Data Breach Notification Bill Introduced in North Carolina

A new data breach notification bill has been introduced in North Carolina in response to the rise in breaches of personal information in 2017. Last year, more than 5.3 million residents of North Carolina were impacted by data breaches.

The rise in data breaches prompted state Attorney General Josh Stein and state Representative Jason Saine to introduce the Act to Strengthen Identity Theft Protections. If passed, North Carolina will have some of the toughest data breach notification laws in the United States.

The Act, introduced on January 8, 2018, is intended to strengthen protections for state residents. The Act updates the definitions of personal information and security breaches, and decreases the allowable time to notify state residents of a breach of their personal information.

The definition of personal information has been expanded to include insurance account numbers and medical information. It is currently unclear whether the new law will apply to organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) or if they will be deemed to be in compliance with state laws if they comply with HIPAA.

The definition of a breach has been updated to include any breach of personal information, including ransomware attacks, even if the personal information of state residents is only encrypted by ransomware and no data theft has occurred.

In the event of a breach of personal information, the Act requires companies to issue notifications to breach victims within 15 days of the discovery of a breach. Faster breach notifications will allow consumers to take prompt action to secure their accounts and limit potential harm from the exposure of their personal information.

Breaches must also be reported to the Attorney General’s office. This will empower the attorney general to determine the risk of harm from the breach, rather than leaving it to the breached entity to make that determination.

The Act also requires businesses to implement and maintain reasonable security protections to keep data secure. The nature of those protections should be appropriate to the sensitivity of the data concerned. The failure to implement sufficient controls would be deemed a violation of the Unfair and Deceptive Trade Practices Act, and each person whose data has been exposed would represent “a separate and distinct violation of the law.”

North Carolina residents must also be allowed to place a credit freeze on their accounts free of charge and the Act requires credit reporting agencies “to put in place a simple, one-stop shop for freezing and unfreezing a consumer’s credit reports.” This would allow consumers to quickly and easily freeze and unfreeze credit across all major consumer reporting agencies.

A new provision has also been included to cover credit reference and consumer reporting agencies. If those agencies experience a breach, they will be required to provide five years of free credit monitoring services to consumers.

A summary of the Act is available here.

Image source: By Darwinek [CC BY-SA 3.0] via Wikimedia Commons

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.