North Carolina State AG Proposes Stricter Data Breach Notification Laws

North Carolina Attorney General Josh Stein and state Rep. Jason Saine have presented a bill to modernize data breach notification rules in the state and increase safeguards for state residents, after an increase in data breaches affecting North Carolina residents was recorded throughout 2017.

The bill, the Act to Strengthen Identity Theft Protections, was presented in January 2018 and proposed changes to state legislation that would have made North Carolina's breach notification rules some of the toughest in the United States. The January 2018 version of the bill proposed a detailed definition of a breach, modifications to the definition of private information, and a maximum of 15 days from the identification of a breach to issue notices to those impacted by it.

Attorney General Stein and Rep. Saine introduced a new version of the bill on January 17, 2019. Although some of the proposed modifications have been scaled back, new responsibilities have also been introduced to increase safeguards for state residents.

The updated bill was issued in tandem with the state’s annual security breach report for 2018. The report shows that there were 1,057 data breaches affecting state residents in 2018. Those breaches affected 1.9 million state residents. While there was a 63% decline in people impacted by data breaches from 2017, the number of breaches rose 3.4% year over year.

The proposed update to the definition of a data breach remains unchanged from the 2018 version of the bill and defines a breach as “Any occurrence of illegal access to or acquisition of somebody’s private information that might harm the individual.” In doing so, the new wording broadens the definition to include ransomware attacks.

Ransomware is generally used only to extort money from people. Nevertheless, in recent times there has been a growing tendency to combine ransomware with other malware variants such as information stealers, making data theft more common. Irrespective of the nature of the ransomware attack, the bill states that notices should be sent so that state residents can make an informed decision about the actions needed to reduce the risk of harm.

The bill also requires companies that possess or certify private data to put in place and maintain reasonable security procedures and practices, which should be appropriate to the nature of the information collected and maintained. Of note to HIPAA-covered entities, the definition of personal information has been expanded to include genetic information, medical information, and insurance account numbers.

The 2018 version of the bill proposed that breach notices be issued within 15 days of the detection of a breach. In the latest version, the timescale for issuing notices has been changed to within 30 days of identification of a breach.

Any company that suffers a data breach and is found to have failed to put in place proper security measures, or that fails to issue notices within the 30-day deadline, will be in breach of the Unfair and Deceptive Trade Practices Law and might be issued a civil monetary penalty.

If the law is passed, state residents will be allowed to place a freeze on their credit reports free of charge. Credit organizations will be obligated to put in place “A simple, one-stop shop for shelving and releasing credit reports across all main consumer reporting organizations, without the individual having to take any additional action.”

Firms doing business in the state of North Carolina will have to provide breach victims with two years of free credit monitoring services should a breach of Social Security numbers occur, and four years of free credit monitoring services for breaches that take place at credit organizations.

Any business that wants to access or use a person’s credit report or credit score will have to get approval from the person in advance and should summarize why access to the information is required. State residents will also be given the right to submit a request to a consumer reporting organization for a list of all data the organization maintains, including credit and non-credit related information, and a list of all entities to which that information has been given.