AG, lawmaker crafting data breach bill

Attorney General Josh Stein is working with a state legislator to put together a bill that would create new requirements for North Carolina companies and government agencies to follow in protecting personal data from security breaches.

The recent Equifax breach debacle and statistics showing that identity theft is on the rise in the Tar Heel State spurred Stein to begin working with state Rep. Jason Saine, a Republican based in Lincoln County, on the pending consumer protection legislation. Stein expects that the bill will be filed when the legislature convenes in May for the short session.

Saine, who works as a public relations and social media manager, chairs the Joint Legislative oversight Committee on Information Technology, which Stein served on when he was a state senator.  

“Last year, two out of three adults in North Carolina were affected” by data breaches, Stein said in an interview. “We want to make sure governmental entities and businesses understand that they have a duty to safeguard people’s information. If they’re collecting data they need to take serious steps to protect it.”

While the bill is a work in progress, Stein said it would create a legal standard for the “reasonable practices” that data collectors must implement to protect personal data. No such requirement currently exists under state law, according to Stein.

The proposal also is expected to have a provision that would require businesses and governmental entities to notify people who have been affected by a breach within a certain amount of time. Stein said he’s considering a deadline of 15 days. The current law states, rather ambiguously, that notification must be made “without reasonable delay,” Stein said.

He added that he and Saine also want all state residents to have the option to request free security freezes on their credit to prevent identity thieves from opening accounts in their names. Freezes can be requested for free online, but Stein said residents also should be able to make the requests by phone or mail.

Stein recently met with Charlotte Chamber of Commerce members, from financial services firms to hospital systems and energy companies, to discuss the data protection bill, which would be the first major update to the state’s identity theft protection laws since they were enacted in 2005.

“I wouldn’t say that there’s been opposition” to the proposal, Stein said. “We want to come up with a proposal that makes the most amount of sense. When we do that the business community will be fine with it and embrace it. This is in everyone’s interest.”