North Carolina Reintroduces Strict Data Breach Notification Law


By Jessica Davis

North Carolina Attorney General Josh Stein and Rep. Jason Saine reintroduced data privacy legislation that would give organizations just 30 days to report a breach.

For healthcare providers in the state, the law would effectively cut in half the notification time outlined in HIPAA, which mandates breach notifications occur within 60 days of discovery. According to the proposal, the tighter notification will “allow people to freeze their credit across all major credit reporting agencies and take other measures to prevent identity theft before it occurs.”

Further, the bill would redefine a breach to include ransomware attacks, in which personal information is accessed but potentially not acquired. This is also particularly notable for healthcare organizations, as hackers continue to target the sector with ransomware attacks.

The bill also outlines consumer data protections, including giving individuals the right to request a list of the data maintained on them, the source, and where it was disclosed.

If passed, the legislation would also mandate that breached organizations provide victims with two years of free credit monitoring. Victims would also be allowed to freeze their credit without cost.

The legislation comes in response to the steady increase of breaches throughout the state, Stein explained. According to a report released in conjunction with the proposed law, 1.9 million North Carolina residents saw their data compromised through 1,047 breaches in 2018.

In fact, the report found a 3.4 percent increase in breach notices from 2017 to 2018.

The proposal is the second attempt for the state at revamping its privacy law. In January 2018, Saine and Stein introduced legislation that would give businesses just 15 days to report a breach after discovery. According to Saine, they spent the year working with citizen advocates like AARP and the business community to redraft the law.

“We are strongly committed to getting this right and creating a strong framework for protecting our most personal information,” Saine said in a statement.

“This number is way too high. North Carolina’s laws on this issue are strong – but they need to be even stronger,” Stein said in a statement. “Saine and I want to do everything we can to keep people’s personal information safe.”

If passed, the bill would join a host of other state efforts to tighten consumer data protections. Last year, Colorado introduced similar legislation that would truncate the breach notification timeline to 30 days, while Iowa proposed notifications be sent within 45 days.

On the federal level, many groups and members of Congress have made similar calls for increased data protections. Most recently, the Information Technology and Innovation Fund recommended the patchwork of privacy regulations, like HIPAA, be repealed and replaced with a unified federal privacy law.