States Propose New Data Breach Legislation
While U.S. senators are pushing for tougher federal data breach laws, two states have proposed legislation of their own.
If North Carolina passes its Act to Strengthen Identity Theft Protections, it could become one of the strictest jurisdictions for data security in the United States, according to the National Law Review. Regulations in the bill include:
- Ransomware attacks, such as the one that affected 57 million Uber users last year, would fall under this legislation. North Carolina would be the first state to explicitly include ransomware in its data security regulations.
- After an incident is discovered, companies would have only 15 days to notify consumers.
- If a credit reporting agency, such as Equifax, is breached, it will have to provide five years of free credit monitoring to affected North Carolinians. The current standard is a year of free credit monitoring, though many companies are not even making that offer.
South Dakota has also proposed stricter data breach legislation. The state’s Senate Judiciary Committee voted unanimously to advance Attorney General Marty Jackley’s bill, which would require companies to notify South Dakota residents within 60 days of discovery of a breach.
Companies would need to contact the attorney general directly if the breach affected more than 250 residents. Companies that comply with the rules of their primary regulator would be exempted from this requirement, as long as they followed the proper federal procedure.
If you do not live in one of these states, will the new regulations help you? Perhaps not immediately, but if stricter laws are successfully passed in North Carolina and South Dakota, other states may follow suit.