April 19, 2021

Volume XI, Number 109


April 16, 2021

North Carolina’s Much Anticipated Data Breach Notification Law Amendment Moves to General Assembly

The much-anticipated amendment to North Carolina’s data breach notification law that we reported on earlier this year (see here) has finally been introduced to the state’s General Assembly. The bill, entitled an Act Amending the Identity Theft Protection Act, House Bill DRH40393-LR10C, is primarily sponsored by State Representatives Jason Saine (R), Brenden H. Jones (R), and Robert T. Reives II, and was developed closely with Attorney General Josh Stein.

Some important changes have been made to the proposed bill since the version we reported on back in January. Below are the key differences between the two versions of the bill:

  • The definition of “security breach” was not expanded to include ransomware attacks. Originally, the anticipated bill was set to expand the definition of “security breach” to include ransomware attacks. Although this is not included in the current version of the bill, the definition of “security breach” was expanded to include an obligation that “any determination that illegal use has not occurred or is not reasonably likely to occur or that no material risk of harm is created shall be documented and maintained for at least three years.”
  • 30-day data breach notification period instead of 15. The bill originally proposed included a 15-day period for notifying affected consumers and the Attorney General following a breach. The bill introduced to the General Assembly instead includes a 30-day notification period, which is still considered brief, tying Colorado and Florida for the shortest data breach notification period in the nation.
  • Free Credit Monitoring Services for 24 months. The original proposal included an obligation for consumer reporting agencies experiencing a breach to provide affected consumers with free credit monitoring services for 5 years. Instead, the bill introduced to the General Assembly includes an obligation for any entity covered by the bill that experiences a breach involving Social Security numbers to provide free credit monitoring services to affected consumers for 24 months. If passed, North Carolina would join California, Connecticut, Delaware, and Massachusetts as states that require free credit monitoring services for affected consumers after certain types of breaches.
  • Expansion of the definition of personal information to include certain types of medical information. The bill, if passed, would expand the definition of personal information to include “[h]ealth insurance policy number[s], subscriber identification number[s], or any other unique identifier[s] used by a health insurer or payer to identify [a] person,” and “any information regarding the individual’s medical history or condition, medical treatment or diagnosis, or genetic information, by a health care professional.” That said, the new bill also creates an exception for HIPAA-compliant entities, which limits the significance of the expanded definition of personal information, as many entities potentially facing breaches of medical information are subject to HIPAA.

This bill, if passed into law, would be a substantial overhaul of North Carolina’s data breach notification law. It would keep North Carolina in line with other states currently enhancing their data breach notification laws in light of the large-scale data breaches flooding the media of late. Organizations across the United States should be evaluating and enhancing their data breach prevention and response capabilities.

Jackson Lewis P.C. © 2021 National Law Review, Volume IX, Number 115



About this Author


Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and...

Maya Atrakchi is the Knowledge Management (“KM”) Attorney for Jackson Lewis P.C.’s Privacy, e-Communication and Data Security and International Employment Issues Practice Groups, and is based in the New York City, New York, office of Jackson Lewis P.C.