
Proposed Changes To NC Identity Theft Protection Act

What Do Businesses Need To Know?


The year was 2005. The iPhone was still two years away. Facebook was still a niche product. Tweeting was a birds-only activity. And North Carolina was one of the first states in the union to enact a data breach notification statute. The North Carolina Identity Theft Protection Act (ITPA) imposes data protection obligations that have now become standard in most states’ data breach notification statutes.

ITPA mandates that businesses safeguard the personal information of their customers and clients. “Publishing” or failing to safeguard the personally identifiable information (PII) of North Carolina residents could potentially violate the state’s Unfair and Deceptive Trade Practices Act. The violator would be liable for heavy damages and attorneys’ fees. The North Carolina Attorney General was also given separate ITPA enforcement powers.

Among other provisions, ITPA requires that businesses:

  • Protect social security numbers;
  • Dispose of records in a manner that protects sensitive information;
  • Institute policies to protect data, including employee training; and
  • Notify affected North Carolina residents in the event of a data breach.

In the years following ITPA’s enactment, virtually all states have passed similar legislation. For its part, the North Carolina General Assembly seemed content to allow the ITPA to remain unchanged. That state of affairs may be coming to an end.

Following a series of high-profile breaches in 2017, state lawmakers have signaled an inclination to take a tougher stance in the bipartisan Act to Strengthen Identity Theft Practices (ASITP). If ASITP becomes law, North Carolina will have some of the most stringent data protection laws in the nation.

ASITP stemmed from some alarming statistics contained in the Attorney General’s annual report. Attorney General Josh Stein noted that in 2017:

  • 1,022 data breaches affected 5.3 million state residents;
  • Hacking accounted for half of those breaches, a proportion that had doubled in five years;
  • The reports of hacking had increased by more than 3,500 percent; and
  • Phishing scams had also increased.

In light of these figures, ASITP sponsor Rep. Jason Saine stressed the need to provide consumers with timely information and the tools to protect themselves. To this end, ASITP proposes two additional requirements.

First, ASITP requires speedier notification to affected residents and regulators. ITPA’s only requirement is that notification be made without “unreasonable delay.” ASITP, however, would require notification within 15 days of discovery of the breach.

While 15 days may seem ample, affected businesses will find it to be aggressive. Discovery of the breach, which starts the clock, is only the first step in the breach response process. In order to provide a fully informed notification, the affected business will need to investigate the nature and extent of the incident. It should also consult with legal counsel regarding its obligations and potential exposure. It will have to retain experts and notification/remediation services (through counsel if possible, so as to protect legal privilege). Depending on available coverage, it may have insurer-related obligations as well.

Given the complex nature and large number of tasks to be undertaken in the wake of a breach, a 15-day notice period could prove to be a very tight window. It is particularly tight for businesses that have not adequately prepared for a breach. At a minimum, businesses should have anticipated the possibility of a data breach and drawn up contingency plans. Full incident response plans are even better. And ideally, those incident response plans should have been periodically tested in so-called “table top” exercises.

Second, ASITP specifies that a breached business that failed to maintain “reasonable security procedures” will be deemed to have violated the Unfair and Deceptive Trade Practices Act. Moreover, each person affected by the breach would constitute a separate and distinct violation of the Act. Note that “reasonable security procedures,” like beauty, are often in the eye of the beholder. This is another reason why data security policies and contingency planning, preferably with the assistance of counsel, should be adopted and undertaken before the business experiences a breach. Being able to point to adequate and up-to-date security policies and planning will be helpful in showing that the business maintained “reasonable security practices.”

Given ASITP’s aggressive timetables and significant potential penalties, businesses should regularly review their security practices and procedures to mitigate legal and technical risk to the maximum extent possible. This is indeed an area where an ounce of prevention will be worth a pound of cure.

Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or Mike may be reached at 919.783.2851 or
