You may have seen news reports this year about large-scale customer data breaches at companies like Home Depot, Target, eBay, and P.F. Chang’s. Many times the affected company waits to announce the data breach to the public, fearing bad press and future customer distrust. What many people don’t know is that the law in most states, including North Carolina, protects consumers against companies that fail to adequately protect their personal data.
According to a report released this month by research company Navigant, it takes corporations an average of 56 days to announce a data breach after discovering it. The information stolen by hackers often includes bank information, customer names, and customer addresses, and within weeks the victims see large unknown charges on their credit cards. This lengthy amount of time gives criminals ample opportunity to either use the customer information for illegal purchases, or sell the information on the black market. There were over 320 major breaches in the last year affecting well over 6 billion personal records, and the sluggish response time exacerbates the pain felt by consumers.
Recently, Kentucky became the 47th state to pass a data breach notification law, and Florida updated its existing rules to shore up consumer protection. With widespread publication of data breaches, Congress, the Federal Trade Commission, and state attorneys general are starting to take notice.
North Carolina in particular passed legislation back in 2005 that requires organizations that own customer data to report breaches to affected consumers and to the North Carolina Attorney General’s Office “without unreasonable delay.” If a company simply stores customer data and does not own it, the business must inform customers immediately of a data breach.
North Carolina law even outlines the exact type of notice the company must send to consumers. The notification must include a description of the data stolen, a description of the incident, what steps the business is taking to protect against further hacker intrusions, and even toll-free numbers for major credit reporting agencies.
If a North Carolina business fails to uphold its obligations under the state’s data protection law and a consumer suffers a financial loss, that consumer has the right to file suit against the business to recoup their losses.