February 21, 2018
While some may be wringing their hands over members of the legislature who just can’t seem to get along, North Carolinians have reason to hope that bipartisanship is not a thing of the past. On Jan. 8, 2018, Democratic Atty. Gen. Josh Stein and Republican State Rep. Jason Saine said they are working together to draft legislation designed to strengthen North Carolina’s laws on data breaches. If passed, the measure would have a considerable impact on how employers handle their employees’ and customers’ sensitive information.
The Underlying Problem
The Stein-Saine announcement followed release of an annual report showing that the number of North Carolinians estimated to have been affected by data breaches grew by 15 percent from 2016 to 2017. “As more and more of our daily activities involve digital interactions, ensuring the safety of North Carolina’s citizens’ data is of critical importance,” said Saine. In the wake of the infamous and staggering Equifax data breach, which exposed the sensitive personal information of an estimated 143 million Americans, it’s not hard to guess why data security has become a top priority for Saine and Stein.
But cyberattacks are no longer solely the problem of the Targets and Ubers of the world, both of which were also hit by high-profile data breaches. Cybercrime has become a comprehensive business, striking institutions of all sizes – including small to medium businesses – and in a myriad of different industries. But just because these attacks don’t discriminate based on the size of a business doesn’t mean a breach won’t cost you. If your security is compromised, you are looking at regulatory fines, legal fees, consulting fees, notification fees, and liability, to say nothing of the interruption to normal operations, theft of any intellectual property, and reputational damages that could result.
The working title of the proposed Stein-Saine legislation is “Act to Strengthen Identity Theft Protections,” and it’s set to be introduced in May. While the public hasn’t yet seen a draft of the bill, the two authors have released a Fact Sheet outlining the measure. Here are the highlights for employers:
- Imposition of an affirmative duty to implement and maintain reasonable security procedures and practices.
- Consumer notification within 15 days from when a consumer’s or employee’s personal/protected information has been compromised by a security breach.
- A new definition of “security breach” that will include unauthorized access to or acquisition of personal information. This will cover ransomware attacks where information is accessed, but not necessarily acquired.
- An updated definition of “protected information” that will include medical information and insurance account numbers.
- A provision stating that businesses who fail to maintain reasonable security procedures will have committed a violation of the Unfair and Deceptive Trade Practices Act.
  - This gives rise to a private cause of action for the affected employee or consumer. The successful claimant is entitled to treble damages and attorneys’ fees.
Perhaps the most notable of these measures are the tight 15-day reporting window and the requirement to establish “reasonable security procedures and practices” or else face a claim for unfair and deceptive trade practices.
Fifteen days may seem like plenty of time for notification, but this window likely includes identifying the breach and amassing enough information so that when affected individuals are informed, businesses can report on the extent of the damage and the remedial measures taken. All of this takes time, and the short window makes a business’s security infrastructure all the more important.
For example, a common time frame for addressing a data breach today would be about 60 days from breach to discovery; eight days from discovery to containment; 40 days to complete a forensic investigation; and 41 days from discovery to notification. The proposed 15-day window tightens that time frame significantly, particularly if Stein and Saine intend to tie the window to the date of the breach rather than the date of discovery.
Then there’s this talk of establishing “reasonable security procedures and practices.” What are those? Although the information about the upcoming bill does not clarify what measures will qualify as sufficiently “reasonable,” it is a good idea to get started on reviewing and improving protocols rather than awaiting the draft with bated breath and then scrambling in May to comply.