Originally published on January 12, 2018 9:22 am
More than half of North Carolinians were affected by personal data breaches in 2017. This month the North Carolina Department of Justice announced that the number of people hit in 2017 was seven times the number affected in 2016.
Attorney General Josh Stein said Monday that he would support a forthcoming bill by Rep. Jason Saine (R-Lincoln). The proposed legislation would bolster consumer protections, include quicker notifications for personal breaches, and require companies to provide free credit monitoring after a breach happens.
Host Frank Stasio talks with Saine about what his bill would include and what kind of response he has gotten. He also speaks with Laurie Williams, professor of computer science at North Carolina State University.
Rep. Jason Saine (R-Lincoln) on why earlier consumer notification matters:
From a consumer standpoint, [the bill] allows for quicker consumer notification, because one of the things that we know is the sooner you know that there's been a data breach the better it is for a citizen to take steps to protect their data and protect their financials and everything else.
Saine on how little legislation exists requiring consumer protections against data breaches:
North Carolina has some of the better laws. But by and large it's a body of work that really hasn't been addressed from a state legislative standpoint, and really from a national standpoint, as we saw with the Equifax breach or the Uber breach, which took over a year to notify customers. And I, being one of them, obviously am concerned about that. So there's not a lot of work already in this space, and it's something that really does have to be addressed.
Computer scientist Laurie Williams on what causes personal data breaches:
Eighty percent of all successful attacks are when a consumer makes a mistake. And so that's what we have to, as a society, become much more suspicious, much less trusting of what we come across, so that we can stop that. From a computer science standpoint, what I tell my own students is, we can't expect to train the whole universe in being secure, so we have to come up with better ways, as computer scientists, to protect the consumers.
Williams on companies' responsibility to notify consumers about breaches:
There's a balance there, and I appreciate the bill, and I appreciate every pressure that software vendors will have to developing more secure software. But the balance between notification that needs to be struck is that you want the person who's been breached to have an opportunity to fix the hole first, because as soon as you notify of the breach, what you're really doing is notifying the attackers.