Add South Dakota (site of Ballard’s newest office) and North Carolina to the list of states considering new data security legislation. South Dakota is poised to become the 49th state to enact a data breach notification law, while North Carolina is considering a very significant expansion of its existing law.
Will South Dakota Become No. 49?
The South Dakota Senate passed SB 62 on January 25, 2018. The bill, which now heads to the South Dakota House of Representatives, generally would require an “information holder” to notify South Dakota residents of any “breach of system security” involving their “personal or protected information.” Subject to certain exceptions, notification to South Dakota residents must be made “not later than sixty days from the discovery or notification of the breach of system security.” The South Dakota Attorney General and “all consumer reporting agencies as defined in 15 U.S.C. § 1681a” also must be notified of breaches involving more than 250 South Dakota residents. Notification to South Dakota residents is not required “if following appropriate investigation and notice to the attorney general, the information holder reasonably determines that the breach will not likely result in harm to the affected person.”
Many of the definitions in the South Dakota bill follow mainstream provisions in other states. “Breach of system security,” for instance, is limited to “unauthorized acquisition” (as opposed to unauthorized access) of unencrypted computerized data or encrypted data where the decryption key is also acquired by an unauthorized person. “Information holder” includes “any person or business that conducts business in the state” and owns or retains “personal or protected information” of South Dakota residents. “Personal information” includes first name/first initial and last name in combination with: (1) social security number; (2) driver license number/other unique ID created or collected by a government; (3) financial account number, in combination with an access code/routing number; (4) health information as defined in HIPAA (45 C.F.R. § 160.103); employee ID numbers, in combination with an access code or biometric data. “Protected information” includes: (1) “a user name or email address, in combination with a password, security question answer, or other information that permits access to an online account” and (2) financial account number, in combination with a “required security code, access code or password that permits access to a person’s financial account.” It is not clear why South Dakota is considering separate definitions of “personal” and “protected” information – or why the “financial account number” definitions within these two sub-sections differ.
The bill authorizes the Attorney General to “prosecute each failure to disclose under the provisions of this Act as a deceptive act or practice under § 37-24-6,” and to bring a civil action seeking a maximum penalty of $10,000 “per day per violation.” The Attorney General also may recover attorney’s fees and costs associated with bringing such an enforcement action.
Will North Carolina Expand Its Existing Data Security Law in Big Ways?
North Carolina Attorney General Josh Stein and State Representative Jason Saine have announced their intention to introduce an “Act to Strengthen Identity Theft Protections” during the General Assembly’s May 2018 session. At the same news conference, Attorney General Stein announced that his office has opened an investigation into Uber’s recent disclosure of a 2016 data breach.
An accompanying Fact Sheet outlines a number of proposed changes to existing North Carolina law. One big change is a proposed amendment to the definition of “security breach” – to include “unauthorized access to or acquisition of . . . personal information.” Substituting “or” for “and” (which appears in the current definition) is intended to bring ransomware attacks within the definition of “security breach.” Like North Carolina’s current statute, a number of states limit their “breach” definitions to “unauthorized access and acquisition” of protected information.
North Carolina would become just the fifth state (along with Connecticut, Florida, New Jersey, Rhode Island and the Commonwealth of Puerto Rico) to include “unauthorized access” as a standalone form of breach. If enacted, this change would be consistent with 2016 guidance issued by the U.S. Department of Health & Human Services, stating that OCR presumes that a ransomware attack triggers “breach” notification obligations under HIPAA.
The North Carolina proposal also would impose a 15-day deadline to notify the North Carolina Attorney General and impacted North Carolina residents of any “security breach,” making it one of the shortest notification deadlines for any type of protected data in any state. North Carolina also would join 12 states that set specific notification deadlines (Delaware, the “First State,” will be the thirteenth to set a specific notification deadline when its amended law takes effect in April 2018).
The North Carolina proposal also follows a recent trend of creating an obligation to maintain “reasonable security procedures and practices” that exists independently of the breach notification requirement. Currently, at least thirteen states have similar requirements, with Delaware set to become the fourteenth state to impose such in April 2018. North Carolina also would follow another recent trend by adding medical information and insurance account numbers to the types of protected personal information.
The violation of either the obligation to maintain reasonable security procedures and practices or to provide timely notification of a “security breach” will constitute a violation of the Unfair and Deceptive Trade Practices Act. A separate and distinct violation will arise as to each person affected by a breach. The remedies available under the North Carolina Deceptive Trade Practices Act bear noting. The Attorney General may seek civil penalties of up to $5,000 per violation, with continuing conduct constituting a separate violation per week. In addition, any person injured as a result of the violation of the Act may maintain a private right of action, in which they will be entitled to treble damages and may be awarded attorney’s fees and costs.
North Carolina residents also would become entitled to three, free credit reports from each consumer reporting agency, and would have the right to place and lift credit freezes at any time, for free. Expressly using the Equifax breach as an example, the Fact Sheet notes that any consumer reporting agency that suffers a breach will be required to provide five years of free credit monitoring to affected persons.
Attorney General Stein also released an annual report detailing 1,022 data breaches (impacting more than 5.3 million North Carolinians) reported to his office in 2017. Among the key findings:
- Hacking breaches accounted for about half of all breaches this year, nearly doubling from five years ago
- Since 2006, reports of hacking have increased by more than 3,500 percent
- Phishing scams also increased in 2017, from 1.76 percent to 24 percent
- The most commonly stolen information includes full names, dates of birth and Social Security, driver license, credit card numbers.