Data Privacy Map - North Carolina

Highlights

Covered Entities: Persons or businesses that own or license personal information in any form.

Consumer Notification: Notification must be provided to any North Carolina resident whose unencrypted and unredacted PI is accessed and acquired without authorization.

Regulatory Notification: Notification must be provided to the Consumer Protection Division of the Attorney General’s Office if any North Carolina resident is required to be notified of a breach.

Notification Timeline: Notification must be provided “without unreasonable delay.”

Data Format: Electronic.

Citations: N.C. Gen. Stat. §§ 75-61, 75-65.

More Details

Definitions:

• Breach: An incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing PI where illegal use of the PI has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. Any incident of unauthorized access to and acquisition of encrypted records or data containing PI along with the confidential process or key shall constitute a security breach.
• Personal information (PI):
  • An individual’s first name / first initial and last name in combination with one or more of the following data elements:
    • Social security number or employer taxpayer identification number;
    • Driver’s license, state identification card, or passport numbers;
    • Checking or savings account, credit or debit card number, or personal identification (PIN) code;
    • Passwords if such information would provide access to a person’s financial account or resources;
    • Digital signatures;
    • Fingerprints;
    • Biometric data; and
    • Electronic identification number, email names or addresses, Internet account number or Internet identification name, parent’s legal surname before marriage, passwords, or other information only if its use would permit access to a person’s financial account or resources.
• Medical Information: N/A
• Health Insurance Information: N/A

Safe Harbors:

• Encryption: Notification is not required where the potentially impacted PI was encrypted or redacted, so long as the encryption key was not also accessed or acquired.
• Good Faith: Notification is not required where the potentially impacted PI was acquired in good faith by an employee or agent, for the purposes of the relevant person, business, or agency.
• Risk of Harm: Notification is not required if illegal use has not and is not reasonably likely to occur, and the breach does not create a material risk of harm to an individual.
• Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.

Direct Notice:

• Timing: Notification must be provided in the most expedient time possible and without unreasonable delay, consistent with measures necessary to determine the scope of the breach and restore the integrity of the system.
• Format: The notice must be clear and conspicuous.
• Content: The notice must include a description of the following:
  • The incident in general terms;
  • The type of PI that was subject to the unauthorized access and acquisition;
  • The general act of the entity to protect the PI from further unauthorized access;
  • A telephone number that the person may call for further information and assistance, if one exists; and
  • Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
• Method: Written, electronic (for those with valid e-mail addresses and who have consented to receive communications electronically), or telephonic (provided that contact is made directly with the affected persons).

Substitute Notice:

An entity may provide substitute notice if (1) the cost of providing notice would exceed $250,000, (2) the notification population exceeds 500,000, or (3) the entity does not have sufficient contact information. Substitute notice must include: (1) email notice, where an email address is available; (2) conspicuous posting on the entity’s webpage, if one is maintained; and (3) notice to statewide media.

Remediation Services:

N/A

Regulatory Notice:

Notification must be provided to the North Carolina Attorney General Office’s Consumer Protection Division if any North Carolina resident is required to be notified of a breach. The notice must include the nature of the breach, then number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice. The Attorney General’s website contains a form to be used for notice.

Credit Reporting Agencies Notice:

In the event a business provides notice to more than 1,000 persons at one time, the entity must notify, without unreasonable delay, the Consumer Protection Division of the Attorney General's Office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, of the timing, distribution, and content of the notice.

Third-Party Notice:

Any business that possesses records containing PI of North Carolina residents that the business does not own or license or conducts business in North Carolina that possesses records containing PI that the business does not own or license, must notify the owner or licensee of the information of any security breach immediately following discovery of the breach.

HIPAA:

N/A

Private Action:

No private right of action may be brought by an individual for a violation the statute unless such individual is injured as a result of the violation.

Associated Regulations:

• N.C. Gen. Stat. §§ 53B-1 – 10.
• Session Law 2009-355.