NC AG: Classify Ransomware Infection as a Data Breach

January 22, 2019

North Carolina’s Attorney General Josh Stein and Rep. Jason Saine unveiled legislation to strengthen North Carolina’s laws to prevent data breaches and to protect affected victims.

“Last year, more than 1.9 million North Carolinians were estimated to have been affected by a data breach,” said Attorney General Stein. “This number is way too high. North Carolina’s laws on this issue are strong – but they need to be even stronger. Rep. Jason Saine and I want to do everything we can to keep people’s personal information safe.”

“Over the last year, we have spent numerous hours working with citizen advocates – like AARP, the Attorney General’s Office, and the North Carolina business community, to ensure that this bill will create strong protections for North Carolina’s citizens’ data,” said Rep. Jason Saine. “We are strongly committed to getting this right, and creating a strong framework for protecting our most personal information.”

Strengthen North Carolina Identity Theft Protection Act

Prevents Breaches

Updates what constitutes a security breach. Any incident of unauthorized access to or acquisition of someone’s personal information that may harm the person is a breach. The new definition will now include ransomware attacks – attacks in which personal information is accessed but is not necessarily acquired. As a result, the breached organization must notify both the people affected and the Attorney General’s office. If the breached entity determines that no one was harmed, it must document that determination for the Attorney General’s office to review.

Tighter data protection. Requires businesses that own or license personal information to implement and maintain reasonable security procedures and practices – appropriate to the nature of personal information – to protect the personal information from a security breach. Additionally, the definition of protected information is updated to include medical information, genetic information and health insurance account numbers.

Increases Consumer Protection After a Breach

Quicker notification. When a person’s personal information has been compromised by a security breach, the entity that was breached must notify the affected person and the Attorney General’s office as soon as possible and no later than 30 days. This quick notification will allow people to freeze their credit across all major credit reporting agencies and take other measures to prevent identity theft before it occurs.

Credit freeze. People will be able to place and lift a credit freeze on their credit report at any time, for free. A credit freeze will prohibit a thief from using stolen information to open any new credit lines under the victim’s name. Credit agencies will also be required to put in place a simple, one-stop shop for freezing and unfreezing credit reports across all major consumer reporting agencies without the person having to take any additional action.

Credit monitoring. If a security breach occurs at a consumer reporting agency, like Equifax, that agency will have to provide four years of free credit monitoring to those affected. Additionally, if a business experiences a breach that includes Social Security numbers, that business must provide two years of free credit monitoring to those affected.

Clarifies penalties. A business that suffers a breach and failed to maintain reasonable security procedures or failed to provide timely notice will have committed a violation of the Unfair and Deceptive Trade Practices Act.

Provides Greater Control

Consent. A company seeking to obtain or use a person’s credit report or credit score will need the person’s permission and must disclose the reason for seeking access to the information.

Right to request information. North Carolinians will have the right to request from the consumer reporting agency a listing of the information maintained on themselves (both credit-related and non-credit-related information), its source, and a list of any person or entity to which it was disclosed.

In addition to announcing this legislation, Attorney General Stein also released an annual report detailing the data breaches reported to his office in 2018. That report provides detailed information about the 1,057 data breaches that affected more than 1.9 million North Carolinians.
More information on data breaches in 2018: 

  • Phishing scams made up 26 percent of all breaches in 2018, up nearly 11 percent since 2017 and 2,650 percent since 2015.
  • Accidental release and display breaches increased in 2018, after a steady decline since 2013.
  • The 474 hacking breaches reported in 2018 marked an 8 percent decline since 2017. Hacking breaches in 2018 were 1,960 percent higher than a decade ago.
  • In 2018, more than 1.9 million North Carolinians were affected by data breaches, a 63 percent decrease from the 5.3 million North Carolinians affected by data breaches in 2017. In 2017, an estimated 5 million North Carolinians were affected by the Equifax breach, one of the most significant security breaches in American history.
  • More data breach notices were submitted in 2018 than in 2017. The 1,057 data breach notices submitted in 2018 were 3.4 percent higher than the number of notices submitted in 2017.
