North Carolina Data Breach Law Amended . . .

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

North Carolina’s data breach notification law has been amended to add to the information that must be included in a breach notice.

Session Law 2009-355 (S.B. 1017) provides that breach notices must include the toll-free numbers and addresses for the major consumer reporting agencies and the toll-free numbers, addresses, and website addresses for the Federal Trade Commission and the North Carolina Attorney General’s Office. The notices must also include a statement that the notified persons can obtain information from these sources about preventing identity theft.

Businesses providing notice to consumers of data security breaches must also notify the Consumer Protection Division of the Attorney General’s Office of the nature of the breach, the number of affected consumers, steps taken to investigate the breach, steps taken to prevent a future breach, and information about the timing, distribution, and content of the notice.

The updated statute, which took effect October 1, 2009, will appear at CCH Privacy Law in Marketing ¶30,500.

. . . California Data Breach Amendment Sent to Governor

A bill that would require California security breach notifications to be written in plain language and to contain certain specified information was sent to Governor Arnold Schwarzenegger on September 11, 2009.

Senate Bill 20 would amend the state's data breach notification law to require notifications to include contact information regarding the breach, the types of information breached, and the date of the breach. The bill also would provide that a security breach notification may include other specified information, at the discretion of the entity issuing the notification.

Notice to Attorney General

Under the proposed amendments, any agency, person, or business required to provide a security breach notification under existing law to more than 500 California residents as a result of a single breach would have to submit a sample copy of the notification electronically to the Attorney General.

The bill also would amend the substitute notice provisions of California's security breach notification law to require that an entity providing substitute notice also provide notice to the Office of Privacy Protection within the State and Consumer Services Agency.

The current version of the statute appears at CCH Privacy Law in Marketing ¶30,500.