In 2018, the last two U.S. states (Alabama and South Dakota) passed data breach protection laws. Meaning, as of January 2019, all 50 states within the U.S. now have data breach notification laws. California was a pioneer in this space in 2003, as the first state to pass a data breach notification law. North Carolina was one of the first states to follow suit, passing Senate Bill 1048 in 2005, which has since been codified into law as N.C. Gen. Stat §§ 75-61, 75-65.

History of privacy legislation in North Carolina

The 2005 statute defined a breach as the unauthorized acquisition or access of unredacted or unencrypted records of data containing personal information, which could create a material risk of harm to a consumer. Personal information is defined as a person’s first and last name in combination with identifying information. In addition, the first bill required:

• Notification to state consumer protection bureau (a division of the attorney general’s office) for breaches affecting more than 1,000 people.
• Businesses provide notice to the affected persons that there has been a security breach following discovery or notification of the breach without unreasonable delay after discovery.
• The conditions under which a consumer can place a freeze on their credit report.
• Businesses take reasonable measures to protect against unauthorized access or use of consumers’ personal information by using methods to secure and protect sensitive information such as social security numbers.

In 2009, North Carolina’s data breach notification law was amended in some significant ways. First, a new requirement that businesses notify the attorney general anytime a business notifies North Carolina residents of a breach, removing the threshold 1,000-person threshold. Additionally, the following requirements for breach notification were added:

• A description of the incident.
• The type of personal information breached.
• The measures business has taken to prevent and or mitigate further unauthorized access.
• Statement of how consumers can take steps to prevent identity theft.
• a toll-free telephone number where consumers can receive further information.
• The addresses and toll-free numbers of the national credit reporting agencies, U.S. Federal Trade Commission and the North Carolina Attorney General's Office.

Recent large breaches

Two years ago, North Carolina Attorney General Josh Stein released the North Carolina Security Breach Report 2017 that cited 1,022 reported breaches in 2017, which was a 15 percent increase from 2016. The report also stated that 5.3 million North Carolinians were affected as a result of these breaches.

In 2017, North Carolina received $390,814 of the $18 million nationwide settlement with Target over their 2013 data breach.

In 2017, the North Carolina Attorney General's Office reached a settlement with Nationwide Insurance Company over a data breach that was caused by the company failing to apply a critical security patch, which resulted in the unauthorized access of 1.27 million consumers personal information, including social security numbers, drivers license numbers and credit scores.

In late 2018, North Carolina received $3,661,800.27 as part of a nationwide $148 million settlement with Uber over a data breach. In addition, Uber agreed to implement better data security practices and develop better corporate governance policies in order to prevent similar events from occurring in the future.

New amendments

Jan. 8, 2018, North Carolina Rep. Jason Saine, R, and Attorney General Josh Stein, held a joint press conference on proposed measures to protect North Carolinians from security breaches and identity theft.

Though the bill is still being drafted, the senator mentioned that it will contain the following provisions:

• Include new attack methods within the definition of a data breach.
• Eliminate the unreasonable delay language and provide a specific breach notification period to consumers and the Attorney General office of fifteen days (15) days.
• Give consumers the right to initiate free credit freezes at any time to prevent identity theft.
• Consumer credit reporting agencies provide consumers with access to three free credit reports from each consumer reporting agency following a data breach.
• Businesses provide consumers with five (5) years of free credit monitoring following a data breach.
• Require businesses to implement practices and procedures to secure consumer data.
• Require businesses obtain consumers’ consent to prior to obtaining credit reports and or credit scores and a provide a disclosure of the reason for the request; and
• Consumers will have the right to request access to the personal information (credit or non-credit related) a business maintains and the source of such information.

Conclusion

2018 was a privacy-centric year with the EU General Data Protection Regulation going to effect and various other countries updating their data protection bills (China, Vietnam, Brazil). Stateside, we witnessed the passing of CCPA, 23 NYCRR 500, as well the two final U.S. States (Alabama and South Dakota) passing breach notification statutes.

Individuals/consumers are now more informed, concerned and conscious about location and behavioral tracking, data brokers, data breaches and identity theft than ever. I do not expect 2019 to be any different than 2018; in fact, I think the data protection movement may lead to a national data protection bill such as the one proposed by intel.

photo credit: Sky Noir North Carolina State Capitol via photopin (license)