North Carolina

Data Breach Notification Statute

Highlights

Covered Entities: Persons or businesses that own or license personal information in any form.

Consumer Notification: Notification must be provided to any North Carolina resident whose unencrypted and unredacted PI is accessed and acquired without authorization.

Regulatory Notification: Notification must be provided to the Consumer Protection Division of the Attorney General’s Office if any North Carolina resident is required to be notified of a breach.

Notification Timeline: Notification must be provided “without unreasonable delay.”

Data Format: Electronic and physical.

Citations: N.C. Gen. Stat. §§ 75-61, 75-65.

More Details

Definitions:

  • Breach: An incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing PI where illegal use of the PI has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. Any incident of unauthorized access to and acquisition of encrypted records or data containing PI along with the confidential process or key shall constitute a security breach.
  • Personal information (PI):
    • An individual’s first name / first initial and last name in combination with one or more of the following data elements:
      • Social security number or employer taxpayer identification number;
      • Driver’s license, state identification card, or passport numbers;
      • Checking or savings account, credit or debit card number, or personal identification (PIN) code;
      • Passwords if such information would provide access to a person’s financial account or resources;
      • Digital signatures;
      • Fingerprints;
      • Biometric data; and
      • Electronic identification number, email names or addresses, Internet account number or Internet identification name, parent’s legal surname before marriage, passwords, or other information only if its use would permit access to a person’s financial account or resources.
  • Medical Information: N/A
  • Health Insurance Information: N/A

Safe Harbors:

  • Encryption: Notification is not required where the potentially impacted PI was encrypted or redacted, so long as the encryption key was not also accessed or acquired.
  • Good Faith: Notification is not required where the potentially impacted PI was acquired in good faith by an employee or agent, for the purposes of the relevant person, business, or agency.
  • Risk of Harm: Notification is not required if illegal use has not and is not reasonably likely to occur, and the breach does not create a material risk of harm to an individual.
  • Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.

Direct Notice:

  • Timing: Notification must be provided in the most expedient time possible and without unreasonable delay, consistent with measures necessary to determine the scope of the breach and restore the integrity of the system.
  • Format: The notice must be clear and conspicuous.
  • Content: The notice must include a description of the following:
    • The incident in general terms;
    • The type of PI that was subject to the unauthorized access and acquisition;
    • The general act of the entity to protect the PI from further unauthorized access;
    • A telephone number that the person may call for further information and assistance, if one exists; and
    • Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
  • Method: Written, electronic (for those with valid e-mail addresses and who have consented to receive communications electronically), or telephonic (provided that contact is made directly with the affected persons).

Substitute Notice:

An entity may provide substitute notice if (1) the cost of providing notice would exceed $250,000, (2) the notification population exceeds 500,000, or (3) the entity does not have sufficient contact information. Substitute notice must include: (1) email notice, where an email address is available; (2) conspicuous posting on the entity’s webpage, if one is maintained; and (3) notice to statewide media.

Remediation Services:

N/A

Regulatory Notice:

Notification must be provided to the Consumer Protection Division of the North Carolina Attorney General’s Office if any North Carolina resident is required to be notified of a breach. The notice must include the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice. The Attorney General’s website contains a form to be used for notice.

Credit Reporting Agencies Notice:

In the event a business provides notice to more than 1,000 persons at one time, the entity must notify, without unreasonable delay, the Consumer Protection Division of the Attorney General's Office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, of the timing, distribution, and content of the notice.

Third-Party Notice:

Any business that possesses records containing PI of North Carolina residents that the business does not own or license, or that conducts business in North Carolina and possesses records containing PI that the business does not own or license, must notify the owner or licensee of the information of any security breach immediately following discovery of the breach.

HIPAA:

N/A

Private Action:

No private right of action may be brought by an individual for a violation of the statute unless such individual is injured as a result of the violation.

Associated Regulations:

  • N.C. Gen. Stat. §§ 53B-1 – 10.
  • Session Law 2009-355.