Originally in the Lincoln Times-News

January 10, 2018

Lincoln County state Rep. Jason Saine has been working with North Carolina Attorney General Josh Stein on legislation that will strengthen protections against identity theft.

“(Stein’s) liaison and I are friends and we were talking about what the attorney general was working on in casual conversation regarding the Equifax breach,” Saine, a Lincolnton Republican, said. “It became obvious that we could probably work together on something because the attorney general was a member of the (information technology) oversight committee during his time in the Senate … Knowing that tech and security are issues that we’ve worked together on in the past, the AG’s office reached out about working together on some type of legislation. We started this back in October or November, shortly after the announcement of the Equifax breach.”

Equifax, one of the three major credit bureaus, confirmed last year that up to 143 million customer records were breached in a hack over the summer. The legislation to be proposed by Saine is essentially an update to the state’s existing laws regarding identity theft protections.

“Last year, more than 5.3 million North Carolinians were estimated to have been affected by a data breach,” Stein said in a press release issued on Monday. “This number is staggering and unacceptable. North Carolina’s laws on this issue are strong, but they need to be even stronger. Rep. Jason Saine and I are partnering to do something about it.”

The existing law would be updated to include ransomware attacks, where a victim’s information is accessed, blocked and held for ransom.

“This is what happened with the recent incident in Charlotte,” Saine said. “As a result of this legislation, the breached organization must notify both the affected consumers and the attorney general’s office. That will empower the individual and the attorney general’s office to determine the risk of harm, rather than the breached organization, so that’s a shift in the law. By notifying citizens of the breach sooner, they’ll be able to more quickly take action to prepare themselves.”

The new legislation would also include tighter data protection, which would impose a duty for businesses that own or license personal information to implement and maintain reasonable security procedures and practices. In addition, the definition of protected information would be expanded to include medical information and insurance account numbers.

Finally, the potential new legislation would also increase consumer protection following a breach, requiring a breached organization to notify the attorney general’s office of the matter within 15-30 days, although that number is subject to change as the updated laws go through the legislative process. Currently, breached organizations are required to report the matter “within a reasonable timeframe,” which leaves the law up for interpretation.

“Making sure that the consumer is notified in a more timely manner will allow them to freeze their credit across major reporting agencies and then take other preventative measures once we know that identity theft has occurred,” Saine said. “The change in laws would also allow the consumer to have access to three free credit reports that they can monitor and see what’s happening.”

There were over 1,000 data breaches reported to the North Carolina Attorney General’s Office in 2017. Of those, approximately half were hacking breaches, while phishing scams also increased significantly as well. The most commonly stolen information includes full names, dates of birth, Social Security numbers and driver license numbers, according to Stein.

“The sophistication of state actors, foreign states that are trying to penetrate and obtain data and information, has increased,” Saine said. “Part of the boost in breaches is just an increase in cyber warfare. Regardless of the national talk of who did what, we know that foreign governments are trying to obtain our citizens’ data, but there are also just more targets of opportunity. With our use of the internet of things, there’s more opportunity to create havoc through identity theft, breaches and hacks.”

The legislation crafted by Saine and Stein will be introduced in both houses soon and Saine expects to receive bipartisan support once that happens.