The Privacy Advisor

Josh Stein was sworn in as North Carolina’s Attorney General in 2017. Before serving as attorney general, Stein served as a state senator (2009-2016) and as a senior deputy attorney general (2001-2008) in the North Carolina Department of Justice. Throughout his tenure as attorney general, Stein has made consumer fraud protection a top priority. Specifically, Stein has shown a clear commitment to data privacy and security through his advocacy for strong protection of individuals’ personal information, both in North Carolina and on the national stage. Here, Stein shares his vision for smart data use and protection in North Carolina.

Authors: Divonne Smoyer, Kimberly Chow

The Privacy Advisor: What are your priorities within the realm of data privacy and security for North Carolina? What regulatory trends do you expect to emerge generally, in 2018 and beyond?

AG Stein: Protecting the people of North Carolina, including their data, is a top priority for me. As we all increasingly live our lives online, people need to be able to trust the technology they’re using. It is my duty to hold companies accountable when they fail to uphold the privacy standards of North Carolinians. There are a few different ways we’re taking action on that this year. First, I’m serving in a leadership role in several multi-state investigations regarding data breaches. In particular, I’m alarmed when companies hold back information about breaches from their customers. People need to know as soon as possible that their data may be compromised so that they can take action and freeze it.

Second, I’m also working with Representative Jason Saine in the North Carolina General Assembly on legislation to tighten up our data security laws. North Carolina has strong laws on this issue, but they could be improved. Some key tenets of The Act to Strengthen Identity Theft Protections are updating what constitutes a security breach so that ransomware attacks fall under the statutory definition, requiring breach entities to notify my office and affected consumers within 15 days of the breach, and requiring businesses to take appropriate steps to protect a consumer’s personal information so that consumers are better protected on the front end, hopefully preventing a breach from ever occurring.

The Privacy Advisor: On that subject, can you explain the motivation behind co-authoring The Act to Strengthen Identity Theft Protections, the importance of bipartisan cooperation on these issues, and whether you recommend that these sorts of amendments be made to more states’ data breach laws?

AG Stein: In 2017, there were more than 1,000 security breaches affecting more than 5.3 million North Carolinians. Those numbers are on the rise. While the current laws in North Carolina are strong, Representative Saine and I partnered together to try and make them even stronger with the Act to Strengthen Identity Theft Protections. Our legislation has a quick notification period. The quick notification period allows consumers to freeze their credit across all major credit reporting agencies and take other measures to prevent identity theft before it occurs. It is important to note that other states have begun passing legislation to require quicker notification. Colorado just passed a law requiring notification within 30 days, and Alabama, Arizona, Maryland, and Oregon all just passed legislation requiring notification within 45 days. Another key part is requiring businesses to take reasonable measures to protect personal information so fewer security breaches happen in the first place.