North Carolina Data Breach Laws: Reporting Requirements

Story by Bill Haber / December 28, 2017

North Carolina businesses that suffer a security breach must notify affected North Carolina residents by written, telephone, or electronic notice without unreasonable delay; the statute sets no fixed number of days. If the breach affects more than 500,000 people, or the cost of individual notice would exceed $250,000, substitute notice can be used instead: e-mail where the business holds an address, conspicuous posting on the business's Web site, and notification to major statewide media. If more than 1,000 people are notified at one time, the nationwide consumer reporting agencies must also be told of the timing, distribution, and content of the notice. Whenever any individual is notified, the breach must also be reported to the Consumer Protection Division of the state Attorney General's Office, regardless of how many people it affects.

Summary of the North Carolina requirements

Definition of protected information: A name or other identifying information combined with one or more of the following data elements: Social Security number; driver's license number; account number, credit card number, or debit card number together with any PIN, password, or access code; mother's maiden name; electronic signature; unique biometric data (including voice print); computer passwords. Paper records are covered as well as electronic ones. Note that under § 75-65(a), e-mail names and addresses, Internet account numbers and identification names, a parent's legal surname prior to marriage, and passwords count as personal information only where they would permit access to the person's financial account or resources.

Who is subject to the law?: Any person or business conducting business in the state that owns or licenses PI. A business that merely maintains or possesses such data for another must notify the owner or licensee of any breach (§ 75-65(b)).

Notification of consumers?: Yes, unless the business determines there is no risk of harm.

By what means?: Written, telephone, or electronic notice; the notice must include the specific elements listed in § 75-65(d). If more than 1,000 residents are notified at one time, the nationwide consumer reporting agencies must also be notified.

Substitute notice threshold?: Cost of notice over $250,000, or more than 500,000 residents affected. Substitute notice consists of e-mail (where an address is held), conspicuous Web site posting, and notification to major statewide media.

Notification of authorities/regulators required?: Yes, to the Consumer Protection Division of the Attorney General's Office whenever individuals are notified.

By what means?: North Carolina Security Breach Reporting Form.

Regulatory fines: Up to $5,000 per violation.

Credit monitoring requirement?: No.

Private lawsuits allowed?: Yes, but only by an individual injured as a result of the violation (§ 75-65(i)).

Private damages?: Treble damages plus costs and attorney fees.

Regulatory actions allowed?: Yes.

HIPAA compliance exemption?: N/A.

Other (e.g., timeframe): Notice must be given without unreasonable delay; it may be delayed at the written request of law enforcement (§ 75-65(c)). The law does not apply if the PI was encrypted (unless the encryption was compromised) or redacted.

Link to complete law: http://www.ncga.state.nc.us

Below is the full text of G.S. § 75-65, the breach-notification section of North Carolina's data breach law. The terms "personal information" and "security breach" are defined in G.S. § 75-61, which is not reproduced here.

§ 75-65. Protection from security breaches.

(a) Any business that owns or licenses personal information of residents of North Carolina or any business that conducts business in North Carolina that owns or licenses personal information in any form (whether computerized, paper, or otherwise) shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of this section, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. For the purposes of this section, personal information shall not include electronic identification numbers, electronic mail names or addresses, Internet account numbers, Internet identification names, parent's legal surname prior to marriage, or a password unless this information would permit access to a person's financial account or resources.

(b) Any business that maintains or possesses records or data containing personal information of residents of North Carolina that the business does not own or license, or any business that conducts business in North Carolina that maintains or possesses records or data containing personal information that the business does not own or license shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section.

(c) The notice required by this section shall be delayed if a law enforcement agency informs the business that notification may impede a criminal investigation or jeopardize national or homeland security, provided that such request is made in writing or the business documents such request contemporaneously in writing, including the name of the law enforcement officer making the request and the officer's law enforcement agency engaged in the investigation. The notice required by this section shall be provided without unreasonable delay after the law enforcement agency communicates to the business its determination that notice will no longer impede the investigation or jeopardize national or homeland security.

(d) The notice shall be clear and conspicuous. The notice shall include all of the following:

(1) A description of the incident in general terms.

(2) A description of the type of personal information that was subject to the unauthorized access and acquisition.

(3) A description of the general acts of the business to protect the personal information from further unauthorized access.

(4) A telephone number for the business that the person may call for further information and assistance, if one exists.

(5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.

(6) The toll-free numbers and addresses for the major consumer reporting agencies.

(7) The toll-free numbers, addresses, and Web site addresses for the Federal Trade Commission and the North Carolina Attorney General's Office, along with a statement that the individual can obtain information from these sources about preventing identity theft.

(e) For purposes of this section, notice to affected persons may be provided by one of the following methods:

(1) Written notice.

(2) Electronic notice, for those persons for whom it has a valid e-mail address and who have agreed to receive communications electronically if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing set forth in 15 U.S.C. § 7001.

(3) Telephonic notice provided that contact is made directly with the affected persons.

(4) Substitute notice, if the business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000) or that the affected class of subject persons to be notified exceeds 500,000, or if the business does not have sufficient contact information or consent to satisfy subdivisions (1), (2), or (3) of this subsection, for only those affected persons without sufficient contact information or consent, or if the business is unable to identify particular affected persons, for only those unidentifiable affected persons. Substitute notice shall consist of all the following:

a. E-mail notice when the business has an electronic mail address for the subject persons.

b. Conspicuous posting of the notice on the Web site page of the business, if one is maintained.

c. Notification to major statewide media.

(e1) In the event a business provides notice to an affected person pursuant to this section, the business shall notify without unreasonable delay the Consumer Protection Division of the Attorney General's Office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice.

(f) In the event a business provides notice to more than 1,000 persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Attorney General's Office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice.

(g) Any waiver of the provisions of this Article is contrary to public policy and is void and unenforceable.

(h) A financial institution that is subject to and in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued on March 7, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision; or a credit union that is subject to and in compliance with the Final Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, issued on April 14, 2005, by the National Credit Union Administration; and any revisions, additions, or substitutions relating to any of the said interagency guidance, shall be deemed to be in compliance with this section.

(i) A violation of this section is a violation of G.S. 75-1.1. No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation.

(j) Causes of action arising under this Article may not be assigned. (2005-414, s. 1; 2009-355, s. 2; 2009-573, s. 10.)