S733: Identity Theft Protection Act/Changes. Latest Version

Session: 2023 - 2024

Senate
Passed 1st Reading
Rules


AN ACT amending the identity theft protection act.



The General Assembly of North Carolina enacts:



SECTION 1.  G.S. 75‑61(14) reads as rewritten:



(14)    Security breach. – An incident of unauthorized access to and or acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. Any incident of unauthorized access to and or acquisition of encrypted records or data containing personal information along with the confidential process or key shall constitute a security breach. Good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose is not a security breach, provided that the personal information is not used for a purpose other than a lawful purpose of the business and is not subject to further unauthorized disclosure. Any determination that illegal use has not occurred or is not reasonably likely to occur or that no material risk of harm is created shall be documented and maintained for at least three years.



SECTION 2.  G.S. 75‑65 reads as rewritten:



§ 75‑65.  Protection from security breaches.



(a)        Any business that owns or licenses personal information of residents of North Carolina or any business that conducts business in North Carolina that owns or licenses personal information in any form (whether computerized, paper, or otherwise) shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of this section, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. For the purposes of this section, personal information shall not include electronic identification numbers, electronic mail names or addresses, Internet account numbers, Internet identification names, parent's legal surname prior to marriage, or a password unless this information would permit access to a person's financial account or resources.

do all of the following:



(1)        Implement and maintain reasonable security procedures and practices, appropriate to the nature of the personal information and the size, complexity, and capabilities of the business, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.



(2)        Provide notice to all persons affected by a security breach as soon as practicable, but not later than 45 days after discovery of the breach or reason to believe a breach has occurred in accordance with this section.



(3)        Provide notice to the Consumer Protection Division of the Attorney General's Office that there has been a security breach as soon as practicable, but not later than 45 days after discovery of the breach or reason to believe a breach has occurred. The Consumer Protection Division may request any of the following information:



a.         A description of the policies in place regarding breaches.



b.         Steps taken to rectify the breach.



c.         A copy of the police report, if relevant.



d.         A summary of the incident report.



e.         A summary of the computer forensics report, if a forensic examination was undertaken.



f.          All information prescribed under subsections (e) and (e1) of this section.



The business shall provide notification of a security breach in a manner consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section and consistent with any measures necessary to determine sufficient contact information, to determine the scope of the breach, and to restore the reasonable integrity, security, and confidentiality of the data system. The information provided to the Consumer Protection Division of the Attorney General's Office pursuant to subdivision (3) of this subsection is not a public record as defined in G.S. 132‑1.



For the purposes of this section, the term personal information does not include (i) electronic identification numbers or electronic mail names or addresses unless it includes any required security code, access code, or password that would allow access to an individual's financial account or resources or other personal information, as defined in this section, (ii) internet identification names, (iii) a parent's legal surname prior to marriage, or (iv) a password, unless the business is aware that this information would permit access to a person's financial account or resources or other personal information, as defined in this section.



(b)        Any business that maintains or possesses records or data containing personal information of residents of North Carolina that the business does not own or license, or any business that conducts business in North Carolina that maintains or possesses records or data containing personal information that the business does not own or license shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section.



(c)        The notice required by this section shall be delayed if a law enforcement agency informs the business that notification may impede a criminal investigation or jeopardize national or homeland security, provided that such request is made in writing or the business documents such request contemporaneously in writing, including the name of the law enforcement officer making the request and the officer's law enforcement agency engaged in the investigation. The notice required by this section shall be provided without unreasonable delay within five days after the law enforcement agency communicates to the business its determination that notice will no longer impede the investigation or jeopardize national or homeland security.



(d)       The notice shall be clear and conspicuous. The notice shall include all of the following:



(1)        A description of the incident in general terms.



(2)        A description of the type of personal information that was subject to the unauthorized access and acquisition.



(3)        A description of the general acts of the business to protect the personal information from further unauthorized access.



(4)        A telephone number for the business that the person may call for further information and assistance, if one exists.



(5)        Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.



(6)        The toll‑free numbers and addresses for the major consumer reporting agencies.



(7)        The toll‑free numbers, addresses, and Web site addresses for the Federal Trade Commission and the North Carolina Attorney General's Office, along with a statement that the individual can obtain information from these sources about preventing identity theft.



(e)        For purposes of this section, notice to affected persons may be provided by one of the following methods:



(1)        Written notice.



(2)        Electronic notice, for those persons for whom it has a valid e‑mail address and with whom it regularly conducts business electronically or who have agreed to receive communications electronically if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing set forth in 15 U.S.C. § 7001.



(3)        Telephonic notice provided that contact is made directly with the affected persons.



(4)        Substitute notice, if the business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000) or that the affected class of subject persons to be notified exceeds 500,000, or if the business does not have sufficient contact information or consent to satisfy subdivisions (1), (2), or (3) of this subsection, for only those affected persons without sufficient contact information or consent, or if the business is unable to identify particular affected persons, for only those unidentifiable affected persons. Substitute notice shall consist of all the following:



a.         E‑mail notice when the business has an electronic mail address for the subject persons.



b.         Conspicuous posting of the notice on the Web site page of the business, if one is maintained.



c.         Notification to major statewide media.



(e1)      In the event a business provides notice to an affected person pursuant to this section, the business shall notify without unreasonable delay the Consumer Protection Division of the Attorney General's Office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice.



(f)        In the event a business provides notice to more than 1,000 persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Attorney General's Office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice.



(g)        Any waiver of the provisions of this Article is contrary to public policy and is void and unenforceable.



(g1)      A person or agency that is subject to and in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), P.L. 104‑191, as amended and with regulations promulgated under that act, shall be deemed in compliance with this section. If notice of a security breach is provided to any affected person or agency pursuant to HIPAA, then notice shall also be provided to the Consumer Protection Division in the Office of the Attorney General.



(h)        A financial institution that is subject to and in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued on March 7, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision; or a credit union that is subject to and in compliance with the Final Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, issued on April 14, 2005, by the National Credit Union Administration; and any revisions, additions, or substitutions relating to any of the said interagency guidance, shall be deemed to be in compliance with this section.



(h1)      If a consumer receives notice under this section or is the subject of a security breach by a consumer reporting agency, and the consumer's personal information was held by a consumer reporting agency, then that consumer reporting agency shall offer to provide appropriate identity theft prevention and mitigation services such as credit monitoring at no cost to the consumer for not less than 24 months. The consumer reporting agency shall provide the consumer with information necessary to take advantage of the offer.



(h2)      If a business knows or has reason to know that said business experienced a security breach that requires notice under this section and the security breach includes a person's social security number, the business shall contract with a third party to offer to each person whose social security number was disclosed in the security breach, or is reasonably believed to have been disclosed in the security breach, credit monitoring services at no cost to the person for a period of not less than 24 months.



(h3)      A consumer reporting agency shall not knowingly offer a paid product to prevent unauthorized access or restrict access to a consumer's credit unless, at the time of the transaction, the consumer reporting agency (i) notifies the consumer of the availability of obtaining a security freeze without charge and (ii) provides information to the consumer on how to obtain a security freeze.



(i)         A violation of this section is a violation of G.S. 75‑1.1. No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation.



(j)         Causes of action arising under this Article may not be assigned.



SECTION 3.  G.S. 75‑66 reads as rewritten:



§ 75‑66.  Publication of personal information.



(a)        It shall be a violation of this section for any person to knowingly broadcast or publish to the public on radio, television, cable television, in a writing of any kind, or on the Internet, the personal information of another with actual knowledge that the person whose personal information is disclosed has previously objected to any such disclosure.



(b)        As used in this section, person means any individual, partnership, corporation, trust, estate, cooperative, association, or other entity, but does not include any:



(1)        Government, government subdivision or agency.



(2)        Entity subject to federal requirements pursuant to the Health Insurance Portability and Accountability Act (HIPAA).



(c)        As used in this section, the phrase personal information includes a person's first name or first initial and last name in combination with any of the following information:



(1)        Social security or employer taxpayer identification numbers.



(2)        Drivers license, State identification card, or passport numbers.



(3)        Checking account numbers.



(4)        Savings account numbers.



(5)        Credit card numbers.



(6)        Debit card numbers.



(7)        Personal Identification (PIN) Code as defined in G.S. 14‑113.8(6).



(8)        Digital signatures.



(9)        Any other numbers or information that can be used to access a person's financial resources.



(10)      Biometric data.



(11)      Fingerprints.



(12)      Passwords.



(c1)      For the purposes of this section, the phrase personal information does not include any of the following:



(1)        Electronic identification numbers or electronic mail names or addresses unless it includes any required security code, access code, or password that would allow access to an individual's financial account or resources or other personal information, as defined in G.S. 75‑61(10).



(2)        Internet identification names.



(3)        A parent's legal surname prior to marriage.



(4)        A password, unless the business is aware that this information would permit access to a person's financial account or resources or other personal information, as defined in G.S. 75‑61.



(d)       Nothing in this section shall:



(1)        Limit the requirements or obligations under any other section of this Article, including, but not limited to, G.S. 75‑62 and G.S. 75‑65.



(2)        Apply to the collection, use, or release of personal information for a purpose permitted, authorized, or required by any federal, State, or local law, regulation, or ordinance.



(3)        Apply to data integration efforts to implement the State's business intelligence strategy as provided by law or under contract.



(e)        Any person whose property or person is injured by reason of a violation of this section may sue for civil damages pursuant to the provisions of G.S. 1‑539.2C.



SECTION 4.  Article 2A of Chapter 75 of the General Statutes is amended by adding a new section to read:



§ 75‑67.  Consumer report consent.



A person shall not obtain, use, or seek the consumer report or credit score of a consumer in connection with an application for credit unless the user obtains the written, verbal, or electronic consent of the consumer, as appropriate to the manner in which the application for credit is made.



SECTION 5.  G.S. 14‑113.20(b) reads as rewritten:



(b)      The term identifying information as used in this Article includes the following:



(1)        Social security or employer taxpayer identification numbers.



(2)        Drivers license, State identification card, or passport numbers.



(3)        Checking account numbers.



(4)        Savings account numbers.



(5)        Credit card numbers.



(6)        Debit card numbers.



(7)        Personal Identification (PIN) Code as defined in G.S. 14‑113.8(6).



(8)        Electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names.



(9)        Digital signatures.



(10)      Any other numbers or information that can be used to access a person's financial resources.



(11)      Biometric data.



(12)      Fingerprints.



(13)      Passwords.



(14)      Parent's legal surname prior to marriage.



(15)      Health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer or payer to identify the person.



(16)      Any information regarding the individual's medical history or condition, medical treatment or diagnosis, or genetic information, by a health care professional.



SECTION 6.  This act is effective when it becomes law.