Several Cybersecurity, Data Breach and Data Privacy Laws exist in the state of North Carolina. Here is a review of the ones that impact most businesses operating in the state.
North Carolina Consumer Privacy Act
The North Carolina Consumer Privacy Act (also known as NCCPA) went into effect on January 1, 2024. It represents a significant legislative development in the realm of digital privacy and consumer rights in North Carolina.
The NCCPA empowers North Carolina residents with control over their personal data and imposes obligations on organizations engaged in processing the personal data of North Carolina residents, positioning North Carolina at the forefront of state-level privacy legislation in the United States.
Here is an overview of the NCCPA’s key provisions, implications for organizations, and the broader impact of the Act on privacy, cybersecurity best practices and regulatory compliance today.
Compliance: Who Must Comply with NCCPA?
The law applies to any business, controller or processor that:
- Conducts business in North Carolina or produces a product or service that is targeted to consumers who are North Carolina residents; and
- Has an annual revenue exceeding twenty-five million dollars ($25M), and
- Meets either of the following criteria:
  - Controls or processes personal data of 100,000 or more consumers in a calendar year, or
  - Controls or processes the personal data of 25,000 or more consumers and derives over 50% of the entity’s gross revenue from the sale of personal data.
The law does not apply to the following entities:
- A governmental entity or a third party under contract with a governmental entity when the third party is acting on behalf of the governmental entity.
- A tribe.
- An institution of higher education.
- A nonprofit corporation.
- A covered entity as defined in 45 C.F.R. Sec.160.103.
- A business associate, as defined in 45 C.F.R. Sec.160.103.
The law does not apply to the following information:
- Any health information, records, data, and documents protected and covered under HIPAA, other federal or state medical laws, including patient information, identifiable private information for purposes of the Federal Policy for the protection of Human Subjects, patient safety work product, de-identified medical data, and medical data for public health use or medical research under HIPAA or any other medical law or policy, information maintained by a healthcare facility/provider, or information used only for public health activities and purposes;
- Activities subject to the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq.;
- A financial institution or an affiliate of a financial institution or personal data collected, processed, sold, or disclosed in accordance with Title V of the Gramm-Leach-Bliley Act and related regulations.
- Personal data collected, processed, sold, or disclosed in accordance with the federal Driver’s Privacy Protection Act of 1994;
- Personal data regulated by the federal Family Education Rights and Privacy Act and related regulations;
- Personal data collected, processed, sold, or disclosed in accordance with the federal Farm Credit Act of 1971;
- Data used for the purpose of employment, emergency contact, or administering benefits;
- An individual’s processing of personal data for purely personal or household purposes.
Definitions of Key Terms
A. Aggregated Data
Information that relates to a group or category of consumers from which individual consumer identities have been removed and that is not linked or reasonably linkable to any consumer.
B. Biometric Data
Data generated by automatic measurements of an individual’s unique biological characteristics. The term includes an individual’s fingerprint, voiceprint, eye retinas, irises, or any other unique biological pattern or characteristic that is used to identify a specific individual. Biometric data does not include any of the following:
- A physical or digital photograph.
- A video or audio recording.
- Data generated from a physical or digital photograph or a video or audio recording.
- Information captured from a patient in a healthcare setting.
- Information collected, used, or stored for treatment, payment, or health care operations as those terms are defined in 45 C.F.R. Parts 160, 162, and 164.
C. Child
An individual younger than 13 years old.
D. Consent
An affirmative act by a consumer that unambiguously indicates the consumer’s voluntary and informed agreement to allow a person to process personal data related to the consumer.
E. Consumer
An individual who is a resident of North Carolina acting in an individual or household context. The term consumer does not include an individual acting in a commercial or employment context.
F. Controller
A person doing business in North Carolina who, alone or jointly with others, determines the purposes for which, and the means by which, personal data are processed.
G. Personal Data
Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information. Personal data does not include information that is a public record under Chapter 132 of the General Statutes or information made available to the general public lawfully and intentionally.
H. Sensitive Data
Personal data that reveals any of the following:
- An individual’s (i) racial or ethnic origin, (ii) religious beliefs, (iii) sexual orientation, (iv) citizenship or immigration status, or (v) medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional. The term does not include personal data that reveals an individual’s racial or ethnic origin if the personal data are processed by a video communication service, nor does it include information regarding an individual’s medical history, mental or physical health condition, or medical treatment or diagnosis if the personal data are processed by a person licensed to provide health care under State or federal law.
- The processing of genetic or biometric data if the processing is for the purpose of identifying a specific individual.
- Specific geolocation data.
I. Targeted Advertising
Displaying an advertisement to a consumer where the consumer is selected based upon personal data obtained from the consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences and interests. The term does not include any advertising:
- Based upon a consumer’s activities within the controller’s website or online application or any affiliated website or online application.
- Based on the context of a consumer’s current search query or visit to a website or online application.
- Directed to a consumer in response to the consumer’s request for information, product, service, or feedback.
- Processing personal data solely to measure or report advertising performance, reach, or frequency.
IV. Obligations for Organizations Under NCCPA
A. Consent Requirements
The law does not require opt-in consent to process a consumer’s sensitive data. Instead, it imposes a mandatory notice requirement: before processing sensitive data collected from a consumer, a controller must present the consumer with clear notice along with a method and opportunity to opt out of the processing of their sensitive data.
Moreover, when processing personal data concerning a known child, the controller must process the data in accordance with the federal Children’s Online Privacy Protection Act (COPPA) and its implementing regulations and exemptions.
Controllers are not obligated to provide products or services if the provision of these services is contingent upon processing specific personal data that the consumer does not provide or allow to be processed.
B. Non-Discrimination Requirements
A controller must not discriminate against a consumer for exercising a right by refusing them a good or service, charging them a different price or rate, or offering them a different quality of good or service.
However, if the consumer has opted out of targeted advertising or the offer is related to the consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program, then the controller may offer a different price, rate, level, quality, or selection of a good or service to a consumer, including offering a good or service for free or at a discount.
C. Privacy Notice Requirements
A controller must provide consumers with a clear, understandable, and reasonably accessible privacy notice that contains the following information:
- Personal data categories that the controller processes.
- The purpose of processing the categories of personal data.
- How consumers may exercise their consumer rights.
- The categories of personal data that the controller shares with third parties, if any.
- The categories of third parties, if any, with whom the controller shares personal data.
If personal data is sold or used for targeted advertising, there must be a conspicuous disclosure of how consumers can opt-out of such practices.
D. Security Requirements
A controller must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to safeguard the integrity and confidentiality of personal data and minimize the reasonably foreseeable risks that processing it may pose to consumers. The data security procedures must be implemented, taking into account the scope and category of personal data in question and accounting for the businesses’ size, scope, and nature.
E. Non-Waiver of Consumer Rights
Under the law, any provision of a contract that purports to waive or limit a consumer’s rights is void.
F. Processing De-identified Data or Pseudonymous Data
The law does not require a controller or processor to reidentify de-identified data or pseudonymous data or obtain, maintain, or access data in identifiable form for the purpose of allowing the controller or processor to associate a consumer request with personal data. The controller is also not required to comply with an authenticated consumer request to exercise a right under the law if:
- Either the controller does not have the reasonable capacity to associate the request with the personal data, or it would be unreasonably burdensome for it to associate the request with the personal data;
- personal data is not being used by the controller to recognize or respond to the consumer who is the subject of the personal data; and
- personal data is not being sold or disclosed to any third party other than a processor.
Moreover, data subject rights do not apply to pseudonymous data.
G. Processor/ Service Provider Agreements
A processor must comply with the controller’s instructions and, insofar as it is reasonably practical, assist the controller in fulfilling its obligations, including those pertaining to the security of processing personal data and notifying others of a security system breach, and by implementing the appropriate organizational and technical measures.
Prior to a processor processing data on behalf of a controller, a contract must be established that:
- Clearly lays out how personal data is processed, what kind of data is processed, why it’s being processed, how long it will take to process it, and what rights and duties each party has.
- Requires that the processor ensure that everyone processing personal data ensures its confidentiality.
- Requires that the processor only use subcontractors who have signed a written contract containing the same requirements for processing personal data as the processor.
Moreover, any subcontractor engaged by a processor pursuant to a written contract is bound by the same obligations. Processors must follow the controller’s instructions and assist the controller in fulfilling its obligations, including those relating to the security of personal data processing and security breach notifications.
V. Data Subject Rights
A. Right to Confirm and Access Information
A consumer has the right to confirm whether a controller is processing their personal data and to access that data.
B. Right to Delete
A consumer has the right to request that the controller delete the personal data that they provided to the controller.
C. Right to Portability
When processing is carried out using automated means, a consumer has the right to obtain a copy of the personal data they previously gave to the controller in a format that is, as far as is technically feasible, readily usable and enables them to transfer the data to another controller without difficulty.
D. Right to Opt-Out
A consumer has the right to opt-out of the processing of their personal data for purposes of targeted advertising or the sale of personal data.
Exercising Consumer Rights
A consumer can exercise their rights by submitting a request to the controller, using the methods prescribed by the controller, specifying the rights they want to exercise.
When processing a known child’s personal data, their parent or legal guardian may exercise a right on the child’s behalf. When processing a consumer’s personal information under guardianship, the guardian of the consumer may act on the consumer’s behalf.
Controllers’ Response to DSRs
A controller must respond to a consumer’s request and inform the consumer of the subsequent action within 45 days of the receipt of the request. However, the controller may extend the response period by another 45 days, considering the complexity and volume of the requests received.
If a controller decides to extend the initial period, it must notify the consumer of the extension, specify its duration, and explain why it is reasonably required, all before the initial 45 days expire. The 45-day period does not apply if the controller suspects fraud and cannot authenticate the request in time; in that case the controller must inform the consumer of the reasons for not taking action within the initial 45 days. If the controller decides not to act on the consumer’s request at all, it must tell the consumer so within 45 days of receiving the request.
Charging Fee for Excessive Requests
When a controller responds to a consumer request, it cannot charge a fee unless it is the consumer’s second or subsequent request in the same 12-month period. Nonetheless, a controller may refuse to act upon a request, or impose a reasonable fee to cover the administrative expenses of complying with it, if:
- The request is excessive, repetitive, technically infeasible, or manifestly unfounded;
- The controller has a reasonable belief that the request was submitted primarily for a motive other than to exercise a right; or
- The request harasses, interferes with, or places an excessive load on the controller’s business resources, either alone or in conjunction with other requests.
A controller is not obligated to comply with a consumer’s request to exercise a right if the controller is unable to authenticate the request using commercially reasonable efforts. Instead, the controller may ask the consumer to give any additional information that is reasonably needed to authenticate the request.
VI. Regulatory Authority
The NCCPA is enforced by the Attorney General. Upon referral from the Division, the Attorney General may bring an enforcement action against a controller or processor for a violation.
The Attorney General must provide the controller or processor the following information at least 45 days prior to the day on which the Attorney General files an enforcement action against them:
- A written notice outlining each NCCPA requirement that the Attorney General claims the processor or controller has violated or is currently violating.
- An explanation of the evidence supporting each accusation.
The Attorney General may not initiate an action if the controller or processor:
- Resolves the violation within 45 days of receiving the written notice.
- Gives the Attorney General a written notice stating that the violation has been resolved and that it won’t happen again.
Limitations
The law does not restrict a controller from processing personal data in order to do any of the following:
- Comply with the State, Federal, or local laws.
- Comply with a criminal, civil, or regulatory investigation, inquiry, subpoena, or summons by a federal, state, local, or other government entity.
- Cooperate with law enforcement agencies in good faith.
- Investigate, or prepare a legal claim.
- Provide products or services requested by a consumer, parent, or legal guardian of a child.
- Perform the obligations of a contract to which a child is a party.
- Take essential steps to save the life or physical safety of a consumer or another individual.
- Respond to a security incident.
- Preserve the integrity or security of systems.
- Engage in public interest matters that comply with all other applicable ethics and privacy laws.
- Assist another person to fulfill obligations prescribed under the law.
- Conduct internal research, identify and repair technical errors, or effectuate a product recall.
VII. Penalties for Non-Compliance
The Attorney General has the authority to initiate an action against a controller who fails to cure the violations within the 45-day notice period or who, after curing them, violates the law again. The Attorney General may recover the actual damages to the consumer and an amount not to exceed seven thousand five hundred dollars ($7,500) for each violation. The law does not provide a private right of action.
VIII. How Can an Organization Operationalize the NCCPA
Organizations can operationalize the North Carolina Consumer Privacy Act (NCCPA) by:
- Establishing clearly defined policies and procedures for processing data in compliance with NCCPA’s provisions;
- Developing clear, understandable, and accessible privacy notices that comply with NCCPA’s requirements;
- Obtaining explicit consent from users before processing their personal data;
- Developing a robust framework for receiving and processing data requests, complaints, and appeals from consumers; and
- Training employees who handle consumers’ data on the organization’s policies and procedures, as well as the requirements of the NCCPA.
NC Data Breach Law
North Carolina businesses that suffer a data breach must notify affected NC residents by mail, phone, or email as soon as possible. If the security breach affects more than 500,000 people, or the cost of notification exceeds $250,000, other means of notification can be used (e.g., public service announcements). If a breach impacts more than 1,000 people, all credit-reporting agencies must be informed. Regardless of how many people a breach affects, it must be reported to the state attorney general.
| Provision | North Carolina |
|---|---|
| Definition of Protected Information | Combination of (1) name or other identifying info, PLUS (2) one or more of these “data” elements: SSN; driver’s license number; or account number, credit card number, debit card number if accompanied by PIN, password, or access codes + mother’s maiden name, electronic signature, unique biometric data (including voice print), computer passwords; includes paper copies |
| Who Is Subject to Law? | Any person or business conducting business in the state who licenses or owns PI |
| Notification of Consumers? | Yes, unless determination of no harm by business |
| By what means? | Written, phone, or electronic; if >1,000 residents, must notify consumer reporting agencies; specific info must be included in notice |
| Substitute Notice Threshold? | If cost of notice >$250,000 or involves >500k residents |
| Notification of authorities / regulators required? | Yes |
| By what means? | North Carolina Security Breach Reporting Form |
| Regulatory Fines | Up to $5,000/violation |
| Credit monitoring requirement? | No |
| Private lawsuits allowed? | Yes |
| Private damages cap? | Treble damages + costs and attorney fees |
| Regulatory actions allowed? | Yes |
| HIPAA Compliance exemption? | N/A |
| Other (e.g., timeframe) | Law does not apply if PI was encrypted (unless encryption was compromised) or redacted |
| Link to complete law | http://www.ncga.state.nc.us |
Below please find the full text of North Carolina’s data breach law.
§ 75-65. Protection from security breaches.
(a) Any business that owns or licenses personal information of residents of North Carolina or any business that conducts business in North Carolina that owns or licenses personal information in any form (whether computerized, paper, or otherwise) shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of this section, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. For the purposes of this section, personal information shall not include electronic identification numbers, electronic mail names or addresses, Internet account numbers, Internet identification names, parent’s legal surname prior to marriage, or a password unless this information would permit access to a person’s financial account or resources.
(b) Any business that maintains or possesses records or data containing personal information of residents of North Carolina that the business does not own or license, or any business that conducts business in North Carolina that maintains or possesses records or data containing personal information that the business does not own or license shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section.
(c) The notice required by this section shall be delayed if a law enforcement agency informs the business that notification may impede a criminal investigation or jeopardize national or homeland security, provided that such request is made in writing or the business documents such request contemporaneously in writing, including the name of the law enforcement officer making the request and the officer’s law enforcement agency engaged in the investigation. The notice required by this section shall be provided without unreasonable delay after the law enforcement agency communicates to the business its determination that notice will no longer impede the investigation or jeopardize national or homeland security.
(d) The notice shall be clear and conspicuous. The notice shall include all of the following:
(1) A description of the incident in general terms.
(2) A description of the type of personal information that was subject to the unauthorized access and acquisition.
(3) A description of the general acts of the business to protect the personal information from further unauthorized access.
(4) A telephone number for the business that the person may call for further information and assistance, if one exists.
(5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
(6) The toll-free numbers and addresses for the major consumer reporting agencies.
(7) The toll-free numbers, addresses, and Web site addresses for the Federal Trade Commission and the North Carolina Attorney General’s Office, along with a statement that the individual can obtain information from these sources about preventing identity theft.
(e) For purposes of this section, notice to affected persons may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, for those persons for whom it has a valid e-mail address and who have agreed to receive communications electronically if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing set forth in 15 U.S.C. § 7001.
(3) Telephonic notice provided that contact is made directly with the affected persons.
(4) Substitute notice, if the business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000) or that the affected class of subject persons to be notified exceeds 500,000, or if the business does not have sufficient contact information or consent to satisfy subdivisions (1), (2), or (3) of this subsection, for only those affected persons without sufficient contact information or consent, or if the business is unable to identify particular affected persons, for only those unidentifiable affected persons. Substitute notice shall consist of all the following:
a. E-mail notice when the business has an electronic mail address for the subject persons.
b. Conspicuous posting of the notice on the Web site page of the business, if one is maintained.
c. Notification to major statewide media.
(e1) In the event a business provides notice to an affected person pursuant to this section, the business shall notify without unreasonable delay the Consumer Protection Division of the Attorney General’s Office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice.
(f) In the event a business provides notice to more than 1,000 persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Attorney General’s Office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice.
(g) Any waiver of the provisions of this Article is contrary to public policy and is void and unenforceable.
(h) A financial institution that is subject to and in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued on March 7, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision; or a credit union that is subject to and in compliance with the Final Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, issued on April 14, 2005, by the National Credit Union Administration; and any revisions, additions, or substitutions relating to any of the said interagency guidance, shall be deemed to be in compliance with this section.
(i) A violation of this section is a violation of G.S. 75-1.1. No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation.
(j) Causes of action arising under this Article may not be assigned. (2005-414, s. 1; 2009-355, s. 2; 2009-573, s. 10.)
Other Legislation
The Office of Privacy & Data Protection is responsible for establishing a statewide standard for information technology privacy and for reviewing existing privacy standards and practices to determine whether they meet statewide privacy requirements.
Statewide standards and practices incorporate state and federal privacy law, IT guidance and requirements, and records retention and management requirements. The following laws and guidance inform North Carolina state privacy standards.
Please note that the list below is not exhaustive and will continue to be updated.
- N.C. General Statutes – Chapter 143B Article 15: Department of Information Technology
- N.C. General Statutes – Chapter 75 Article 2A: Identity Theft Protection Act
- N.C. General Statutes – Chapter 14, Article 19C, Identity Theft, 14-113.20, Identifying Information
- N.C. General Statutes – Chapter 132: Public Records
- N.C. General Statutes – Chapter 132-1.10: Social Security Numbers and Other Personal Identifying Information
- N.C. General Statutes – Chapter 115C Article 21A: Privacy of Employee Personnel Records
- N.C. General Statutes – Chapter 115C-401.2: Student Online Privacy Protection
- N.C. General Statutes – Chapter 115C-402: Student Records; Maintenance; Contents; Confidentiality
- N.C. General Statutes – Chapter 58 Article 39: Consumer and Customer Information Privacy (Part 1. Insurance Information and Privacy Protection)
Employee Personnel Records
- N.C. General Statutes – Chapter 75 Article 2A: Identity Theft Protection Act
- N.C. General Statutes – Chapter 126 Article 7 (state and university employees)
- N.C. General Statutes – Chapter 153A-98 (county employees)
- N.C. General Statutes – 160A-168 (city employees)
- N.C. General Statutes – 131E-257.2 (public hospital employees)