On January 17, 2019, North Carolina Attorney General Josh Stein and North Carolina Representative Jason Saine announced proposed legislation intended to strengthen the state’s data protection laws.
The existing North Carolina Identity Theft Protection Act (ITPA) is similar to data breach laws in other states, and requires businesses to protect the sensitive information (e.g., social security numbers) of state residents. Businesses must implement policies governing the secure destruction of personal information and train employees accordingly. In the event of a data breach, the ITPA requires notification to impacted individuals without unreasonable delay.
In 2018, Attorney General Stein and Representative Saine introduced legislation to strengthen the ITPA, expanding the definition of a data breach to include a ransomware attack and requiring incident notification within fifteen (15) days. This legislation was not enacted. The 2019 version reflects certain modifications to last year’s proposal. In particular, the new proposed legislation gives entities up to thirty (30) days to report a data breach to impacted North Carolina residents and the North Carolina Attorney General.
According to a fact sheet, the proposed legislation goes beyond most breach reporting laws by requiring entities that determine an incident did not result in harm to document that determination for review by the North Carolina Attorney General. If enacted, this will bring greater scrutiny to data hacks, ransomware events and other incidents that may not necessarily result in reportable breaches under the federal HIPAA regulations or other state or federal laws.
Attorney General Stein also released a report summarizing the 1,057 data breaches reported to his office last year. According to the report, these breaches impacted more than 1.9 million North Carolina residents, a 63% decrease from 2017, when breaches impacted approximately 5.3 million residents. As to the causes of these breaches, the report indicates that phishing schemes accounted for 26% of the breaches, with hacking breaches decreasing slightly as compared to 2017.