North Carolina Proposed Data Breach Legislation & Security Breach Report 2017
Tuesday, January 30, 2018

On January 8, 2018, the State of North Carolina released its Security Breach Report 2017, which highlights a 15 percent increase in breaches since 2016. At the same time, North Carolina introduced new legislation aimed at reducing the number of data security incidents affecting North Carolina residents. This new legislation, named the Act to Strengthen Identity Theft Practices (ASITP), announced by Representative Jason Saine and Attorney General Josh Stein, attempts to combat the data breach epidemic by expanding North Carolina’s breach notification obligations, while reducing the time businesses have to comply with notification to the affected population and to the North Carolina Attorney General’s Office. If enacted, this new legislation will be one of the most aggressive U.S. breach notification statutes.

North Carolina’s Security Breach Report 2017

In 2017, North Carolina experienced a total of 1,022 data breaches that impacted approximately 5.3 million North Carolina residents. Health care, financial services and insurance businesses accounted for 38 percent of these breaches, with general businesses making up just over half. Almost 75 percent of all breaches resulted from phishing, hacking and unauthorized access, reflecting an overall increase of more than 3,500 percent in reported hacking incidents alone since 2006. Since 2015, phishing incidents have increased over 2,300 percent. These numbers emphasize the warning to beware of emails or texts requesting personal information and underscore the need to follow up by telephone to confirm such requests. As a best practice, it is advisable to always transmit personal information via secure methods.

As with all states, not all of North Carolina’s data breaches reported in 2017 resulted from phishing or hacking incidents. Just over 25 percent of data breaches were caused by traditional criminal activity such as computer and data theft, accidental disclosures or logistical failures such as lost shipments. This highlights the importance of best practices, including proper training, oversight, policies and procedures to protect personal information.

Proposed New Legislation

The Fact Sheet concerning the ASITP as published by the North Carolina Attorney General proposes that the AG take a more direct role in the investigation of data breaches closer to their time of discovery, so that it can “determine the risk of harm – not the breached organization.” To accomplish this goal, the ASITP proposes a significantly shorter period of time for an entity to provide notification to the affected population and to the North Carolina Attorney General. Currently, North Carolina’s statute mandates that notification be made to affected individuals and the Attorney General without “unreasonable delay.” Under the ASITP, the new deadline for all notifications would be 15 days following discovery of the data security incident. This would be the shortest deadline in the nation, and it is important to note that notification vendors typically require 5 business days to process, print and mail notification letters. This deadline may require small to mid-size companies to divert resources from recovering operations to investigation of the incident.

The proposed legislation also seeks to (1) expand the definition of “protected information” to include medical information and insurance account numbers, and (2) penalize those who fail to maintain reasonable security procedures by charging them with a violation under the Unfair and Deceptive Trade Practices Act for each person whose information is breached.

Finally, the ASITP expands the definition of what constitutes a breach to include ransomware, where personal information is accessed but not necessarily acquired. Notification would be required where personal information is encrypted by an outside intruder, making North Carolina the first state with a breach notification statute that defines ransomware as unlawful access of personal information. This is certain to increase the number of incidents reportable to residents of North Carolina and the North Carolina Attorney General. It is worth noting that while North Carolina is the first state to include the term “ransomware” in its data breach statute, several states, including Florida, Connecticut, Kansas, Louisiana, and New Jersey, define a breach as unauthorized “access” to personal information, a definition that can encompass a ransomware attack. Additionally, a ransomware attack may be considered a data breach under HIPAA if personal health information is accessed in the attack.

While we await the final format and timeline for this proposed legislation, contact a member of Wilson Elser’s Cybersecurity & Data Privacy practice for more information about how you can defend against cyber-attacks and remain in compliance with the changing legal landscape.

We have prepared and included below a chart of current state notification deadlines for comparison to the new proposed legislation.

Breach Notification Timeline

Time After Discovery of Breach

  Action Required

10 Calendar Days

  • Puerto Rico Department of Consumer Affairs

15 Calendar Days

  • NC residents and NC AG (proposed under the ASITP)

14 Business Days

  • Vermont AG preliminary notification

15 Business Days

  • California residents, California AG, and California Department of Public Health must be notified of the disclosure of PHI by a clinic, health facility, home health agency, or hospice licensed by the California Department of Public Health (“CDPH”)

30 Calendar Days

  • Florida residents, AG (500+ residents) (Can request 15 day extension) (60 Days for PHI/HIPAA incidents).
  • Indiana AG will open an investigation if not notified within 30 days

45 Calendar Days

  • Ohio residents
  • Tennessee residents (60 Days for PHI/HIPAA incidents)
  • Vermont residents, AG
  • Washington residents, AG (500+ residents) (60 Days for PHI/HIPAA incidents)
  • Wisconsin residents (60 Days for PHI/HIPAA incidents)
  • New Mexico residents, AG (500+ residents)
  • Maryland residents (60 Days for PHI/HIPAA incidents)

60 Calendar Days

  • Individuals and HHS OCR for PHI disclosure.
  • Delaware (effective 4/14/18), AG (500+ residents)

90 Calendar Days

  • Connecticut residents (60 days for PHI/HIPAA incidents)

Most expedient time and without unreasonable delay

  • AK, AZ, AR, CA (other than as noted above), CO, DE (until 4/14/18), DC, GA, HI, ID, IL, IA, KS, KY, ME, MA, MI, MN, MS, MO, MT, NV, NJ, NY, NC, ND, OK, OR, PA, PR, SC, UT, VA, WV, WY

As soon as possible

  • NE, NH, TX

Days After Confirmation of Breach

  Action Required

45 Calendar Days

  • Rhode Island residents, AG (500+ residents) (60 Days for PHI/HIPAA incidents)
