Josh Stein was sworn in as North Carolina’s Attorney General in 2017. Before serving as attorney general, Stein served as a state senator (2009–16) and as a senior deputy attorney general (2001-2008) in the North Carolina Department of Justice. Throughout his tenure as attorney general, Stein has made consumer fraud protection a top priority. Specifically, Stein has shown a clear commitment to data privacy and security through his advocacy for strong protection of individuals’ personal information, both in North Carolina and on the national stage. Here, Stein shares his vision for smart data use and protection in North Carolina.
The Privacy Advisor: What are your priorities within the realm of data privacy and security for North Carolina? What regulatory trends do you expect to emerge generally, in 2018 and beyond?
Attorney General Josh Stein: Protecting the people of North Carolina, including their data, is a top priority for me. As we all increasingly live our lives online, people need to be able to trust the technology they’re using. It is my duty to hold companies accountable when they fail to uphold the privacy standards of North Carolinians.
There are a few different ways we’re taking action on that this year. First, I’m serving in a leadership role in several multi-state investigations regarding data breaches. In particular, I’m alarmed when companies hold back information about breaches from their customers. People need to know as soon as possible that their data may be compromised so that they can take action and freeze it.
Second, I’m also working with Representative Jason Saine in the North Carolina General Assembly on legislation to tighten up our data security laws. North Carolina has strong laws on this issue, but they could be improved. Some key tenets of The Act to Strengthen Identity Theft Protections are updating what constitutes a security breach so that ransomware attacks fall under the statutory definition, requiring breach entities to notify my office and affected consumers within 15 days of the breach, and requiring businesses to take appropriate steps to protect a consumer’s personal information so that consumers are better protected on the front end, hopefully preventing a breach from ever occurring.
The Privacy Advisor: On that subject, can you explain the motivation behind co-authoring The Act to Strengthen Identity Theft Protections, the importance of bipartisan cooperation on these issues, and whether you recommend that these sorts of amendments be made to more states’ data breach laws?
Stein: In 2017, there were more than 1,000 security breaches affecting more than 5.3 million North Carolinians. Those numbers are on the rise. While the current laws in North Carolina are strong, Representative Saine and I partnered together to try and make them even stronger with the Act to Strengthen Identity Theft Protections.
Our legislation has a quick notification period. The quick notification period allows consumers to freeze their credit across all major credit reporting agencies and take other measures to prevent identity theft before it occurs.
It is important to note that other states have begun passing legislation to require quicker notification. Colorado just passed a law requiring notification within 30 days, and Alabama, Arizona, Maryland, and Oregon all just passed legislation requiring notification within 45 days.
Another key part is requiring businesses to take reasonable measures to protect personal information so fewer security breaches happen in the first place.
The Privacy Advisor: Recently, you joined a large group of state attorneys general in penning a letter to Facebook CEO Mark Zuckerberg. In it, you demanded answers regarding the company’s privacy policies and practices, stemming from reports of unauthorized third-party use of Facebook users’ personal data. Social media clearly plays a significant role in the day-to-day collection and processing of people’s sensitive information. What rules should be put in place to regulate entities that collect and process so much of this information? What do individual states’ roles look like in tackling this problem?
Stein: Facebook and other social media channels play an important role in our lives. But when people create a Facebook page, they are not trading away their privacy. They have an expectation that the company will guard their information.
Yet, the Facebook/Cambridge Analytica situation occurred and is unacceptable. I’ll continue my work with my colleagues, as well as Facebook and other companies, on this issue.
State attorneys general across the nation are leading the fight to protect citizens from data breaches. Earlier this year, I urged Congress not to preempt state laws in favor of weaker federal laws. In many cases, state laws surrounding data breaches and data security provide greater protection to consumers than federal law does. It is my view that North Carolina is best suited to make decisions about how to protect the people of North Carolina.
The Privacy Advisor: While you have stated that “technology makes our lives easier, more convenient, and helps to foster relationships with loved ones far away,” there were more than 1,000 data breaches reported to your office last year. How do we reconcile the advantages of an increasingly technologically advanced world with the pitfalls that can be associated with data privacy and cybersecurity? Furthermore, how can regulations encourage technological innovation while also protecting those who might be adversely affected?
Stein: It is absolutely true that technology has been a driving force of progress in society. It is also true that some people use technology to take advantage of others. We have to make sure that our protections keep up with the advances of those who seek to harm people. The legislation I’ve proposed on this issue is an example of taking action in a measured way to protect the public.
A big part of that is making sure people know how to keep themselves and their families safe. My office provides tips to help protect North Carolinians from data breaches, while also providing support to those who have already had their privacy violated.
The Privacy Advisor: The European Union’s General Data Protection Regulation has changed the way companies around the world, including those in the U.S., collect and process individuals’ personal information. Some U.S. states, such as California, are showing signs of following suit by passing similar legislation requiring affirmative consent for such processing and other more stringent data requirements. Do you see North Carolina considering this path as well, and do you have any advice for companies that must comply with several data privacy regimes?
AG Josh Stein: I’m always interested in exploring ways to give consumers more control over their information and working with businesses to be transparent in their interactions with their customers. Since technological progress isn’t slowing down, we will all have to work together to better protect people from identity theft and infringements of their privacy.
photo credit: James Jordan via photopin