North Carolina bill to amend Identity Theft Protection Act and to increase consumer protection post-breach

On April 16, 2019, North Carolina House of Representative introduced H.B. 904. The Bill amends the Identity Theft Protection Act.

Among the many changes introduced, the Bill:

  • amends the definition of security breach to include any incident of “unauthorized access to or acquisition of (was, access to and acquisition of) unencrypted and unreacted records or data containing personal information where illegal use of the personal information has occurred or is likely to occur or that creates a material risk of harm to the customer, or of encrypted records or data containing personal information along with the confidential process or key. Adds a new requirements that any determination that illegal use has not occurred or is not reasonably likely to occur or that no material risk of harm is created must be documented and maintained for at least three years;”
  • prohibits any consumer reporting agency from charging a fee for the placement or removal of a protected consumer security fee (previously allowed a fee of up to $5 for certain requests);
  • requires any “business that owns or licenses personal information of residents or any business that conducts business in the State that owe or licenses personal information in any form to implement and maintain reasonable security measures and practices;”
  • requires these businesses to provide notice to affected persons and the Consumer Protection Division (Division) of the Attorney General’s Office within 30 days of any security breach or reasonable belief that a security breach has occurred (previously only required notification of a security breach to the consumer);”
  • establishes a time frame for the required notice to within five days (was, without unreasonable delay) once law enforcement has communicated to the business its determination that notice will no longer impede the investigation or jeopardize national or homeland security;
  • requires a “consumer reporting agency to offer identity theft prevention and mitigation services at no cost for at least 48 hours following notice to the affected person or if the person is subject of a security breach, so long as the person’s personal information was held by a consumer reporting agency. In cases where social security numbers are included in the security breach, requires the business to offer credit monitoring services at no cost to specified persons for a period of no less than 24 months through a third party contract;”
  • prohibits any person from obtaining, using, or seeking the consumer report or credit score of a consumer in connection with an application for credit without written, verbal, or electronic consent of the consumer;
  • establishes a “right for consumer to request from credit reporting agencies all information maintained on the consumer, the source of the information maintained, and a list of any person or enemy that information was disclosed to. Makes violations punishable under existing state law”;
  • establishes the offense of identity theft.


More on H.B. 904 is available at…


For more information on how these privacy rules may impact your business, contact Francesca Giannoni-Crystal. Thanks to Federica Romanelli


Originally published on Technethis on May 2019

Leave a Reply

Your email address will not be published. Required fields are marked *