This article was written for our sponsor, Technology Associates.

In many ways, the Internet is a modern Wild Wild West. It’s largely deregulated, so to an extent, both users and companies are able to do as they please. Of course, along with this “anything-goes” philosophy, there also comes the significant risk of data breaches, largely due to lax federal and state regulations regarding consumer privacy.

Currently, there are no federal laws on consumer data privacy that apply to all businesses. In other words, if you supply personal information to a company and that information is somehow hacked, the company has no general obligation to inform you of the breach. Exceptions to this rule include businesses that fall under Health Insurance Portability and Accountability Act (HIPAA) regulations, as well as financial institutions governed by the Financial Industry Regulatory Authority and the Gramm–Leach–Bliley Act.

Since the federal government still lacks comprehensive regulations, several states have taken matters into their own hands, introducing legislation that would force companies to take responsibility for data breaches that lead to compromised consumer information.

While 47 states have their own varying data breach legislation, California is leading the charge in this movement. In 2018, the state enacted and signed into law the California Consumer Privacy Act (CCPA), although the legislation didn’t take effect until Jan. 1.

Under the CCPA, businesses are required to disclose any personal information they collect and how it will be used. Additionally, consumers are granted the right to request deletion of information, details on how their information is being used, and the right to prohibit the sale of their information to a third party.

When collecting information on consumers ages 13 to 16, businesses must gain explicit consent, and for consumers under 13, parental consent is required. For many states, this bill will set the tone for future legislation.

“I’m no legal expert, but my guess is that everyone is waiting to see what happens in California,” said Eric Hobbs, CEO of Technology Associates. “They’re going to either copy most of that or wait for something from the federal level to come down because it’s not realistic to have every single state with different data protection standards.”

In North Carolina, proposed House Bill 904 was introduced in April 2019 and has been making its way through the legislative process since then. The primary purpose of the bill is to protect the personally identifiable information of North Carolina residents, meaning that a company falls under the legislation whenever a North Carolina resident is affected, even if the company isn’t located in-state.

There are several key components to the bill. First, any business that handles personally identifiable information (a term the bill amends and defines in detail) must have reasonable security procedures in place, and failure to do so will result in a fee and potential class action. In the case of a breach, the Attorney General’s office and all affected users must be notified within 30 days of discovery. Additionally, businesses affected by data breaches must offer free credit monitoring to their affected clients or customers.

While previous attempts at this sort of legislation have fallen flat, Hobbs has higher hopes for HB 904.

“It will eventually get pushed further along even though it’s been sitting there for a while,” Hobbs said. “I think whether North Carolina passes its own legislation will depend on what the CCPA does or if there’s eventually a U.S. version of GDPR [the EU’s data breach laws]. I’m guessing that the federal government will get involved soon.”

Hobbs is right. While protections at the state level are vital, as a greater number of states enact legislation, it becomes difficult to keep up with which laws apply to which consumers, making federal involvement a necessity. For Hobbs, the perfect federal model for data breach protection already exists: the EU’s comprehensive General Data Protection Regulation, which features 99 in-depth articles on rules for businesses and rights guaranteed to individuals.

Already, there’s been a greater shift toward accountability on a national level, despite no official legislation being in place.

For example, just a few years ago the massive Jackson Health System in Miami received multiple HIPAA fines after egregious violations, including an employee who stole and sold private records, the misplacement of hundreds of documents, and violations of patients’ privacy. Not only did Jackson Health System fail to provide timely notifications, but it also had poor security measures in place. In the end, it was fined upwards of $2 million.

As cybersecurity threats become a bigger issue for large companies and small businesses in the United States, the government will likely continue to make examples of those who allow consumers’ private data to be leaked, whether specific legislation is in place or not.

“At the end of the day, the state and federal governments are done accepting excuses from a company that exposes sensitive data of their citizens. Businesses need to understand that gone are the days when you could paper over data breaches,” Hobbs said.

Protecting against data breaches not only helps ensure the privacy of consumer information, but also helps companies avoid exorbitant fines, and, given the current trajectory of North Carolina legislation, failing to protect that information could soon constitute additional legal violations.