On July 17, North Carolina amended its data breach notification law and changed some credit freeze and credit monitoring requirements.
The new law, S.B. 1017, makes two small changes to North Carolina’s notification requirements. First, it requires telling the state Attorney General about breaches of any size, not just those that affect more than one thousand people. Second, it requires the notifications to include contact information for the consumer reporting agencies (CRAs), the FTC, and the North Carolina Attorney General’s office.
The statute still has the same notification triggers as before: it applies to any business that “owns or licenses” personal information. But the statute’s definition of a “security breach” is not limited to breaches of information the business owns or licenses. It may just be a quirk of wording, but it looks like the law requires any business that owns or licenses data to notify people affected by any security breach. In fact, there’s nothing in the language saying that companies only have to disclose their own breaches:
N.C. Gen. Stat. § 75-65(a): Any business that owns or licenses personal information of residents of North Carolina or any business that conducts business in North Carolina that owns or licenses personal information in any form (whether computerized, paper, or otherwise) shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. . . .
I doubt that’s the intention of the law, but there’s the language: companies that own or license data shall notify the affected person that “there has been a security breach.” So, maybe it’s a business’s duty to inform consumers that a competitor has been breached?
Also note the statute’s broad interstate reach, pulling in “any business that conducts business in North Carolina that owns or licenses personal information in any form.” It doesn’t even bother to limit the reach of the statute to businesses that own or license personal information about North Carolina residents.
The law’s big changes are to consumer credit reporting. It makes quite a few changes to the state’s security freeze law: it reduces the time CRAs can take to initiate or remove a freeze from five days to three; gives CRAs fifteen minutes to temporarily lift a freeze once the consumer has requested a temporary lift by phone or e-mail (if the request is by mail, the CRA has three days); prohibits the CRAs from charging for placing, removing, or temporarily lifting a credit freeze unless the request was by mail (the old law allowed charging $10 per request); and requires that credit reports under a freeze say that the freeze does not reflect a negative score, history, report, or rating.
Finally, the law adds a “Credit Monitoring Services Act,” which might as well be titled the “freecreditreport.com” act. It requires anyone who provides credit monitoring or obtains a credit report on behalf of a consumer for a fee to give clear and conspicuous notice of the consumer’s right to a free credit report.