State Attorney General Josh Stein, already a leader of the national investigation involving the Equifax security breach, on Monday announced a probe of a widescale Uber data breach.

Stein, a Democrat, made the announcement at a joint press conference with state Rep. Jason Saine, R-Lincoln. Saine said he plans to introduce a bill in the special session that starts Wednesday to toughen state laws targeting identity theft.

Stein also released the North Carolina Security Breach Report 2017, the first from the state Department of Justice. It found 1,022 breaches last year — a 15 percent increase from 2016 — affecting 5.3 million North Carolinians. That represents two out of three adults.

Since 2005 more than 14.2 million North Carolina residents have been victimized in 4,945 security breaches. Hacking accounts for 50 percent of all unauthorized data access, and increased 3,500 percent since 2006.

Stein told Carolina Journal after the press conference North Carolina has sound identity theft laws, but must enforce them. Saine’s bill “will be a gold standard piece of legislation across the entire country.”

Stein would not specify how much it might cost to enforce provisions in the bill.

“All entities out there need to be constantly vigilant about what technology exists that the thieves can exploit to steal our information, and they need to be one step ahead,” Stein said. “That’s just a cost of doing business, whether it’s the government or the private sector.”

During the press conference he said a security breach at Uber, the app-based transportation company, exposed personal information of 57 million drivers and riders.

Stein sent a demand letter to Uber for information about the cyber crime, saying he would take legal action if necessary.

Stein is on the executive committee of 48 state attorneys general investigating the Equifax breach that occurred last year from May to July. That case accounted for many of the more than 5 million North Carolinians victimized last year by data breaches. The Equifax breach affected 143 million Americans.

“That work is ongoing, and I will take whatever legal action is appropriate” against the company, Stein said. He has sent letters to Equifax demanding more information on how the unauthorized intrusion occurred, and what the company is doing to protect affected consumers.

He sent letters to Experian and TransUnion, the other two major credit reporting bureaus, seeking information on their security processes, and how they plan to protect consumers’ private information.

North Carolina law requires all entities experiencing a breach to notify affected consumers and DOJ. But the language is ambiguous, stating notification must be made “within a reasonable amount of time.” Saine’s bill requires notification within 15 days of a breach.

Equifax waited 40 days after learning of its breach to notify consumers. Uber waited more than a year.

CJ earlier questioned the “reasonable time” language in reporting on a state Department of Health and Human Services data breach, and asked whether state agencies were notifying victims promptly. There were 250 data breaches among state agencies last year, a record.

“These delays are unacceptable. Every day a consumer is unaware of a breach is another day that a criminal can be accessing and using your personal information to take out credit in your name, and ruin your good credit standing,” Stein said.

Saine said his legislation still was being drafted at press time. But he said its provisions include:

  • Redefining data breach to include new attack methods.
  • Requiring businesses to maintain reasonable security procedures and practices for consumer data.
  • Allowing consumers to put a free credit freeze on their credit report at any time to prohibit a thief from using stolen information.
  • Providing access to three free credit reports from each consumer reporting agency after a breach.
  • Requiring consumer reporting agencies to provide five years of free credit monitoring to victims of a breach.

Under the legislation, any company experiencing a data breach that did not maintain reasonable security procedures would violate the Unfair and Deceptive Trade Practices Act. Each victim would represent a separate violation.  

Doug Dickerson, state director of AARP North Carolina, said Saine’s bill is long overdue. Cyber thieves are increasingly targeting senior citizens because they tend to have more money in more accounts than young people, and aren’t as savvy about protecting their data.