North Carolina does not have a data encryption law per se; instead, it has a personal data breach notification law that gives safe harbor to people who use encryption to protect personal data. Warning: I'm not a lawyer--the following is strictly what I've taken from the various state laws found on-line.
North Carolina does not have a data encryption law per se; instead, it has a personal data breach notification law that gives safe harbor to people who use encryption to protect personal data.
Warning: I'm not a lawyer--the following is strictly what I've taken from the various state laws found on-line.
The Identity Theft Protection Act gives places a lot of emphasis on the protection of Social Security numbers, meriting its own section, "§ 75-62: Social security number protection." Under this section, a company is forbidden from making SSNs public; printing them on anything (exceptions do apply); transmitting them without first using encryption on them; or (obviously) selling them, plus a host of other restrictions. Also, under "§ 75-65: Protection from security breaches," a business is instructed to notify anyone of a data breach--regardless of its format (computerized, paper, or otherwise).
The Identity Theft Protection Act gives places a lot of emphasis on the protection of Social Security numbers, meriting its own section, "§ 75-62: Social security number protection." Under this section, a company is forbidden from making SSNs public; printing them on anything (exceptions do apply); transmitting them without first using encryption on them; or (obviously) selling them, plus a host of other restrictions.
Also, under "§ 75-65: Protection from security breaches," a business is instructed to notify anyone of a data breach--regardless of its format (computerized, paper, or otherwise).
Unlike most states, N.C. does point out what to include in a data breach letter. Under § 75-65(d): A description of the data breach incident in general terms The type of personal information that was breached What the affected business is doing to prevent similar future incidents A telephone number so that clients can call for more information, if one's available Advice for people to review their account statements and monitor their credit
Unlike most states, N.C. does point out what to include in a data breach letter. Under § 75-65(d):
There are several options, depending on availability. Written notice Electronic notice (valid e-mail addresses and permission to be contacted must be in place) Via telephone, assuming phone numbers are available (and the affected person is talked to directly. Can't leave a message with a roommate or family member, I take it to mean) Substitute notice. Only if the cost of notifying people exceeds $250,000 or there's more than 500,000 people to contact, or the business just doesn't have the contact information for all involved (notification to statewide media, e.g.) There is one additional condition. If more than 1,000 North Carolina residents were affected, the Consumer Protection Division of the Attorney General's Office and all consumer reporting agencies (Equivax et al.) must be notified as well.
There are several options, depending on availability.
There is one additional condition. If more than 1,000 North Carolina residents were affected, the Consumer Protection Division of the Attorney General's Office and all consumer reporting agencies (Equivax et al.) must be notified as well.
Under "§ 1 539.2C. Damages for identity," it is stated that: Any person whose property or person is injured may sue for civil damages of up to $5,000 but not less than $500 for each incident OR three times the actual damages, whichever is greater. [my emphasis] Of course, there's more (much more) on what you have to do when you've had a breach, so make sure you consult with your legal reps. And maybe looking into getting any identity information protected with encryption software, such as AlertBoot.
Under "§ 1 539.2C. Damages for identity," it is stated that:
Any person whose property or person is injured may sue for civil damages of up to $5,000 but not less than $500 for each incident OR three times the actual damages, whichever is greater. [my emphasis]
Of course, there's more (much more) on what you have to do when you've had a breach, so make sure you consult with your legal reps. And maybe looking into getting any identity information protected with encryption software, such as AlertBoot.
Related Articles and Sites:http://www.ncga.state.nc.us/Sessions/2005/Bills/Senate/HTML/S1048v6.html