Proposed Changes To North Carolina’s Identity Theft Protection Act: What Do Businesses Need To Know?
By Saad Gul and Michael E. Slipsky
The year was 2005. Napster was hip. The iPhone was still two years away. Facebook was still a niche. And North Carolina was one of the first states in the union to enact a data breach notification statute. The North Carolina Identity Theft Protection Act (ITPA), N.C. Gen. Stat. § 75-60 et seq., imposes data protection obligations that have now become standard in most state breach statutes.
Among other provisions, ITPA mandated that businesses guard the personal information of their customers and clients. “Publishing” or failing to safeguard the personally identifiable information (PII) of North Carolina residents could potentially violate the state Unfair and Deceptive Trade Practices Act. The violator would be liable for heavy damages and attorneys’ fees. The North Carolina Attorney General had separate ITPA enforcement powers.
Among other provisions, ITPA required that businesses:
· Protect social security numbers;
· Dispose of records in a manner that protected sensitive information;
· Institute policies to protect data, including employee training;
· Notify affected North Carolina residents in the event of a breach.
In the years following ITPA’s enactment, virtually all states passed similar legislation. For its part, the North Carolina General Assembly seemed content to let law enforcement and courts handle data issues. That approach may be coming to an end.
Following a series of high-profile breaches in 2017, however, the legislature has signaled a tougher stance. If the bipartisan Act to Strengthen Identity Theft Practices (ASITP) becomes law, North Carolina will have some of the most stringent data protection provisions in the nation.
ASITP stemmed from some alarming statistics contained in the Attorney General’s annual report. Attorney General Josh Stein noted that in 2017:
· 1,022 data breaches affected 5.3 million state residents;
· Hacking accounted for half of those breaches, a proportion that had doubled in five years;
· Reports of hacking had increased by more than 3,500 percent;
· Phishing scams had also increased.
In light of these figures, ASITP sponsor Rep. Jason Saine stressed the need to provide consumers with timely information and the tools to protect themselves. To this end, ASITP proposes two additional requirements.
Firstly, ASITP requires speedier notification to affected residents and regulators. ITPA’s only requirement is that notification be made without “unreasonable delay.” ASITP would require notification within 15 days of discovery of the breach.
While 15 days may seem ample, affected businesses will find it aggressive. Discovery of the breach, which starts the clock, is only the first step in the process. The affected business will need to investigate the extent of the incident. It should consult counsel regarding its obligations and potential exposure. It will have to retain experts and notification services (through counsel if possible, to protect privilege). Depending on available coverage, it may have insurer-related obligations as well.
In light of these requirements, 15 days is a tight window. It is particularly tight for businesses that have not considered the possibility of a breach and made some preparations. At a minimum, businesses should have anticipated the possibility and drawn up contingency plans. Full incident response plans are even better. And ideally, those incident response plans should have been tested in tabletop exercises.
Secondly, ASITP specifies that a breached business that failed to maintain “reasonable security procedures” has violated the Unfair and Deceptive Trade Practices Act. And each person affected would be a separate and distinct violation of the Act. Note that “reasonable security procedures”, like beauty, are often in the eye of the beholder. This is another reason why contingency planning, preferably with assistance of counsel, should be undertaken before any breach.
Given the aggressive timetables and significant potential penalties, businesses should regularly review their security practices and procedures to mitigate legal and technical risk to the maximum extent possible. This is indeed an area where an ounce of prevention is worth a pound of cure.
After all, 2017 was a bumper year for breaches. But every indication is that the 2017 records will not stand long.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or firstname.lastname@example.org. Mike may be reached at 919.783.2851 or email@example.com.