Tuesday, January 22, 2019

The (Revised) Proposal to "Strengthen North Carolina Identity Theft Protection Act"

North Carolina's Attorney General, Josh Stein, and Representative Jason Saine have unveiled a revised proposal for amending the state's existing Identity Theft Protection Act.  Recall that one year ago, Stein and Saine introduced a summary of proposed legislation (sometimes erroneously called a "fact sheet") outlining their plans for bipartisan legislation to tighten privacy and data security protections for North Carolinian.  In this post, I will attempt to describe the 2019 proposal and highlight differences from the 2018 proposal.
 
Concerns with the 2018 proposal
 
In many of my privacy and data security law presentations during 2018, I expressed my view that some elements of the proposal were reasonable and advisable improvements to the statute, and I also described a couple of my concerns with the proposal:
 

1.  First, the 2018 version of the Act to Strengthen Identity Theft Protections would have created the shortest breach reporting timeframe in the entire United States--only 15 days--giving organizations only half the time to respond to a breach as the next shortest timeframe.  Having assisted some of North Carolina's largest and smallest organizations in post-incident response, I thought that was unrealistically aggressive (although I'm sure well-intentioned).  Several states did, in fact, adopt or revise reporting deadlines in 2018, but none were close to the 15 days in the Stein-Saine proposal, for example:
  • 30 days: Colorado; 
  • 45 days: Alabama, Arizona, Maryland, Oregon; and
  • 60 days: Delaware, Louisiana, South Dakota.

2.  Second, the 2018 proposal would have included ransomware in the definition of "breach" even if no personal information was divulged (i.e., "exfiltrated").  Notifying individuals of an incident in which their data has not been exposed, and for which they probably cannot really take any pro-active or remedial actions, seems pointless, would likely generate fear disproportionate to the risk of harm, and creates a significant and unnecessary expense for the entity that has been attacked. In other words, I think there are good reasons why other states do not include ransomware attacks within the scope of a reportable breach.



What's new in the 2019 proposal
 
In the 2019 version of the proposal, one of these concerns has been addressed.  Let's take a look at how the 2019 proposal differs from the 2018 proposal:
 
  • In the 2018 proposal, the Attorney General's office would "determine the risk of harm" to consumers. In the 2019 proposal, the organization makes the initial determination, and "if the breached entity determines that no one was harmed, it must document that determination for the Attorney General’s office to review."
  • There were no changes to the security obligation. Both proposals impose a duty on a "business that owns or licenses personal information to implement and maintain reasonable security procedures and practices – appropriate to the nature of personal information – to protect the personal information from a security breach. "
  • There were no changes to the proposed expansion of "personal information." In both proposals, the scope would be expanded to include medical information and insurance account numbers. (The interaction with HIPAA was not addressed specifically.)
  • The 15 day reporting timeframe in the 2018 proposal has been changed to a 30 day timeframe in the 2019 proposal, which is much more consistent with the approach of other states.
  • Under both proposals, consumers will be able to place and lift a credit freeze on their credit report at any time, for free, and credit reporting agencies will also be required to cooperate to establish a simple method so that consumers need not repeat the process with each CRA. (If this sounds familiar, it is because this is how credit fraud alerts already work. Credit fraud alerts are creatures of federal law, and credit freezes arise from state law, and therefore vary from state to state.)
  • Under the 2018 proposal, consumers affected by a breach would have access to three free credit reports from each national consumer reporting agency, but that provision was dropped from the 2019 version of the proposal.
  • Under the 2018 proposal, if a consumer reporting agency is breached, it will be obligated to provide five years of free credit monitoring; under the 2019 version, the CRA would provide monitoring for four years.
  • Under the 2019 version, if any organization is breached, it must provide two years of free credit monitoring to each affected consumer. There was no similar provision in the 2018 proposal (except for CRAs).
  • Under the 2019 version, a failure to report a breach will be a violation of the NC Unfair and Deceptive Trade Practices Act. (The 2018 version specified that each affected consumer would support a separate violation; the 2019 version omits that statement.) Frankly, I am not sure that this would actually be a change from the current law; it may be a mere attempt to codify the status quo.
  • Both proposals say that a company will need a person's permission before obtaining or using a person’s credit report or credit score, and must disclose the reason for the request. (This is already a requirement under federal law, so I do not foresee much impact from this provision.)
  • Finally, both proposals would give NC residents the right to obtain from any CRA "the information maintained on him or herself (both credit related and non-credit related information), its source, and a list of any person or entity to which it was disclosed."

 

 The 2018 proposal never made it to a vote in the North Carolina General Assembly, and I cannot predict whether the new proposal will be adopted in the 2019-2020 session, but it is clear that the Attorney General intends to focus on privacy and data security, through legislation and enforcement actions, during the coming year.

 
 
 
 
 
 









Wednesday, January 2, 2019

Business North Carolina has released the 2019 "Legal Elite"

The start of a new year brings many opportunities to improve ourselves, but it is also a time to reflect on the accomplishments of the prior year. Each January, Business North Carolina releases the results of its annual survey of lawyers. The survey asks one simple question: "Of the Tar Heel lawyers whose work you have observed firsthand, whom would you rate among the current best in these categories?"

(Lawyers are never allowed to vote for themselves.) This year, I was included among the 22 honorees in the "Corporate" law category, along with some incredibly talented and accomplished lawyers.  I want to thank all of the lawyers across the state who took the time to vote.  Your confidence is humbling (and inspires me to be a better lawyer to meet your estimation!).

[I was also included in the "Young Guns" category again this year, and I'm delighted that some people still consider me young!] 

I hope each of you find meaning and purpose in your work in 2019 and that your efforts are rewarded with great success!


Thursday, December 13, 2018

Lawyers Weekly Covers New NC Bar Specialization


The legal magazine NC Lawyers Weekly has published a great piece about our new Privacy & Data Security Specialty Certification in North Carolina: https://nclawyersweekly.com/2018/12/13/nc-bar-first-in-country-to-offer-privacy-law-certification/ (Thanks to Bill Cresenzo and David Donovan for this excellent coverage.)

Monday, November 19, 2018

The North Carolina State Bar Becomes the First State Bar in the Nation to Certify Privacy and Data Security Law Specialists

Image of stamp bearing the word "Certified"

Today we accomplished something unprecedented, as North Carolina's legal community continues to demonstrate foresight and leadership in the profession.  After almost two years of work, the North Carolina State Bar has recognized ten (10) individuals as Certified Specialists in Privacy and Data Security Law.  The North Carolina State Bar is the first in the United States to certify specialists in this emerging area of law, making these individuals the nation's first state bar certified specialists in the field.  Please join me in congratulating these worthy--and now certified--professionals:
  • Tara Cho of Wyrick Robbins
  • Erin Illman of Bradley Arant Boult & Cummings
  • Alex Pearce of Ellis & Winters
  • Steve Snyder of Bradley Arant Boult & Cummings
  • Karin McGinnis of Moore & Van Allen
  • Elizabeth Spainhour of Brooks Pierce
  • Nathan Standley of Allen & Pinnix
  • Marshall Wall of Cranfill Sumner and Hartzog

Each of them will be publicly recognized at the NC State Bar Specialization Annual Meeting in April 2019.

This milestone was not achieved easily or by accident; it is the product of pioneering work by a number of dedicated individuals over a period of almost two years.  I want to publicly extend a very sincere thanks to the members of the NC State Bar Privacy and Data Security Specialization Committee: 
  • Elizabeth Johnson (Vice-Chair) of Wyrick Robbins
  • Elizabeth Spainhour of Brooks Pierce
  • Karin McGinnis of Moore & Van Allen
  • Nathan Standley of Allen & Pinnix
  • Marshall Wall of Cranfill, Sumner and Hartzog
  • Clark Walton of Reliance Forensics and Alexander Ricks
  • Alicia Gilleskie of Duke University/Duke Health

I appreciate each of them for believing in this concept, contributing their considerable intellects, and dedicating significant time to the effort. 

I also want to thank Alice Neece Mine, Denise Mullen, Brian Oten, and Lanice Heidbrink at the North Carolina State Bar for their tireless work on this project.  When I first discussed the concept with Alice and Denise in the summer of 2016, no bar in the nation had ever contemplated the idea, and it took vision for them to see the potential. 

Shortly after we embarked on this effort in North Carolina, the American Bar Association also recognized the need for a specialization in privacy and data security law, and the ABA was able to move more quickly than we were.  As best I can tell, Alex Pearce of Ellis and Winters (formerly the chief privacy counsel at SAS), Patrick Brown of Lawyers Mutual Insurance, and I are the only three ABA-certified lawyers in North Carolina, and Alex and I are currently the only lawyers in the nation who are certified by both state and national bodies. I expect more to join our ranks soon as lawyers and bars across the nation continue to recognize this unique practice area.

You can learn more about the Privacy and Data Security Law Specialization Certification process here, here, and here.  You can read about the ABA/IAPP specialization here, and about tests that both state and national bodies rely upon, in part, from the International Association of Privacy Professionals here and here.