State AG Suggests Tougher Data Breach Notification Laws in North Carolina

January 23, 2019


After an upsurge in data breaches affecting North Carolina residents in 2017, state Attorney General Josh Stein and state Representative Jason Saine introduced a bill to update North Carolina's data breach notification rules and increase protections for state residents.

The bill, the Act to Strengthen Identity Theft Protections, was introduced in January 2018 and proposed changes to state law that would have made North Carolina's breach notification requirements among the strictest in the country. The January 2018 version of the bill proposed an expansion of the definition of a breach, changes to the definition of personal information, and a maximum of 15 days from the discovery of a breach to issue notifications to breach victims.

Attorney General Stein and Rep. Saine unveiled a revised version of the bill on January 17, 2019. While some of the proposed changes have been scaled back, new requirements have also been introduced to enhance protections for state residents.

The updated bill coincides with the release of the state's annual security breach report for 2018. The report shows there were 1,057 data breaches affecting state residents in 2018. Those breaches impacted 1.9 million state residents. While there was a 63% reduction in the number of people affected by data breaches compared to 2017, the number of breaches increased 3.4% year over year.

The proposed update to the definition of a data breach is unchanged from the 2018 version of the bill and describes a breach as “Any incident of illegal access to or acquisition of somebody’s private information that may harm the person.” This broadens the definition to cover ransomware attacks.

Ransomware is typically used only to extort money from victims. However, in recent months there has been a growing trend of bundling ransomware with other malware such as information stealers, making data theft more likely. Regardless of the nature of the ransomware attack, the bill requires notifications to be issued so that state residents can make an informed decision about the actions they need to take to reduce the risk of harm.

The bill also requires businesses that own or license personal information to implement and maintain reasonable security procedures and practices appropriate to the nature of the information collected and maintained. Of note to HIPAA-covered entities, the definition of personal information has been expanded to include medical information, genetic information, and insurance account numbers.

The 2018 version of the bill called for breach notifications to be issued within 15 days of the discovery of a breach. The latest version extends the deadline for issuing notifications to 30 days from the discovery of a breach.

Any business that suffers a data breach and is found to have failed to implement appropriate security measures, or that fails to issue notifications within the 30-day limit, will be in violation of the Unfair and Deceptive Trade Practices Act and may be issued a civil monetary penalty.

If the law is passed, state residents will be able to place a credit freeze on their credit reports free of charge. Credit bureaus will be required to put in place “A simple, one-stop shop for freezing and unfreezing credit reports across all main consumer reporting organizations, without the person having to take any additional action.”

Businesses operating in North Carolina will be required to provide breach victims with two years of free credit monitoring services in the event of a breach involving Social Security numbers, and four years of free credit monitoring services for breaches at credit bureaus.

Any business that wants to access or use a person's credit report or credit score will be required to obtain the person's consent in advance and must explain why access to the information is needed. State residents will also have the right to request from a consumer reporting agency a list of all information the agency maintains about them, including credit and non-credit related information, and a list of all entities to which that information has been disclosed.