If you’ve been reading our amazing blog content and whitepaper on breach notification laws in the US and worldwide, you know there’s often a hidden loophole in the legalese. The big issue — at least for data security nerds — is whether the data security law considers mere unauthorized access of personally identifiable information (PII) to be worthy of a notification.
This was a small legal point until something called ransomware came along.
Get the Free Essential Guide to US Data Protection Compliance and Regulations
You have heard of ransomware, right?
It’s that low-tech, but deadly malware that accesses data and encrypts it. To get the data back, the victim has to send a couple of bitcoins to the digital extortionists.
But at the US state level, the difference between access alone and access and acquisition — the legal verbiage for copying — in a notification law determines whether the breach is to be reported to local authorities.
Based on my own research, I could only find a few states for which a ransomware attack would have to be reported locally. I should add that even for states that allow for just unauthorized access of PII, there’s often an additional “harm threshold” to the consumer—financial or credit risk, for example— that would have to be met, and so would rule out a pure ransomware attack in which the data wasn’t copied.
After factoring this in, I found only three states for which a ransomware attack ipso facto — I finally get to use that phrase! — would require a notification: New Jersey, Connecticut, and Virginia.
North Carolina: Laboratory of Democracy!
But wait, a legislator in the great state of North Carolina along with the attorney general last month proposed a change to the statutory language defining a breach.
This tweak moves NC from a state that considers a breach to be unauthorized access and acquisition — see section 75-61 (14) of its statutes — to unauthorized access or acquisition.
Now NC joins the aforementioned club for which ransomware attacks will by themselves force companies to notify authorities and consumers.
The new law will also change the time window in which the data breach will have to be reported after discovery. Searching through a huge PDF table of state breach laws, I can say most if not all states ask that a breach be reported “without unreasonable delay.”
Obviously, these words can be subject to interpretation. The proposed NC law instead sets the time limit to just 15 days.
I’m not aware of any other state that has a specific deadline.
The new law also adds consumer-friendly language that makes credit freezes — remember the outcry after Equifax — free upon request. Up to five years of credit monitoring will also be free of charge.
The law is supposed to tighten the rules on fines as well.
We’ll have to wait for the legislation to be reviewed and approved before we have the final legal details.
We’ll keep you posted.
North Carolina Has Lots of Breaches
On looking at their 2017 annual breach report produced by their Department of Justice, I was surprised to learn that over 1000 breaches were reported in this state alone.
That’s an incredibly large number. For comparison purposes, take a peek at California’s breach report for the years 2012- 2015. The incident counts are dramatically smaller— 178 in 2015.
I’m not sure what explains the difference. But perhaps NC clearly has lots of law-abiding businesses, especially consumer-facing ones holding PII.
By the way, the current NC law covers an extensive list of identifiers, not only the usual social security, driver’s license, and account numbers, but also PINs, online passwords, digital signatures, and email addresses. This broad PII definition may have something to do with the NC data breach reporting spike we’re seeing.
In any case, if you combine their generous list of PII and the newer breach notification rules, then you’ll have to admit that NC has upped its digital security game and may even be number one, moving past the formidable California and its tough breach law.
And of course, go Wolfpack.
What to be a legal eagle amongst your IT security peers when it comes to breach notification laws and ransomware? Download our comprehensive white paper on this fascinating subject!
Andy blogs about data privacy and security regulations. He also loves writing about malware threats and what it means for IT security.