In April 2019, with the introduction of House Bill 904, a bi-partisan effort was made to strengthen cyber security in North Carolina. H.B. 904 seeks to make North Carolina's Identity Theft Protection Act one of the strongest in the nation by broadening the definition of what constitutes a data breach, what proactive steps companies and employers must take to prevent a breach of their customers or employees' personal information, and the penalties available to victims of data breaches, among other provisions. While H.B. 904 did not make it out of committee and failed to meet the cross-over deadline during the 2019-2020 legislative session, it is anticipated that it will eventually be passed and signed into law if significant federal data breach protections are not passed in the meantime. Therefore, the time for companies that do business in North Carolina, or that otherwise maintain North Carolinians' personal information, to begin preparing for these changes is now.
H.B. 904 changes what constitutes a breach of personal information. Currently, a breach occurs when a person or entity both accesses and acquires a North Carolinian's personal information, but H.B. 904 removes the requirement that the person or entity actually acquires the information. Under the bill, merely accessing the information is a breach. H.B. 904 also expands what is considered “personal information” to include electronic identification numbers and email addresses related to a North Carolinian's financial records or certain “other personal information,” which under the bill would include HIPAA-protected information.
If passed, H.B. 904 will impose an affirmative duty on companies doing business in North Carolina, or who own or license North Carolinians' personal information, to implement and maintain reasonable security procedures and practices to protect that informa ..