AN ACT to provide additional protections for protected health information and government employee personnel information.

Whereas, people throughout North Carolina provide sensitive health information to their doctors, hospitals, and other health care providers, and they often provide sensitive health information as part of key government programs like Medicare and Medicaid; and

Whereas, federal, State, and local government employees are frequently required to provide sensitive personal information to the government as part of their hiring and employment, and this sensitive information is entrusted to the government to care for in accordance with strict procedures; and

Whereas, unauthorized copying of these sensitive forms of data can lead to lasting injury to those affected; and

Whereas, North Carolina's Computer Trespass offense criminalizes unauthorized copying of computer data but lacks an automatic minimum amount of damages for misappropriation of protected health information or government personnel files; Now, therefore,

The General Assembly of North Carolina enacts:

SECTION 1.  G.S. 14‑458 reads as rewritten:

§ 14‑458.  Computer trespass; penalty.

(a)        Except as otherwise made unlawful by this Article, it shall be unlawful for any person to use a computer or computer network without authority and with the intent to do any of the following:

(1)        Temporarily or permanently remove, halt, or otherwise disable any computer data, computer programs, or computer software from a computer or computer network.

(2)        Cause a computer to malfunction, regardless of how long the malfunction persists.

(3)        Alter or erase any computer data, computer programs, or computer software.

(4)        Cause physical injury to the property of another.

(5)        Make or cause to be made an unauthorized copy, in any form, including, but not limited to, any printed or electronic form of computer data, computer programs, or computer software residing in, communicated by, or produced by a computer or computer network.

(6)        Falsely identify with the intent to deceive or defraud the recipient or forge commercial electronic mail transmission information or other routing information in any manner in connection with the transmission of unsolicited bulk commercial electronic mail through or into the computer network of an electronic mail service provider or its subscribers.

For purposes of this subsection, a person is without authority when (i) the person has no right or permission of the owner to use a computer, or the person uses a computer in a manner exceeding the right or permission, or (ii) the person uses a computer or computer network, or the computer services of an electronic mail service provider to transmit unsolicited bulk commercial electronic mail in contravention of the authority granted by or in violation of the policies set by the electronic mail service provider.provider, or (iii) in the case of computer data that is in a personnel file of a local, State, or federal government employee, the person has no authority under local, State, or federal law to view or otherwise access that information or has willfully failed to follow the requirements of the local, State, or federal law granting such authority. For purposes of this subsection, the term personnel file is as defined in G.S. 1‑539.2A.

(b)        Any person who violates this section shall be guilty of computer trespass, which offense shall be punishable as a Class 3 misdemeanor. If there is damage to the property of another and the damage is valued at less than two thousand five hundred dollars ($2,500) caused by the person's act in violation of this section, the offense shall be punished as a Class 1 misdemeanor. If there is damage to the property of another valued at two thousand five hundred dollars ($2,500) or more caused by the person's act in violation of this section, the offense shall be punished as a Class I felony.

(c)        Any person whose property or person is injured by reason of a violation of this section may sue for and recover any damages sustained and the costs of the suit pursuant to G.S. 1‑539.2A.

(d)       It is not a violation of this section for a person to act pursuant to Chapter 36F of the General Statutes.

SECTION 2.  G.S. 1‑539.2A reads as rewritten:

§ 1‑539.2A.  Damages for computer trespass.

(a)        Any person whose property or person is injured by reason of a violation of G.S. 14‑458 may sue for and recover any damages sustained and the costs of the suit. Without limiting the general of the term, damages shall include loss of profits. If the injury arises from the transmission of unsolicited bulk commercial electronic mail, the injured person, other than an electronic mail service provider, may also recover attorneys' fees and may elect, in lieu of actual damages, to recover the lesser of ten dollars ($10.00) for each and every unsolicited bulk commercial electronic mail message transmitted in violation of this section, or twenty‑five thousand dollars ($25,000) per day. The injured person shall not have a cause of action against the electronic mail service provider which merely transmits the unsolicited bulk commercial electronic mail over its computer network. If the injury arises from the transmission of unsolicited bulk commercial electronic mail, an injured electronic mail service provider may also recover attorneys' fees and costs and may elect, in lieu of actual damages, to recover the greater of ten dollars ($10.00) for each and every unsolicited bulk commercial electronic mail message transmitted in violation of this section, or twenty‑five thousand dollars ($25,000) per day.

(a1)      If the injury arises from a violation of G.S. 14‑458 involving trespass to computer data that is protected health information, the injured person may sue and recover for each violation the greater of the damages sustained or five thousand dollars ($5,000) and the costs of the suit.

(a2)      If the injury arises from a violation of G.S. 14‑458 involving trespass to computer data that is in the personnel file of a local, State, or federal employee, the injured person may sue and recover for each violation the greater of the damages sustained or five thousand dollars ($5,000) and the costs of the suit.

(b)        A civil action under this section shall be commenced before expiration of the time period prescribed in G.S. 1‑54. In actions alleging injury arising from the transmission of unsolicited bulk commercial electronic mail, personal jurisdiction may be exercised pursuant to G.S. 1‑75.4.

(c)        The following definitions apply in this section:

(1)        Damages. – Includes loss of profits.

(2)        Personnel file. – Any employment‑related or personal information gathered by an employer about its employee. Employment‑related information includes information related to an individual's application, selection, promotion, demotion, transfer, leave, salary, contract for employment, benefits, suspension, performance evaluation, disciplinary actions, and termination. Personal information includes an individual's home address, social security number, medical history, personal financial data, marital status, dependents, and beneficiaries.

(3)        Protected health information. – As defined in 45 C.F.R. § 160.103.

SECTION 3.  This act becomes effective July 1, 2025, and applies to offenses committed on or after that date.