurance law. He also has handled a variety of pro bono engagements, including work for nonprofit media entities, representation of an Illinois prisoner with multiple sclerosis, and Section 1983 civil rights litigation

312-609 7810