More than 5.3 million residents of North Carolina were victims of data breaches in 2017 – an escalating trend that has prompted state Attorney General Josh Stein (D) and state Rep. Jason Saine (R) to introduce newly proposed legislation to prevent further incidents and protect the public.
Unveiled on Jan. 8, the bipartisan "Act to Strengthen Identity Theft Protections” updates the state's definition of a data breach, expanding the scope to include ransomware attacks. It also requires that affected companies report any such incident to the public and the AG's office within 15 days.
Additionally, the bill also requires businesses that own or license consumers' personal information to execute reasonable security procedures and practices to protect said data, including medical records and insurance account numbers.
If a company fails to uphold its responsibilities, it will be considered a violation of the Unfair and Deceptive Trade Practices Act. According to a fact sheet detailing the proposed legislation, “each person affected by the breach represents a separate and distinct violation of the law.”
Additionally, the proposed act allows consumers to easily freeze their credit, access free credit reports, and view information collected on them by consumer reporting agencies. If one of these agencies is breached, like Equifax infamously was in 2017, that service would have to offer five years of free credit monitoring to impacted consumers.
The legislation also states that companies looking to obtain a consumer's credit report or score would first need the consumer's permission.
The bill's announcement came as the state released its annual report on data breaches reported to the state AG's office. According to the document, there were 1,022 reported breaches in 2017 – a 15 percent increase over 2016. Of that amount, just over half were caused by malicious hacking.
Phishing scams were responsible for the second largest number of breaches, jumping dramatically from just 1.76 percent in 2015 to 24.27 percent in 2017.
In a press release, Stein said that the findings were “staggering and unacceptable,” adding: “North Carolina's laws on this issue are strong – but they need to be even stronger.”
“As more and more of our daily activities involve digital interactions, ensuring the safety of North Carolina's citizen's data is of critical importance,” said Saine, also in the release. “When there is a breach, we need to ensure that consumers are notified in a timely fashion and that they have the tools they need to protect their personal identity from bad actors.”