On April 17, 2019, a bipartisan group of North Carolina state representatives introduced a bill that would revamp existing law and require North Carolina businesses to take proactive steps to protect North Carolina residents’ personal information from data breaches. The proposed bill, HB 904, would apply to all businesses in North Carolina and, in addition to the already existing patchwork of federal and state laws, rules, and regulations that apply to specific industries, such as insurance, finance and healthcare. It would impose an affirmative duty that businesses “implement and maintain reasonable security procedures and practices.” In addition, the bill imposes a 30-day notice obligation upon the discovery or “reason to believe” that a breach of personal information has occurred.
But what does “reasonable security procedures and practices” really mean?
The bill states that the reasonable security procedures and practices should be “appropriate to the nature of the personal information and the size, complexity, and capabilities of the business, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
It is notable that drafters included the unauthorized access to personal information, the definition of which is also expanded in the bill. The unauthorized access proviso includes ransomware attacks that encrypt an organization’s data until a ransom is paid, typically in cryptocurrency. This unauthorized access of personal information during a ransomware attack would likely constitute a breach and therefore trigger the 30-day notice obligation. This is a significant addition to current law.
Additionally, the definition of personal information that requires the use of “reasonable security procedures and practices” is expanded and now includes health insurance information and any information regarding a patient’s “medical history or condition.” In this digital age, health records are extremely valuable, and arguably the most desirable information about an individual on the dark web since criminals can use a health record to make fake medical claims, purchase prescriptions or receive treatment under a false name. Since medical information cannot be “canceled” as easily as a credit card number, criminals have a larger window of time in which to exploit the information.
If HB 904 is passed and signed into law, the affirmative duty to maintain and use “reasonable security procedures and practices” could become a significant compliance requirement for your business.
So, what should an organization do now that this legislation has been introduced? Consider creating and implementing reasonable security procedures and practices at your organization even before this bill becomes law. Whether required by law or not, every organization should be proactive about their cybersecurity. For a list of TCDI’s top 10 cybersecurity best practices tips, click here.
If you have any questions or would like to learn more how to protect your business, please feel free to call us 336-232-5826 for a free, no obligation security consultation.
