North Carolina Attorney General Josh Stein and state Representative Jason Saine introduced the Act to Strengthen Identity Theft Protections on January 8, 2018. The new data breach notification bill was introduced in response to the rising number of personal information breaches in 2017. Over 5.3 million North Carolina residents were affected by data breaches last year.
If the new bill passes, North Carolina residents will have stronger protection against personal data breaches. The Act will update the definitions of key concepts such as personal information and security breaches. It would also shorten the time allowed for notifying state residents of a breach of their personal information.
Here are some details of the updates to the new data breach notification bill:
· The Act expands the definition of personal information to include medical information and insurance account numbers. It is not yet clear whether the new law will apply to all organizations covered by HIPAA or whether HIPAA-compliant organizations will be deemed compliant with this new state law.
· A breach, in the Act’s updated definition, includes any breach of personal information. A ransomware attack is considered a breach even if personal information was only encrypted and no data was stolen.
· When a breach of personal information occurs, the Act requires notification of breach victims within 15 days of breach discovery. Faster notifications allow victims to take rapid action to protect their accounts and limit harm to their personal information.
· The Attorney General’s office must be notified of the breach as well. This gives power to the attorney general to determine the risk and harm caused by the breach.
· The Act will also require businesses to maintain reasonable security protections to secure personal data. Failure to implement this rule will be deemed a violation of the Unfair and Deceptive Trade Practices Act.
· The Act requires that North Carolina residents be offered a free credit freeze on their accounts in case of a breach. Credit reporting agencies will need to set up one-stop shops for freezing and unfreezing consumer credit reports. If credit and consumer reporting agencies experience a breach, the Act will require them to provide five years of credit monitoring services to consumers for free.