Modifies and adds to Article 2A, Identity Theft Protection Act, of GS Chapter 75.
Amends the definition of security breach set forth in GS 75-61 to define the term to include any incident of unauthorized access to or acquisition of (was, access to and acquisition of) unencrypted and unreacted records or data containing personal information where illegal use of the personal information has occurred or is likely to occur or that creates a material risk of harm to the customer, or of encrypted records or data containing personal information along with the confidential process or key. Adds a new requirements that any determination that illegal use has not occurred or is not reasonably likely to occur or that no material risk of harm is created must be documented and maintained for at least three years.
Amends GS 75-63 regarding the option for a consumer to elect to place a security freeze on the consumer's credit report by request to a consumer reporting agency. Now provides for request by secure internet website (previously did not specify internet) or secure email connection. Requires a nationwide consumer reporting agency which receives a security freeze request to provide the consumer with the option of having the freeze implemented by all consumer reporting agencies that assembly or evaluate information about consumers in the State (previously required the agency to provide a notice that the freeze is limited to that agency). Changes a federal statutory reference. Now requires consumer reporting agencies which assemble or evaluate information about consumers in the State to create and maintain a shared website and toll-free number for consumers to request a security freeze, which request is considered to have been made to all consumer reporting agencies. Makes it the duty of a requested agency to notify all other consumer reporting agencies of that request within three days of receipt. Notification by any method triggers compliance with the statute. Makes conforming changes.
Amends GS 75-63.1 to now prohibit any consumer reporting agency from charging a fee for the placement or removal of a protected consumer security fee (previously allowed a fee of up to $5 for certain requests). Makes conforming changes to GS 65-63 (previously provided for a fee of up to $3 for telephone or mail requests).
Amends GS 75-65 concerning protection from security breaches. Now requires any business that owns or licenses personal information of residents or any business that conducts business in the State that owe or licenses personal information in any form to implement and maintain reasonable security measures and practices, and provide notice to affected persons and the Consumer Protection Division (Division) of the Attorney General's Office within 30 days of any security breach or reasonable belief that a security breach has occurred (previously only required notification of a security breach to the consumer). Allows the Division to request certain documentation. Makes organizational changes. Excludes from personal information electronic identification number or email names or addresses unless it includes any required security code, access code, or password that would allow access to an individual's financial account, and passwords unless the business if aware that the information would permit access to a person's financial account or resources or other personal information (previously did not require business knowledge in the qualification). Establishes a time frame for the required notice to within five days (was, without unreasonable delay) once law enforcement has communicated to the business its determination that notice will no longer impede the investigation or jeopardize national or homeland security, Makes further technical and clarifying changes, if applicable. Adds to the criteria for notify to be provided to affected persons electronically, that the business must regularly conduct business with the affected person electronically. Establishes that any person or agency subject to and in compliance with HIPAA (federal law, Health Insurance Portability and Accountability Act) if deemed to be in compliance with the statute. Provide that notice under HIPAA is sufficient notice under the statute. Requires a consumer reporting agency to offer identity theft prevention and mitigation services at no cost for at least 48 hours following notice to the affected person or if the person is subject of a security breach, so long as the person's personal information was held by a consumer reporting agency. In cases where social security numbers are included in the security breach, requires the business to offer credit monitoring services at no cost to specified persons for a period of no less than 24 months through a third party contract. Prohibits a consumer reporting agency from knowingly offering a paid product to prevent unauthorized access or restricting access to a consumer's credit, unless the agency notifies the consumer and provides information on how to request a security freeze.
Amends GS 75-66 regarding the publication of personal information. Deletes the definition of personal information from the statute. Instead, provides information that is excluded from the term, mirroring the exclusions set out in GS 75-65, as amended.
Enacts GS 75-67 to prohibit any person from obtaining, using, or seeking the consumer report or credit score of a consumer in connection with an application for credit without written, verbal, or electronic consent of the consumer, as appropriate depending on the method of the application for credit.
Enacts GS 75-68 to establish a right for consumer to request from credit reporting agencies all information maintained on the consumer, the source of the information maintained, and a list of any person or enemy that information was disclosed to. Makes violations punishable under existing state law, GS 75-1.1 (unfair methods of competition and deceptive trade practice; civil penalties set forth in GS 75-15.2).
Enacts GS 75-69 to provide that federal law governs in cases of conflict with the Article.
Amends GS 14-113.20, which establishes the offense of identity theft (punishable as a Class F or G felony), to modify the definition of identifying information to include health insurance policy numbers, subscriber identification numbers or any other unique identifiers used by health insurers or payers to identify a person, and any information regarding the individual's medical history or condition, medical treatment or diagnosis, or genetic information by a health care professional; removes internet account numbers from the definition.
Status: Ref to the Com on Commerce, if favorable, Rules, Calendar, and Operations of the House (House action) (Apr 22 2019)
Bill H 904 (2019-2020)Summary date: Apr 22 2019 - More information