Although almost all the states have some form of breach notification law, the legislative process regarding breach notification has not reached an end. Some states are changing their breach notification laws in an effort to enhance their protections. Last July, North Carolina enacted S.B. 1017, which amends the state’s breach notification law. N.C. Gen. Stat. § 75-65. Click here for a copy of S.B. 1017.
The amendments change the nature of the breach notification by requiring that the notification include a description of the incident, the type of information involved, and steps taken to prevent further unauthorized access. The new law also includes a requirement for providing contact information for consumer reporting atancies, the Federal Trade Commission, and the North Carolina Attorney General’s office to allow those affected to obtain more information about identity theft. Id. § 75-65(d).
S.B. 1017 also added a requirement to notify the Consumer Protection Division of the Attorney General’s office in the event of a breach. The law had a provision requiring notification to the A.G. of the content of a breach notice, if notice went out to more than 1,000 people. The new section of the statute has no lower limit on the number of people affected; a notification must go to the A.G.’s office regardless of how few people are affected. The notice must inculde the nature of the breach, the number of consumers affected, investigative steps taken, prevention of future breaches, and information about the notice sent. Id. § 75-65(e1).