800.668.7020
M-F 8:00AM TO 5:30PM CST
Better coverage. Better price.

North Carolina Data Breach Laws: Reporting Requirements

North Carolina businesses that suffer a data breach must notify affected NC residents by mail, phone, or email as soon as possible. If the security breach affects more than 500,000 people, or the cost of notification exceeds $250,000, other means of notification can be used (e.g., public service announcements). If a breach impacts more than 1,000 people, all credit-reporting agencies must be informed. Regardless of how many people a breach affects, it must be reported to the state attorney general.

Name of Law / Statute

N/A

Definition of Protected Information

Combination of (1) name or other identifying info, PLUS (2) one or more of these "data" elements: SSN; driver's license number; or account number, credit card number, debit card number if accompanied by PIN, password, or access codes + mother's maiden name, electronic signature, unique biometric data (including voice print), computer passwords; includes paper copies

Who Is Subject to Law?

Any person or business conducting business in the state who licenses or owns PI

Notification of Consumers?

Yes, unless determination of no harm by business

By what means?

Written, phone, or electronic; if >1,000 residents, must notify consumer reporting agencies; specific info must be included in notice

Substitute Notice Threshold?

If cost of notice >$250,000 or involves >500k residents

Notification of authorities / regulators required?

Yes

By what means?

North Carolina Security Breach Reporting Form

Regulatory Fines

Up to $5,000/violation

Credit monitoring requirement?

No

Private lawsuits allowed?

Yes

Private damages cap?

Treble damages + costs and attorney fees

Regulatory actions allowed?

Yes

HIPAA Compliance exemption?

N/A

Other  (e.g., timeframe)

Law does not apply if PI was encrypted (unless encryption was compromised) or redacted

Link to complete law

http://www.ncga.state.nc.us

Read the full text of North Carolina’s data breach law.

70% of businesses raise prices or cut hiring when sued