North Carolina State AG Proposes Stricter Data Breach Notification Laws

North Caroline Attorney General Josh Stein and state representative Jason Saine have introduced a bill to moderize data breach notification laws in the state and increase protections for state residents after an increase in data breaches affecting North Carolina residents was recorded throughout 2017.

The bill, Act to Strengthen Identity Theft Protections, was introduced in January 2018 and proposed amendments to state legislation that would have made North Carolina breach notification laws some of the toughest in the United States. The January 2018 version of the bill proposed an enlarged definition of a breach, alterations to the definition of personal information and a maximum of 15 days from the identification of a breach to issue notifications to those impacted by a breach.

Attorney General Stein and Rep. Saine launched a new version of the bill on January 17, 2019. While some of the proposed amendments have been scaled back, new obligations have also been introduced to enhance protections for state residents.

The updated bill was released in tandem with the state’s annual security breach report for 2018. The report indicates that there were 1,057 data breaches affecting state residents in 2018. Those breaches affected 1.9 million state residents. While there was a 63% drop in individuals impacted by data breaches from 2017, the number of breaches increased 3.4% annually.

The proposed update to the definition of a data breach remains unaltered from the 2018 version of the bill and defines a breach as “Any incident of unauthorized access to or acquisition of someone’s personal information that may harm the person.” In doing so, the new definition broadens the definition to include ransomware campaigns.

Ransomware is normally used only to extort money from individuals. However, in recent times there has been an increasing trend of combining ransomware with other malware variants such as information stealers, making data theft more common. Regardless of the nature of the ransomware attack, the bill states that notifications must be sent to allow state residents to make an informed decision about the actions that need to be taken to reduce the risk of damage.

The bill also obligates businesses that own or license personal data to put in place and maintain reasonable security procedures and practices, which must be appropriate to the nature of information gathered and maintained. Of note to HIPAA-covered bodies, the definition of personal information has been expanded to include medical information, genetic information, and insurance account numbers.

The 2018 version of the bill called proposed that breach notifications to be issued within 15 days of the identification of a breach. The latest version has seen the timescale for issuing notifications changed to within 30 days of discovery of a breach.

Any business that suffers a data breach that is found to have failed to put in place appropriate security measures or fails to issue notifications within the 30-day deadline will be breaching the Unfair and Deceptive Trade Practices Act, and could be issued with a civil monetary fine.

If the legislation is enacted, state residents will be permitted to place a credit freeze on their credit reports free of charge. Credit agencies will be obligates to put in place “A simple, one-stop shop for freezing and unfreezing credit reports across all major consumer reporting agencies, without the person having to take any additional action.”

Companies conducting business in the state of North Carolina will have to provide breach victims with two years of free credit monitoring services should a breach of Social Security numbers occur, and four years of free credit monitoring services for breaches that take place at credit agencies.

Any business that wishes to access or use a person’s credit report or credit score will have to receive consent from the person in advance and must outline why access to the information is needed. State residents will also be allocated the right to submit a request to a consumer reporting agency for a list of all data the agency maintains, including credit and non-credit related information, and a list of all bodies to which that information has been given to.