Retail giant TJX recently paid $9.75 million to settle an investigation into its handling of a data security breach. From 2005 to 2007, a ring of Ukrainian hackers stole more than 94 million consumer payment records from TJX’s computer system. Government officials claimed that TJX’s safeguards against identity theft and its policies for responding to the security breaches were inadequate.
North Carolina is one of more than 40 states that have a law requiring a business that maintains its customers’ personal information to follow specific procedures if there is a security breach. On July 27, 2009, Governor Perdue signed into law an even stricter version of this security breach statute. Businesses should carefully evaluate the risk of a security breach, safeguard their systems against one, take steps to mitigate the damage a breach causes, and consult legal counsel promptly if a breach occurs.
What is “personal information”? Under the North Carolina statute, personal information is a person’s name combined with any identifying number or other information that could be used to access the person’s financial resources. Examples of identifying information include Social Security numbers, driver’s license numbers, credit card numbers, and employer taxpayer identification numbers.
What is a “security breach”? A security breach occurs when a business stores its customers’ personal information and an unauthorized person accesses and acquires that information. The statute is directed at unencrypted (and unredacted) data: a lost or stolen device whose contents are properly encrypted, with the key or decryption process not also compromised, generally does not trigger the statute. The most commonly reported instance of a security breach in North Carolina is the theft of an unencrypted laptop containing customers’ personal information, which is exactly the case that device encryption would have kept out of the statute.
What steps must a company take in response to a security breach? Ultimately, the business may have to notify all affected individuals, the nationwide consumer reporting agencies, and the North Carolina Attorney General’s Office, and it must do so without unreasonable delay. The statute provides guidelines regarding the form and contents of the notice. Additionally, the statute provides a few exceptions to these requirements, such as an exemption for certain financial institutions subject to the Gramm-Leach-Bliley Act.
What is the penalty for failing to comply? If an individual in North Carolina is injured by a business’s failure to comply with the statute, the affected individual may sue the business for unfair trade practices under G.S. 75-1.1, which could entitle the individual to recover treble damages and attorney fees. Security breaches tend to affect large numbers of customers simultaneously, so a business that fails to comply with the statute could face a large number of lawsuits. Additionally, the North Carolina Attorney General can seek civil penalties against the business for its failure to comply with the statute.
What should your business do now? Businesses should review their electronic data security safeguards (including whether personal information on laptops and other portable devices is encrypted), draft a short written policy detailing the business’s response plan if a breach occurs, and appoint a person who is familiar with the statute and has consulted with legal counsel to be responsible for monitoring the safeguards and overseeing the policy.
If you would like to discuss these steps, or if you have any other questions about North Carolina’s security breach statute, please contact Steve Hunting or Will Cannon.
Stephen R. Hunting
William B. Cannon