In 2018, the last two states (Alabama and South Dakota) passed data breach laws. This means that as of January 2019, all 50 states now have data breach notification laws requiring businesses to report data breaches affecting their organization. Similarly, a number of states (as New York did for financial companies) are beginning to pass laws that require security testing and a minimum baseline of cybersecurity controls for certain organizations. As a penetration testing firm located in Charlotte, North Carolina, we decided to write a blog on North Carolina’s specific laws and discuss whether there are any North Carolina penetration testing requirements that you need to be aware of.
North Carolina Data Breach Notification
Senate Bill 1048 – 2005
In 2005, North Carolina passed the Identity Theft Protection Act, which defines a data breach as the unauthorized acquisition of or access to unredacted or unencrypted records of data containing personal information, where that access could create a material risk of harm to a consumer. Under the 2005 statute, organizations are required to notify the state consumer protection bureau of breaches affecting more than 1,000 people. In addition to notifying the state consumer protection bureau, businesses are required to notify the affected users and allow them to place a freeze on their credit report. Finally, the business itself must take “reasonable” measures to protect against unauthorized access in the future.
In 2009, the NC data breach notification law was amended. The amendment removed the 1,000-person threshold, meaning organizations must notify the attorney general of any data breach. Additionally, more details are required in the notification, including a description of the incident, the type of data that was breached, and the measures the organization has taken to prevent it from happening again.
2019 Forecasted Changes
On January 17, 2019, NC Attorney General Josh Stein held a press conference announcing a plan to introduce more stringent data breach legislation. This new bill is expected to be introduced this year, and is expected to receive bipartisan support given the strong public interest in protecting the personal data of North Carolinians. The new legislation, if approved, will require organizations to report a data breach within 30 days, and more importantly, the act will state that any business that suffers a data breach while failing to maintain reasonable security measures has committed a violation of North Carolina’s Unfair and Deceptive Trade Practices Act (UDTPA).
North Carolina Penetration Testing Requirements
Although there is no direct requirement for a company in the state of North Carolina to conduct penetration testing, the newly proposed changes to the state breach notification laws mean that any data breach could have a significant impact. Specifically, because any breach will result in a mandatory notification, a breach could have severe consequences for an organization’s reputation. Additionally, there are direct financial impacts, such as the cost of offering credit monitoring services and any fines levied by the state.
Under the current data breach notification law, organizations are required to implement controls to protect the sensitive information they possess. The best way to prove an organization is doing its due diligence when it comes to protecting this information is to perform annual penetration testing. Besides simply demonstrating that you take security seriously, it’s one of the best ways to understand the level of risk your organization faces and to evaluate the effectiveness of the security controls you currently have in place. During a penetration test, a trained engineer will emulate the real-world attacks you are likely to face. Can an attacker access the information you are protecting, and if so, what steps can you take to prevent it?
The Advantages of a North Carolina Penetration Testing Firm
As a company in North Carolina, you do not necessarily need to find a penetration testing firm that is based in North Carolina. At this time, and in the proposed legislation, there is no such thing as a “North Carolina certified tester.” However, choosing a firm in your area does have some specific advantages. First, by choosing a North Carolina firm, travel costs are significantly reduced or eliminated altogether. Depending on the type of penetration test you are looking for, an engineer may have to travel to your organization to perform the test. Additionally, by choosing a local firm, it is easier to have the results of any testing delivered in person. This allows us to come onsite, walk through the findings with you, make sure you fully understand the risk of the identified vulnerabilities, and talk through the best way to mitigate that risk. Finally, with a local security firm, we are able to pop over for quick visits, if they become necessary, during follow-ups or when you’re looking at a new project.