Stronger protections against data breaches proposed

Posted January 8, 2018 3:50 p.m. EST
Updated January 9, 2018 10:53 a.m. EST

— Attorney General Josh Stein and Rep. Jason Saine, R-Lincoln, unveiled proposed legislation Monday to strengthen North Carolina’s laws to prevent data breaches and to protect victims.

"Last year, more than 5.3 million North Carolinians were estimated to have been affected by a data breach," Stein said at a news conference. "This number is staggering and unacceptable. North Carolina’s laws on this issue are strong, but they need to be even stronger."

The Act to Strengthen Identity Theft Protections would add ransomware attacks as a type of data breach that businesses and government agencies must be reported to the Attorney General's Office and to affected individuals and would add medical information and insurance account numbers to materials businesses and agencies have a duty to protect.

The proposal also would require businesses to get an individual's permission to obtain or use a credit report or credit score and gives individuals the right to request from consumer reporting agencies a list of the personal information maintained, its source and a list of any person or entity to which it was disclosed.

Businesses and agencies would have to disclose a breach within 15 days under the proposal, and any business found to have failed to maintain reasonable security procedures would be found in violation of the Unfair and Deceptive Trade Practices Act. Credit agencies would be required to implement a one-stop system for people to freeze and unfreeze their credit reports across all major consumer reporting agencies.

"As more and more of our daily activities involve digital interactions, ensuring the safety of North Carolina’s citizens' data is of critical importance," Saine said. "When there is a breach, we need to ensure that consumers are notified in a timely fashion and that they have the tools they need to protect their personal identity from bad actors."

Yahoo! was hacked in 2013 but didn't reveal it publicly for three years, and last year said the number of compromised accounts – 3 billion – was triple initial estimates. Uber also waited a year before notifying customers of a data breach

An annual report on data breaches in North Carolina showed more than 1,000 were reported to the Attorney General's Office in 2017.

Hacking accounted for half of the breaches, and the number of hacking-related breaches statewide had more than doubled in two years, according to the report. Breaches that resulted from phishing emails have skyrocketed from 10 in 2015 to 248 last year, accounting for a quarter of last year's total.

Accidental releases of personal information, data theft by employees or contractors and lost or stolen equipment accounted for the other quarter of data breaches in the state last year. The most commonly stolen information includes full names, dates of birth and Social Security, driver's license and credit card numbers.