North Carolina Introduces New Data Breach Legislation

Written by: Richard Sheinis, Esq.

On January 8, 2018, North Carolina Attorney General Josh Stein and State Representative Jason Saine proposed new data breach legislation entitled the “Act to Strengthen Identity Theft Protections,” which would update the current North Carolina data breach law. The legislation is a response to the recent data breaches at Equifax and Uber, the latter of which Uber allegedly concealed for several months.

While this legislation has several appropriate and reasonable provisions, such as requiring businesses to have reasonable security procedures to protect consumers’ personal information, this post will address two ill-considered and unrealistic requirements of the proposed legislation.

First, the new legislation requires a business to notify the Attorney General’s Office and affected consumers within fifteen (15) days of discovery of a security breach. Having handled well over 100 data breaches, I can tell you that it will be almost impossible for well-meaning businesses to meet this deadline in any breach that involves an appreciable number of affected individuals. Determining the extent of the computer breach, identifying affected individuals, obtaining up to date contact information for these individuals, potentially setting up credit monitoring, and preparing and sending notification letters is logistically next to impossible to accomplish within fifteen (15) days. In an overreaction to prior breaches, the Legislature is setting up thousands of North Carolina businesses to violate this law. I would be interested in knowing how many data breaches the authors of this legislation have ever been responsible for handling. The authors of the legislation need to remember that businesses which are “hacked” are victims of crime themselves. Unfortunately, this legislation treats businesses as the criminal, no matter their efforts to protect against hackers.

The second major problem is that ransomware is included as a security breach requiring notification of the Attorney General and affected consumers. The justification for this requirement is that it will allow the affected person and the Attorney General’s office to determine the risk of harm, rather than leaving this determination up to the breached business.

Ransomware encrypts information in the possession of the affected business, denying the business access to its own data rather than exposing that data to anyone else. In a pure ransomware incident the hacker does not access, view, or acquire the information; it stays where it was, in encrypted form. Encryption alone therefore does not put the information in a position to be used to harm the affected individuals. If other malware “piggybacks” on the ransomware, such as a tool that copies data out before it is encrypted, then the incident falls outside the definition of ransomware and can be evaluated as a security breach on its own terms. Ransomware also complicates all of the logistics mentioned above, because the very systems and records needed to determine the scope of the incident and to identify and contact affected individuals may themselves be encrypted, making it even more difficult to complete the required notifications within fifteen (15) days.

While it is appropriate to protect the citizens of our State, it is unfortunate that these aspects of the legislation are an overreaction. The legislation perpetuates the misperception that a hacked business is a criminal because it was hacked, rather than being the victim of a crime, and that the only victims are the affected consumers. Hopefully, these aspects of the legislation will be revised before becoming law.
