NC AG: Classify Ransomware Infection as a Data Breach
January 22, 2019
North Carolina’s Attorney General Josh Stein and Rep. Jason Saine unveiled legislation to strengthen North Carolina’s laws to prevent data breaches and to protect affected
Strengthen North Carolina Identity Theft Protection Act
Updates what constitutes a security breach. Any incident of unauthorized access to or acquisition of someone’s personal information that may harm the person is a breach. The new definition will now include ransomware attacks, in which personal information is accessed but is not necessarily acquired. As a result, the breached organization must notify both the people affected and the Attorney General’s office. If the breached entity determines that no one was harmed, it must document that determination for the Attorney General’s office to review.
Tighter data protection. Requires businesses that own or license personal information to implement and maintain reasonable security procedures and practices, appropriate to the nature of the personal information, to protect the personal information from a security breach. Additionally, the definition of protected information is updated to include medical information, genetic information and health insurance account numbers.
Increases Consumer Protection After a Breach
Quicker notification. When a person’s personal information has been compromised by a security breach, the entity that was breached must notify the affected person and the Attorney General’s office as soon as possible and no later than 30 days. This quick notification will allow people to freeze their credit across all major credit reporting agencies and take other measures to prevent identity theft before it occurs.
Credit freeze. People will be able to place and lift a credit freeze on their credit report at any time, for free. A credit freeze will prohibit a thief from using stolen information to open any new credit lines under the victim’s name. Credit agencies will also be required to put in place a simple, one-stop shop for freezing and unfreezing credit reports across all major consumer reporting agencies without the person having to take any additional action.
Credit monitoring. If a security breach occurs at a consumer reporting agency, like Equifax, that agency will have to provide four years of free credit monitoring to those affected. Additionally, if a business experiences a breach that includes Social Security numbers, that business must provide two years of free credit monitoring to those affected.
Clarifies penalties. A business that suffers a breach and failed to maintain reasonable security procedures or failed to provide timely notice will have committed a violation of the Unfair and Deceptive Trade Practices Act.
Provides Greater Control
Consent. A company seeking to obtain or use a person’s credit report or credit score will need the person’s permission and must disclose the reason for seeking access to the information.
Right to request information. North Carolinians will have the right to request from the consumer reporting agency a listing of the information maintained on them (both credit-related and non-credit-related information), its source, and a list of any person or entity to which it was disclosed.
In addition to announcing this legislation, Attorney General Stein also released a report detailing the data breaches reported to his office in 2018. That report provides detailed information about the 1,057 data breaches that affected more than 1.9 million North Carolinians.