North Carolina’s Attorney General Josh Stein and Rep. Jason Saine proposed legislation designed to strengthen the state’s identity theft protection law, targeting prevention and consumer protection boost in the face of breaches.
The most significant future enhancement to the breach prevention section of North Carolina’s identity theft legislation is the addition of ransomware attacks as security breaches which require organizations to “notify both the people affected and the Attorney General’s office. If the breached entity determines that no one was harmed, it must document that determination for the Attorney General’s office to review.”
Moreover, if the proposal will pass, the law will also be improved with the addition of “medical information, genetic information and health insurance account numbers” as new types of protected information.
The new legislation to change breach notification timelines
“Last year, more than 1.9 million North Carolinians were estimated to have been affected by a data breach,” stated Attorney General Stein. “This number is way too high. North Carolina’s laws on this issue are strong – but they need to be even stronger. Rep. Jason Saine and I want to do everything we can to keep people’s personal information safe.”
As further detailed in the “Strengthen North Carolina Identity Theft Protection Act” fact sheet, if the changes to the legislation are passed, organizations will have to provide breach notification within 30 days allowing affected consumers to freeze their credit as an identity theft prevention measure.
The new legislation will also make it possible for people affected by security breaches to “to place and lift a credit freeze on their credit report at any time, for free.”
As detailed in the fact sheet:
A credit freeze will prohibit a thief from using stolen information to open any new credit lines under the victim’s name. Credit agencies will also be required to put in place a simple, one-stop shop for freezing and unfreezing credit reports across all major consumer reporting agencies without the person having to take any additional action.
Consumer reporting agencies such as Equifax will be required by the new modified law to provide four years of free credit monitoring to all individuals affected if the agency itself is breached. On the other hand, all other businesses will be asked to offer two years of free credit monitoring to all affected parties when social security numbers are also involved.
The legislation update will also clarify the penalties imposed on breached organizations which fail to notify consumers or the Attorney General’s office in a timely fashion, as well as to set up reasonable security procedures prior to the breach incident.
Consumers to gain greater control over their information
If that happens, the new identity theft law businesses will consider that a violation of the Unfair and Deceptive Trade Practices Act has been committed and all the penalties that come with it will also be applied in such an event.
“Over the last year, we have spent numerous hours working with citizen advocates – like AARP, the Attorney General’s Office, and the North Carolina business community, to ensure that this bill will create strong protections for North Carolina’s citizens’ data,” according to Rep. Jason Saine. “We are strongly committed to getting this right, and creating a strong framework for protecting our most personal information.”
In addition, the updates proposed to North Carolina’s legislation will also provide consumers with greater control over their information:
• Consent: A company seeking to obtain or use a person’s credit report or credit score will need the person’s permission and must disclose the reason for seeking access to the information.
• Right to request information: North Carolinians will have the right to request from the consumer reporting agency a listing of the information maintained on him or herself (both credit related and non-credit related information), its source, and a list of any person or entity to which it was disclosed.
Besides announcing the legislation updates, an annual report with information on all data breaches reported to the office of the Attorney General Stein in 2018 was also published as part of the press release.
The report provides detailed information about the 1,057 breaches which affected more than 1,9 million North Carolinians during 2018, a big step down from the 5,3 million individuals impacted by breaches in 2017.
Also, as reported by the Attorney General’s office, “Phishing scams made up 26 percent of all breaches in 2018, up nearly 11 percent since 2017 and 2,650 percent since 2015” while “The 474 hacking breaches reported in 2018 marked an 8 percent decline since 2017. Hacking breaches in 2018 were 1,960 percent higher than a decade ago.”