Healthcare Information Security

Cybersecurity News

NC Data Breach Legislation Accounts for Ransomware Attacks

North Carolina introduced stronger data breach legislation that includes ransomware attacks in its definition of what constitutes a breach.

ransomware attack state data breach legislation

Source: Thinkstock

By Elizabeth Snell

- Following an increase in reported state data breaches in 2017, North Carolina’s attorney general and a state representative introduced data breach legislation to better protect individuals.

The updated Act to Strengthen Identity Theft Protections updates what constitutes a security breach and allows for tighter data protection, according to a fact sheet from the Attorney General’s office.

“Last year, more than 5.3 million North Carolinians were estimated to have been affected by a data breach,” Attorney General Josh Stein said in a statement. “This number is staggering and unacceptable. North Carolina’s laws on this issue are strong – but they need to be even stronger. Rep. Jason Saine and I are partnering to do something about it.”

The definition of a data breach now includes ransomware attacks, which “are when personal information is accessed but is not necessarily acquired,” the fact sheet explains.

“As a result, the breached organization must notify both the affected consumer(s) and the Attorney General’s office,” the fact sheet continues. “This will empower the affected person and the Attorney General’s Office to determine the risk of harm – not the breached organization.”

Business that that own or license personal information are also required to implement and maintain reasonable security procedures and practices.

Medical information and insurance account numbers are now included in the definition of protected information.

The updated legislation also requires that a breached entity notify affected consumers and the Attorney General’s office within 15 days.

Consumers will also be able to place and lift a credit freeze on their credit report for free and have access to three free credit reports from each consumer reporting agency. Any credit reporting agencies, such as Equifax, that experience a breach will need to provide five years of complimentary credit monitoring.

“A business that suffers a breach and failed to maintain reasonable security procedures will have committed a violation of the Unfair and Deceptive Trade Practices Act and each person affected by the breach represents a separate and distinct violation of the law,” the fact sheet stated. 

Greater consumer control was also stressed in the recent legislation. Individuals must grant permission for a company to obtain or use their credit report or credit score.

Additionally, consumers have the right to request what information a consumer reporting agency maintains. This includes credit and non-credit related data.

“As more and more of our daily activities involve digital interactions, ensuring the safety of North Carolina’s citizen’s data is of critical importance,” said Saine. “When there is a breach, we need to ensure that consumers are notified in a timely fashion and that they have the tools they need to protect their personal identity from bad actors.”

There were 1,022 data breaches reported to the attorney general’s office in 2017, according to a North Carolina data breach report. Half of those breaches were caused by hacking, with hacking incidents increasing by more than 3,500 percent since 2006.

Phishing scams also accounted for 24 percent of all reported breaches in 2017, the report showed. This is a 1.76 percent increase from 2015.

After hacking and phishing scams, the most common breaches reported to the state attorney general’s office in 2017 were accidental release or display of information and stolen computers and equipment.

General business was the sector that experienced the most data breaches in North Carolina, the report showed. That industry accounted for 536 breaches, followed by financial services and insurance (268 incidents), healthcare (117), and education (55).

“Security breaches put North Carolina consumers at risk of identity theft and financial fraud,” the report concluded. “Data security can be a challenging task for many businesses as more companies rely on larger amounts of data and as hackers become increasingly sophisticated. But protecting consumers’ sensitive, personal information must be a top priority for all organizations.”


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks

Continue to site...