Security Breach Information
Security Breach: Your Requirements
The Identity Theft Protection Act requires businesses and state and local government to notify people when there is a security breach involving their personal identifying information. As of July 2019, over 6,500 breaches have been reported impacting over 16 million North Carolina consumers.
What is a Security Breach?
A “security breach” is defined as the unauthorized release of unencrypted or unredacted records or data containing personal information with corresponding names, such as a person’s first initial and last name. The acquisition of encrypted data only is a breach if a confidential process or key needed to unlock the data is also breached.The authorized access of personal information by an employee or agent is not considered a security breach so long as the information is used for a lawful purpose.
Personal information includes: an individual’s Social Security number (SSN), employer taxpayer identification number (TIN), driver’s license or state identification number, passport number, checking/saving account number, credit/debit card number, PIN, digital signature, biometric data, fingerprints or any number that can be used to access his financial resources. An individual’s email name or address, Internet account number, Internet username or password may be considered a breach if it would permit someone to access financial accounts or resources. Personal information does not include directories available to the public.
Who Must Notify?
A business, state or local government agency that owns or licenses records or data with personal information that has been subject to a security breach must notify. A business includes sole proprietorships, partnerships, corporations, associations, charities or any group, however organized. The business must be (1) located in North Carolina or (2) own/license the personal information (in any form) of North Carolina residents. Businesses that keep records/data with the personal information of North Carolina residents on behalf of another company must notify the owner or licensee of a security breach.
Once your business or agency discovers a security breach, you must notify the people affected. The notice must be clear and conspicuous and given without unreasonable delay. Notice can only be delayed at the request of law enforcement if it would harm a criminal investigation or national security.
The Notice Must Include:
- General description of the security breach incident;
- Type of personal information breached;
- General description of your efforts to avoid further unauthorized access to personal information;
- Telephone number where people can call for more information and assistance, if one exists; and
- Advice for people who are affected.
How To Send the Notice
The notice can be mailed, emailed if you have a valid email address and they’ve agreed to receive communications electronically, or given via telephone directly to the affected person. Substitute notice may be given if (1) the cost of providing the notice exceeds $250,000; (2) the number of affected persons is greater than 500,000; or (3) your agency or business does not have the contact information to notify the person in another way. Substitute notice must include posting a notice on your website, emailing affected persons and notifying major statewide media.
Businesses and state and local government agencies must also report security breaches to the Attorney General’s Consumer Protection Division, as well as to the three major consumer reporting agencies.