Information Covered / Important Definitions
Personal information of North Carolina residents.
The definition includes (i) employer taxpayer identification numbers, (ii) personal identification number (PIN) codes, (iii) biometric data, (iv) fingerprints, and (v) any other numbers or information that can be used to access a person’s financial resources.
Personal information does not include electronic identification numbers, electronic mail names or addresses, Internet account numbers, Internet identification names, parent’s legal surname prior to marriage, or a password unless this information would permit access to a person’s financial account or resources.
“Security Breach” means an incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. Access to encrypted records or data containing personal information along with the confidential process or key constitutes a security breach.
“Encryption” means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key.
“Redaction” means the rendering of data so that it is unreadable or is truncated so that no more than the last four digits of the identification number is accessible as part of the data.
Covered Entities* / Third Party Recipients
Subject to statute:
Any business that owns or licenses personal information of residents of North Carolina or any business that conducts business in North Carolina that owns or licenses personal information in any form, whether computerized, paper, or otherwise.
Third party recipients:
Any business that maintains or possesses records or data containing personal information of North Carolina residents that the business does not own or license must notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the needs of law enforcement.
Notice Procedures & Timing / Other Obligations
Written, electronic, or telephonic notice must be provided to victims of a security breach without unreasonable delay, unless a law enforcement agency requests delay in writing due to its determination that notification would impede a criminal investigation or jeopardize national or homeland security (in which case notification is delayed until authorized by law enforcement agency).
- Electronic notice allowed only when the consumer to be notified has consented to receipt of electronic communications.
- Notice to affected residents is required to contain specific content described in statute.
- Substitute notice is available by the means prescribed in the statute if the cost of providing notice would exceed $250,000, the affected class exceeds 500,000 persons, the covered entity has insufficient contact information, or the covered entity is unable to identify particular affected persons.
- Notice not required if the business responsible for the data concludes that the security breach is not reasonably likely to cause or create a “material risk of harm” to consumers.
Any business that must notify more than 1,000 persons at one time of a security breach is also required to notify consumer reporting agencies without unreasonable delay.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted or redacted.
Exemption for good faith acquisition of personal information by an employee or agent of a business for a legitimate purpose, so long as the personal information is not used for a purpose other than a lawful purpose of the business and is not subject to further unauthorized disclosure.
Financial institutions subject to and in compliance with federal interagency guidelines, and credit unions subject to the Final Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, are exempt.
Notification to Regulator / Waiver
The Consumer Protection Division of the Attorney General’s office must be notified of a security breach through a designated online form (the North Carolina Security Breach Reporting Form).
The notification describes the nature of the breach, the number of affected individuals, the circumstances surrounding the breach, the steps taken to prevent a similar breach in the future, and the timing, distribution, and content of the notice given to affected residents.
A determination that there is no likelihood of harm does not require notification to the attorney general.
A waiver of the statute is void and unenforceable.
Violations fall under G.S. § 75-1.1. Civil penalties of up to $5,000 per violation are available under G.S. § 75-15.2.
Private Cause of Action / Enforcement
Private Cause of Action: Yes, but only if the individual is actually injured as a result of a violation of the statute.
Government enforcement: by the attorney general only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.