North Carolina to Make Ransomware Attack Disclosure a Must
New legislation announced by North Carolina’s Attorney General Josh Stein and Rep. Jason Saine would soon make ransomware attack disclosure mandatory in North Carolina.
The proposed legislation, which is designed to strengthen North Carolina’s identity theft protection law, classifies ransomware attacks as security breaches, which would require organizations in the state to notify people as well as the Attorney General’s office.
The Strengthen North Carolina Identity Theft Protection Act states, “Any incident of unauthorized access to or acquisition of someone’s personal information that may harm the person is a breach. The new definition will now include Ransomware attacks – attacks when personal information is accessed but is not necessarily acquired. As a result, the breached organization must notify both the people affected and the Attorney General’s office. If the breached entity determines that no one was harmed, it must document that determination for the Attorney General’s office to review.”
In an official news release, Attorney General Josh Stein says, “Last year, more than 1.9 million North Carolinians were estimated to have been affected by a data breach. This number is way too high. North Carolina’s laws on this issue are strong – but they need to be even stronger. Rep. Jason Saine and I want to do everything we can to keep people’s personal information safe.”
The new legislation would also require “…businesses that own or license personal information to implement and maintain reasonable security procedures and practices – appropriate to the nature of personal information – to protect the personal information from a security breach.” It also updates the definition of protected information to include medical information, genetic information and health insurance account numbers.
The new North Carolina legislation would seek to change timelines for breach notifications. It says that whenever there is a breach of personal information, the breached entity would need to notify the affected person and the Attorney General’s office within 30 days, thereby allowing people to freeze their credit across credit reporting agencies and also to take steps to prevent identity theft.
The new legislation would allow people “to place and lift a credit freeze on their credit report at any time, for free.” Thus, hackers won’t be able to use stolen data to open new credit lines under the affected person’s name. The legislation would also require credit agencies to “put in place a simple, one-stop shop for freezing and unfreezing credit reports across all major consumer reporting agencies without the person having to take any additional action.”
Under the new legislation, consumer reporting agencies (like Equifax) would need to provide four years of free credit monitoring to affected people. Similarly, when a business experiences a breach impacting Social Security numbers, the affected people must be provided with two years of free credit monitoring. Clarifying penalties, the legislation states that a business that “…suffers a breach and failed to maintain reasonable security procedures or failed to provide timely notice will have committed a violation of the Unfair and Deceptive Trade Practices Act.”
A major highlight of the new legislation proposed in North Carolina is that it would provide consumers with greater control over their information. It would require any company that seeks to obtain a person’s credit report or credit score to get the person’s permission and also to disclose the reason for seeking access to the data. Similarly, people in North Carolina would have “the right to request from the consumer reporting agency a listing of the information maintained on him or herself (both credit related and non-credit related information), its source, and a list of any person or entity to which it was disclosed.”
“Over the last year, we have spent numerous hours working with citizen advocates – like AARP, the Attorney General’s Office, and the North Carolina business community, to ensure that this bill will create strong protections for North Carolina’s citizens’ data. We are strongly committed to getting this right, and creating a strong framework for protecting our most personal information,” says Rep. Jason Saine.
Attorney General Stein has also released an annual report that details all the data breaches reported to his office in 2018 (1,057 data breaches impacting over 1.9 million people).