A recent Security Breach Report published by the North Carolina Attorney General’s Office provides a snapshot of the various data security threats currently riling the state’s public and private sectors. Since 2006, the year North Carolina businesses and government entities became statutorily obligated to report breaches to the Attorney General’s Office, reported data breaches have skyrocketed from 86 to over one thousand. In turn, the number of affected consumers has increased ten-fold from 500,000 to well over 5 million during that same period. Surges in hacking breaches and phishing schemes targeting North Carolina businesses have driven these aggregate increases. This troubling trend has persisted despite AG Josh Stein’s ongoing commitment to protecting the state’s consumers. In 2017 alone, AG Stein secured settlements with Nationwide and Target after their widely publicized data security lapses. AG Stein has also assumed a leading role in a multi-state investigation into Equifax’s staggering data breach in 2017. Yet, it remained clear that regulators lacked the enforcement tools to successfully thwart the rise in security threats and buck the trend of the past decade.
Enter Representative Jason Saine who, in tandem with AG Stein, has foreshadowed impending legislation, entitled an “Act to Strengthen Identity Theft Protections.” Draft legislation has not yet been introduced in the North Carolina House, but a recently released fact sheet describes the three consumer protection thrusts of the forthcoming bill.
First, the bill will aim to reduce the number of data breaches by imposing stricter duties on businesses that own or license personal information. Businesses will be required to implement and maintain reasonable security procedures and practices, appropriate to the nature of the personal information collected from consumers. This sort of minimum-security mandate parallels tactics employed in other states, like California. Any breached business that failed to implement the articulated procedures will have committed a violation of the state’s Unfair and Deceptive Trade Practices Act.
Second, the bill will yield increased consumer protection after a data breach by, among other things: 1) requiring breached entities to notify both the affected consumer and the AG’s office within fifteen days; 2) empowering consumers with the ability to place and lift a freeze on their credit reports for free, at any time; 3) authorizing consumers whose personal information has been compromised to obtain three free credit reports from each consumer credit reporting agency that compiles and maintains files on consumers on a nationwide basis; and 4) requiring consumer credit reporting agencies to provide five years of free credit monitoring to affected consumers after any breach. North Carolina, of course, is not the first state to set its sights on the major consumer credit reporting agencies. Since Equifax’s 2017 breach, demanding free credit reports and credit monitoring services has become a flavor of the month for regulators.
Third, and finally, the bill will provide greater consumer transparency. Any company seeking to use or maintain a consumer’s credit report or score must disclose its reasons for seeking access to the information and obtain the consumer’s informed consent. Additionally, the bill will vest a consumer with the right to request from consumer credit reporting agencies a listing of the information maintained on him or herself, its source, and a list of any person or entity to which the information was disclosed.
We will monitor new legislation in North Carolina and provide an update on the finer points of the bill after it is introduced.