On January 8, 2018, the State of North Carolina released its Security Breach Report 2017, which highlights a 15 percent increase in breaches since 2016. At the same time, North Carolina introduced new legislation aimed at reducing the number of data security incidents affecting North Carolina residents. This new legislation, named the Act to Strengthen Identity Theft Practices (ASITP), announced by Representative Jason Saine and Attorney General Josh Stein, attempts to combat the data breach epidemic by expanding North Carolina’s breach notification obligations, while reducing the time businesses have to comply with notification to the affected population and to the North Carolina Attorney General’s Office. If enacted, this new legislation will be one of the most aggressive U.S. breach notification statutes.
North Carolina’s Security Breach Report 2017
In 2017, North Carolina experienced a total of 1,022 data breaches that impacted approximately 5.3 million North Carolina residents. Health care, financial services and insurance businesses accounted for 38 percent of these data breaches, with general businesses making up just over half. Almost 75 percent of all breaches resulted from phishing, hacking and unauthorized access, reflecting an overall increase of more than 3,500 percent in reported hacking incidents alone since 2006. Since 2015, phishing incidents increased over 2,300 percent. These numbers emphasize the warning to beware of emails or texts requesting personal information and underscore the need to follow up via telephone to confirm such requests. As a best practice, it is advisable to always transmit personal information via secure methods.
As with all states, not all of North Carolina’s data breaches reported in 2017 resulted from phishing or hacking incidents. Just over 25 percent of data breaches were caused by traditional criminal activity such as computer and data theft, accidental disclosures or logistical failures such as lost shipments. This highlights the importance of best practices, including proper training, oversight, policies and procedures to protect personal information.
Proposed New Legislation
The Fact Sheet concerning the ASITP as published by the North Carolina Attorney General proposes that the AG take a more direct role in the investigation of data breaches closer to their time of discovery, so that it can “determine the risk of harm – not the breached organization.” To accomplish this goal, the ASITP proposes a significantly shorter period of time for an entity to provide notification to the affected population and to the North Carolina Attorney General. Currently, North Carolina’s statute mandates that notification be made to affected individuals and the Attorney General without “unreasonable delay.” Under the ASITP, the new deadline for all notifications would be 15 days following discovery of the data security incident. This would be the shortest deadline in the nation; it is also important to note that notification vendors typically require 5 business days to process, print and mail notification letters. This deadline may require small to mid-size companies to divert resources from recovering operations to investigation of the incident.
The proposed legislation also seeks to (1) expand the definition of “protected information” to include medical information and insurance account numbers, and (2) penalize those who fail to maintain reasonable security procedures by charging them with a violation under the Unfair and Deceptive Trade Practices Act for each person whose information is breached.
Finally, the ASITP expands the definition of what constitutes a breach to include ransomware, where personal information is accessed but not necessarily acquired. Notification would be required where personal information is encrypted by an outside intruder, making North Carolina the first state with a breach notification statute that defines ransomware as unlawful access of personal information. This is certain to increase the number of incidents reportable to residents of North Carolina and the North Carolina Attorney General. It is worth noting that while North Carolina is the first state to include the term “ransomware” in its data breach statute, several states, including Florida, Connecticut, Kansas, Louisiana, and New Jersey, define a breach as unauthorized “access” to personal information, a definition that can encompass a ransomware attack. Additionally, a ransomware attack may be considered a data breach under HIPAA if personal health information is accessed in the attack.
While we await the final format and timeline for this proposed legislation, contact a member of Wilson Elser’s Cybersecurity & Data Privacy practice for more information about how you can defend against cyber-attacks and remain in compliance with the changing legal landscape.
We have prepared and included below a chart of current state notification deadlines for comparison to the new proposed legislation.
Breach Notification Timeline
Time After Discovery of Breach | Action Required
10 Calendar Days |
15 Calendar Days |
14 Business Days |
15 Business Days |
30 Calendar Days |
45 Calendar Days |
60 Calendar Days |
90 Calendar Days |
Most expedient time and without unreasonable delay |
As soon as possible |

Days After Confirmation of Breach | Action Required
45 Calendar Days |