North Carolina Data Breach Rule Summary
NC Gen. Stat. § 75-61, § 75-65
NC Gen. Stat. § 14-113.20
SUMMARY:
EFFECTIVE. December 1, 2005
WHO DOES THIS LAW APPLY TO. (1) Any business that owns or licenses Personal Information in any form; and (2) any business that maintains Personal Information on State residents, whether or not it conducts business in the State.
WHAT IS A BREACH. An unauthorized access to and acquisition of unencrypted or unredacted records or data that includes Personal Information, or encrypted records, or data containing Personal Information together with the key, where illegal use of Personal Information has or is reasonably likely to occur, or that creates a material risk of harm to a consumer. A good faith acquisition of Personal Information by an employee or agent of the business for a legitimate purpose is not a breach, if it is not used for an unlawful purpose or subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data:
- Social Security Number.
- Driver’s license, passport, or State identification card number.
- Bank account number, credit card, or debit card number.
- Electronic identification numbers, Email names or addresses, internet account numbers or identification names, or a parent’s legal surname prior to marriage, only if such information will permit access to a person’s financial account or resources.
- Personal Identification (Personal Information) Code, password, biometric data, fingerprint, digital signature, or any other numbers or information that can be used to access a person’s financial resources.
Personal Information does not include publicly available information that an individual has consented to have distributed or listed, or information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the individuals affected. The notice shall be clear and conspicuous and include the following information:
- A general description of the incident.
- A description of the type of Personal Information involved in the security breach.
- Steps taken by the business to protect the Personal Information from further unauthorized access.
- A telephone number for the business providing notice to obtain additional information or assistance, if one exists.
- Instructions to remain vigilant in reviewing account statements and monitoring free credit reports.
- Toll-free telephone numbers and addresses for the major consumer reporting agencies.
- The toll-free telephone numbers and the physical and website addresses for the Federal Trade Commission and the North Carolina Attorney General’s Office, as well as advice that identity theft prevention information can be obtained from these sources.
Any business required to give notice under this Section shall also notify, without unreasonable delay, the Consumer Protection Division of the Attorney General’s Office, and that notice shall include the following information:
- The number of consumers affected.
- Steps taken to investigate the breach.
- Steps taken to prevent a future breach.
- The timing, distribution, and content of the notice.
If more than 1,000 individuals are involved in a breach, the business shall also notify, without unreasonable delay, all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. § 1618a(p)), of the timing, distribution, and content of the notice.
EXCEPTION. This Section does not apply to the following:
- A financial institution that is subject to and complies with the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is considered in compliance with this Section.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the business discovers or is notified of an incident of unauthorized acquisition. The disclosure shall be made in the most expedient manner possible and without unreasonable delay, consistent with the needs of law enforcement and with any measures necessary to determine the scope of the breach, to obtain sufficient contact information, and to restore the reasonable integrity, security, and confidentiality of the data system. Notification may be delayed if law enforcement advises that it will impede a criminal investigation or jeopardize national security. Such a request must be made in writing, or documented by the business in writing, and must include the name of the officer making the request and the law enforcement agency investigating the incident. In that instance, notice will be made without unreasonable delay following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Telephonic.
- Electronic (if a valid Email address is available, the person has agreed to Email communication, and notice is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. Substitute notice may be used if the business can demonstrate that the cost of providing notice will exceed $250,000, or that the affected class of persons to be notified exceeds 500,000. It may also be used where the business has insufficient contact information or consent for some affected persons, or is unable to identify some affected persons, but only for those affected persons. Substitute notice shall consist of all of the following:
- Email notice if the person or business has an Email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the business if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD PARTIES. If a business maintains or possesses records or data that include Personal Information that it does not own, whether or not it does business in the State, the business shall notify the owner or licensee of the security breach immediately upon discovery, consistent with the needs of law enforcement. The business that owns or licenses the records or data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. Any violation of this Section is considered an unfair and deceptive trade practice in violation of G.S. 75-1.1. Civil and criminal penalties for violations are available.
PRIVATE RIGHT OF ACTION. Yes. An injured resident may file a civil action.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. NC Gen. Stat. § 75-64. Any business that conducts business in North Carolina, and any business that maintains or otherwise possesses personal information of a resident of North Carolina, must take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal. A disposal business that conducts business in North Carolina or disposes of personal information of residents of North Carolina must take all reasonable measures to dispose of records containing personal information by implementing, and monitoring compliance with, policies and procedures that protect against unauthorized access to or use of personal information during or after the collection, transportation, and disposal of such information.
LEGISLATIVE UPDATES.
S.B. 1048 – Signed into law on 9/21/2005, Effective 12/1/2005.
S.B. 1017 – Signed into law on 7/27/2009, Effective 7/27/2009.
For more information, see here: https://ncleg.gov/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_75/Article_2A.html
AND
https://ncleg.gov/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_14/Article_19C.html
AND
https://ncdoj.gov/protecting-consumers/protecting-your-identity/protect-your-business-from-id-theft/security-breach-information/
AND
https://ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_1/GS_1-539.2C.html
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.