In a bid to improve data protection measures, a new bill centered on consumer data protection has been proposed in North Carolina (NC).
Proposed by Attorney General Josh Stein and Rep. Jason Saine of NC, the bill focuses on redefining data breaches in the state, along with their prevention and mitigation.
The proposal also requires companies to justify why they need user data.
Increasing ransomware attacks
As ransomware attacks continue to soar around the world, the state of NC has taken precautions and the proposal is a step in that direction.
The bill proposes to classify ransomware attacks as ‘breaches’.
“The new definition will now include Ransomware attacks – attacks when personal information is accessed but is not necessarily acquired. As a result, the breached organization must notify both the people affected and the Attorney General’s office,” stated the fact sheet for the bill.
Furthermore, business entities need to mention their security procedures in order to protect consumer data.
Improved action on breaches
The second section of the bill states that breach notifications must be sent to the relevant entities within 30 days.
According to the bill, notifications ‘will allow people to freeze their credit across all major credit reporting agencies and take other measures to prevent identity theft before it occurs.’ Frozen credit will then prevent attackers with stolen information from advancing further.
The bill proposes to provide credit freeze services to all citizens. "People will be able to place and lift a credit freeze on their credit report at any time, for free. A credit freeze will prohibit a thief from using stolen information to open any new credit lines under the victim’s name," stated the bill fact sheet.
Moreover, the fact sheet added, "Credit agencies will also be required to put in place a simple, one-stop shop for freezing and unfreezing credit reports across all major consumer reporting agencies without the person having to take any additional action."
Apart from this, consumer reporting agencies that suffer a breach must provide four years of credit monitoring, while businesses must provide two years of monitoring following a breach.
In addition, companies failing to incorporate adequate security measures will be penalized and incur a violation under the Unfair and Deceptive Trade Practices Act.
Importance of consent
On the matter of citizens' credit data, the fact sheet states that, "The businesses seeking to obtain or use a person’s credit report or credit score will need the person’s permission and must disclose the reason for seeking access to the information."
Finally, consumers are given priority when it comes to seeking information. The people of NC will now have the right to request what part of their information is used by businesses.