North Carolina Data Breach Notification Statute Summary

N.C. Gen. Stat. §§ 75-61, 75-65

 

Type of Data Covered: Electronic, paper, or other form.

Deadline for Notification: Without unreasonable delay.

Government Notice: Yes – notify the Consumer Protection Division of the Attorney General’s Office. Other requirements for mortgage licensees if any resident is notified.

 

Subject Entities

Applies to individuals, businesses, and other entities that own, license, or maintain personal information. Certain entities may be exempted from particular or all provisions of the law.

Definition of Personal Information

First name or first initial and last name, in combination with one or more of the following:

  • Social Security number or employer taxpayer identification number;
  • Driver’s license, state identification card, or passport numbers;
  • Checking or savings account, credit or debit card number, or personal identification (PIN) code;
  • Passwords if such info would provide access to a person’s financial account or resources;
  • Digital signatures;
  • Fingerprints;
  • Biometric data; and
  • Electronic identification number, email names or addresses, Internet account number or Internet identification name, parent’s legal surname before marriage, passwords, or other information only if its use would permit access to a person’s financial account or resources.

Definition of Breach

Unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer, excluding certain good faith acquisitions.

Type of Data Covered

Electronic, paper, or other form.

Encryption Safe Harbor

Statute does not apply to encrypted or redacted information if the encryption key was not accessed or acquired.

Risk of Harm Analysis

Notification is not required if illegal use has not and is not reasonably likely to occur, and the breach does not create a material risk of harm to an individual.

Consumer Notice Requirements

Timing:  Must be made without unreasonable delay, consistent with the legitimate needs of law enforcement, and with any necessary measures to determine sufficient contact information, determine the scope of the breach, and to restore the reasonable integrity, security, and confidentiality of the system.

Content: Notice must be clear and conspicuous and include: 

  • A description of the incident in general terms; 
  • A description of the type of personal information involved; 
  • A description of the general acts of the covered entity to protect the information from further unauthorized access; 
  • A telephone number for the entity that affected individuals can call for further information and assistance, if one exists;
  • Advice directing the individual to stay vigilant by reviewing account statements and monitoring free credit reports; 
  • Toll-free number and address for the major credit reporting agencies;
  • Toll-free number, address, and website address for the FTC and the Attorney General’s Office; and 
  • A statement that the person can obtain information from these sources about identity theft.

Method:  Written notice, telephone notice if direct contact is made with the affected residents, or electronic notice to residents with a valid email address who agreed to receive communications electronically and if consistent with E-SIGN. Substitute notice is also available under certain circumstances.  

Substitute Notice Requirements

Substitute notice is available if the cost of providing notice would exceed $250,000, the affected class to be notified exceeds 500,000, or the entity does not have sufficient contact information or consent to satisfy the other methods of consent or is unable to identify particular affected persons.

Substitute notice must consist of all the following: 

  • Email notice when the entity has electronic mail addresses for the subject residents;
  • Conspicuous posting of the notice on the entity’s web page, if it maintains one; and
  • Notification to major statewide media.

Delayed Notice Requirements

Notification may be delayed if law enforcement determines that the notification will impede a criminal investigation or jeopardize homeland or national security, and either makes the request in writing or the covered entity documents the request contemporaneously in writing, including the name of the officer and agency.

Government Notice Requirements

Must notify the Consumer Protection Division of the Attorney General’s Office without unreasonable delay. The notice must include the nature of the breach, the number of consumers affected, the steps taken to investigate and to prevent a similar breach in the future, and information regarding the timing, distribution, and content of consumer notices.

Mortgage licensees must notify the Commissioner of the North Carolina Banking Commission within one business day of providing notice. N.C. Admin Code 3M.0402.

Third Party Notice Requirements

If personal information is maintained on behalf of another entity, the entity must be notified immediately following discovery of a breach.

Consumer Reporting Agency Obligations

If more than 1,000 residents are notified, the entity must also notify all nationwide credit reporting agencies without unreasonable delay as to the timing, distribution, and content of consumer notices. 

Potential Penalties

Violations may result in criminal or civil penalties.

Related Regulations

N.C. Admin Code 3M.0402 (requiring certain mortgage companies to provide notification to the Office of the Commissioner of Banks in the event of a breach).

N.C. Gen. Stat. §143-800 (prohibiting state agencies and local governments from making ransom payments).

Last updated: January 202