North Carolina is in the club
From North Carolina’s breach notification law, which took effect on December 1, 2005:
(f) In the event a business provides notice to more than 1,000 persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Attorney General’s Office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice.
Emphasis added
I have repeatedly said that this sort of central notice is a good idea. I have also repeatedly said that only New York (and later, Maine) required it. I am very happy to stand corrected.
The way I learned of my error illustrates the cooperation among folks interested in this stuff — Beth Givens of privacyrights.org alerted the dataloss folks to a breach that they hadn’t recorded. This was reported to the dataloss mailing list, where I read it. In the referenced article [link to http://www.fayettevillenc.com/article?id=235733 no longer works] was information about the reporting requirement.
For further clarification, does the NC statute require 1,000 people notified (generally) or 1,000 residents of NC who’s information may have been compromised? I did check with Mr. Google but could not get this point clarified. If anyone can assist me, please let me know.
Regards,
v