North Carolina’s lawmakers will consider legislation first introduced by Attorney General Josh Stein and Representative Jason Saine. The proposed law would redefine the term “data breach” and give companies 30 days to report breaches to consumers.
For healthcare providers, this is shorter than the HIPAA timeframe, which requires that breach notifications go out within 60 days. According to the proposal, this gives consumers additional time to freeze their credit and take steps to prevent identity theft.
The law extends the definition of a breach to include ransomware attacks, a big change for healthcare providers, who have recently been targeted by hackers.
Consumers gain a number of protections, including the following.
The bill expands consumers’ right to information about the breached data, as follows.
North Carolina hosts the headquarters of many credit card companies and financial institutions, and the legislation follows a dramatic rise in breaches throughout the state. According to Health IT Security, 1.9 million North Carolina residents were compromised in 1,047 breaches in 2018. This was a 3.4 percent increase over 2017.
This is the second attempt to tighten privacy laws in the state. If this bill passes, North Carolina would join several other states that have passed similar laws to combat digital thieves. For example, Colorado passed legislation to shorten its breach notification to 30 days in 2017, and Iowa is proposing a 45-day deadline to notify consumers.
On the national front, lobbyists and some Congress members are also calling for more protection for consumers whose data has been compromised. For instance, the Information Technology and Innovation Fund has suggested scrapping the hodge-podge of privacy regulations, such as HIPAA, in favor of more unified federal privacy laws.