In 2017, more than 5.3 million residents of North Carolina were reported to be victims of breaches of private data. In response to this alarming figure, a new data breach notification bill has been introduced in North Carolina in an attempt to the problems that arise in the aftermath of a data breach.
Attorney General Josh Stein and state Representative Jason Saine were prompted to introduce the Act to Strengthen Identity Theft Protections in response to the huge number of people affected by data breaches. If passed, North Carolina will have some of the toughest data breach notification laws in the United States.
The Act, introduced on January 8, 2018, was designed to strengthen protections for state residents. The Act updates the definitions of personal information and security breaches, and decreases the allowable time to notify state residents of a breach of their personal information. It is hoped that these changes will help state residents if they are affected by data breaches in the future.
The definition of personal information has been expanded to include insurance account numbers and medical information. It is currently unclear whether the new law will apply to organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) or if they will be deemed to be in compliance with state laws if they comply with HIPAA.
The definition of a breach has been updated to include any breach of personal information, including ransomware attacks, even if the personal information of state residents is only encrypted by ransomware and no data theft has occurred.
The Act requires companies to issue notifications to breach victims within 15 days of the discovery of a breach. This is a quarter of the time required by HIPAA’s Breach Notification Rule, which stands at 60 days. Following a breach, many people are at high risk of becoming victims of identity fraud. The sooner that people know about a breach, the sooner that action can be taken to secure their accounts and limit potential harm from the exposure of their personal information.
In addition to notifying those affected, breaches must also be reported to the Attorney General’s office. This will empower the attorney general to determine the risk of harm from the breach, rather than leaving it to the breached entity to decide themselves how harmful a breach was.
The Act also requires businesses to implement and maintain reasonable security protections to keep data secure. The nature of those protections should be appropriate to the sensitivity of the data concerned. The failure to implement sufficient controls would be deemed a violation of the Unfair and Deceptive Trade Practices Act, and each person whose data has been exposed would represent “a separate and distinct violation of the law.”
The Act hopes to give residents of North Carolina the power to place a credit freeze on their accounts free of charge if they have potentially been affected by a breach. The Act requires credit reporting agencies “to put in place a simple, one-stop shop for freezing and unfreezing a consumer’s credit reports.” This would allow consumers to quickly and easily freeze and unfreeze credit across all major consumer reporting agencies.
A new provision has also been included to cover credit reference and consumer reporting agencies. If those agencies experience a breach they will be required to provide five years credit monitoring services to consumers free of charge by ways of reparations.