On January 8, 2018 Attorney General Josh Stein and Representative Jason Saine announced legislation to strengthen protection against identity theft. There are several key items in this legislation that could have a direct impact on businesses here in North Carolina.

Back in February, I wrote a blog post that detailed the need-to-know information regarding North Carolina’s 2017 Security Breach Report. In this original blog post, I reported that more than 1,000 data breaches were reported to the North Carolina Department of Justice in 2017.

Since 2005—when North Carolina law began requiring businesses, state governments, and local governments to report security breaches—there have been nearly 5,000 breaches reported. And those breaches, have impacted more than 14 million residents that call North Carolina home.

While there is a current Identity Theft Protection Act on the books here in North Carolina, it is encouraging that Stein and Saine feel it is time to push businesses, as well as state and local government agencies, to step up their game when it comes to the personal information of NC residents. I couldn’t agree more!

The news release from the North Carolina Department of Justice (NCDOJ) dated January 8, 2018, outlines the proposed legislation, but before we get to those points, it makes sense to first explore what the NCDOJ considers personal information.

What Is “Personal Information”

The DOJ provides more details on its Security Breach Information web page. In it, the DOJ defines Personal Information (PI) as:

Personal information includes an individual’s Social Security number (SSN), employer taxpayer identification number (TIN), driver’s license or state identification number, passport number, checking/saving account number, credit/debit card number, PIN, digital signature, bio-metric data, fingerprints or any number that can be used to access his financial resources.

In addition to the above definition, PI also includes:
An individual’s email name or address, internet account number, internet username or password may be considered a breach if it would permit someone to access financial accounts or resources. Personal information does not include directories available to the public.

Why The Act To Strengthen Identity Theft Protection?

While the NCDOJ already has guidelines around PI and Security Breaches, the proposed legislation will strengthen these protections in several key ways:

Expanded definition of “breach”

The proposal updates what would be considered a ”security breach,” specifically:

Any incident of unauthorized access to, or acquisition of, someone’s personal information is recognized as a breach. The new definition will now include Ransomware attacks – this is when personal information is accessed but is not necessarily acquired.

In the past, Ransomware attacks weren’t considered a breach because it was assumed that while personal information may have been accessed and encrypted, it wasn’t necessarily acquired for other uses by the hacker.  This proposed legislation will change that.

The move towards considering ransomware as a breach isn’t coming only from the state level.  The Federal Office of Civil Rights issued the Ransomware and HIPAA fact sheet that echos this shift:

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.

Increased Responsibility And Expansion Of PI Definition

As part of the Act to Strengthen Identity Theft Protections, the NCDOJ ups the game with respect to a business’s responsibility in protecting PI of NC residents, and also adds Medical Information and Insurance account numbers to the list of protected information.  The legislation would:

Imposes a duty for a business that owns or licenses personal information to implement and maintain reasonable security procedures and practices – appropriate to the nature of personal information – to protect the personal information from a security breach. Additionally, the definition of protected information is updated to include medical information and insurance account numbers.

Reasonable Security Procedures

In addition to the legislation “imposing a duty” on businesses for the protection of Personal/Protected information, the proposal also makes it clear that a business can’t simply plead ignorance to security procedures.  If a business suffers a breach and is found to have not maintained “reasonable security procedures,” each individual affected is granted separate recourse under the Unfair and Deceptive Trade Practices Act.

A business that suffers a breach and failed to maintain reasonable security procedures will have committed a violation of the Unfair and Deceptive Trade Practices Act, and each person affected by the breach represents a separate and distinct violation of the law.

Faster Notification

While current legislation requires reporting data breaches “without unnecessary delay” (see 75-65 (a)) the proposed legislation would change this to:

When a consumer’s personal information has been compromised by a security breach, the entity that was breached must notify the affected consumer and the Attorney General’s office within 15 days.

Fact Sheet / More Information

For more information, there is a fact sheet published on the Ellis&Winters website unfairtradepracticesnc.com.

The Most Important Takeaways For Your Business

The Act to Strengthen Identity Theft Protections looks like a great move in pushing the responsibility for PI protection down to where it belongs – with the entities that collect, maintain, and use personal information.

Including Ransomware as a breach, expanding the definition of Personal/Protected information, shortening the reporting time period and considering each individual affected by a breach as separate violations, should get the attention of every small business in NC.

At Technology Associates, we frequently see businesses that still believe they can take a reactive stance to their technology – working with ‘a guy’ who they only call when needed (that means after a ransomware infection).  This approach may have worked in the past but with the exponential growth of technology and the collection and use of Personal Information (along with the huge damage that can be caused by a breach), it is time to step up our game collectively and take a more serious stance on security.

If you have a question about your security stance, I welcome the chance to talk.  Call me at 919-459-0109 or drop me an email at ehobbs@technologyassociates.net.