State AG Proposes Tougher Data Breach Notification Laws in North Carolina

Following an increase in data breaches affecting North Carolina residents in 2017, state Attorney General Josh Stein and state representative Jason Saine introduced a bill to update data breach notification laws in North Carolina and increase protections for state residents.

The bill, Act to Strengthen Identity Theft Protections, was introduced in January 2018 and proposed changes to state laws that would have made North Carolina breach notification laws some of the toughest in the country. The January 2018 version of the bill proposed an expansion of the definition of a breach, changes to the definition of personal information, and a maximum of 15 days from the discovery of a breach to issue notifications to breach victims.

Attorney General Stein and Rep. Saine unveiled a revised version of the bill on January 17, 2019. While some of the proposed updates have been scaled back, new requirements have also been introduced to increase protections for state residents.

The updated bill coincides with the release of the state’s annual security breach report for 2018. The report shows there were 1,057 data breaches affecting state residents in 2018. Those breaches impacted 1.9 million state residents. While there was a 63% decrease in individuals affected by data breaches from 2017, the number of breaches increased 3.4% year over year.

The proposed update to the definition of a data breach remains unchanged from the 2018 version of the bill and defines a breach as “Any incident of unauthorized access to or acquisition of someone’s personal information that may harm the person.” Because unauthorized access alone qualifies, the new definition is broad enough to cover ransomware attacks.

Ransomware is typically used only to extort money from victims. However, in recent months there has been a growing trend of combining ransomware with other malware variants such as information stealers, making data theft more likely. Regardless of the nature of the ransomware attack, the bill requires notifications to be issued to allow state residents to make an informed decision about the actions that need to be taken to reduce the risk of harm.

The bill also requires businesses that own or license personal information to implement and maintain reasonable security procedures and practices, which must be appropriate to the nature of information collected and maintained. Of note to HIPAA-covered entities, the definition of personal information has been expanded to include medical information, genetic information, and insurance account numbers.

The 2018 version of the bill called for breach notifications to be issued within 15 days of the discovery of a breach. The latest version extends that deadline to 30 days from the discovery of a breach.

Any business that experiences a data breach and is found to have failed to implement appropriate security measures, or that fails to issue notifications within the 30-day deadline, will be in violation of the Unfair and Deceptive Trade Practices Act and could be issued with a civil monetary penalty.

If the legislation is passed, state residents will be allowed to place a credit freeze on their credit reports free of charge. Credit agencies will be required to put in place “A simple, one-stop shop for freezing and unfreezing credit reports across all major consumer reporting agencies, without the person having to take any additional action.”

Companies doing business in the state of North Carolina will be required to provide breach victims with two years of free credit monitoring services in the event of a breach of Social Security numbers, and four years of free credit monitoring services for breaches at credit agencies.

Any business that wants to access or use a person’s credit report or credit score will be required to obtain consent from the person in advance and must explain why access to the information is required. State residents will also be given the right to submit a request to a consumer reporting agency for a list of all information the agency maintains, including credit and non-credit related information, and a list of all entities to which that information has been disclosed.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.