North Carolina Data Breach Notification Law

Notification deadline: Without unreasonable delay

Enforcement: North Carolina Attorney General

Overview

North Carolina requires businesses to notify affected residents "without unreasonable delay" and notify the Consumer Protection Division within 24 hours of notifying residents. The state requires free credit monitoring for Social Security number breaches.

Who Must Be Notified

• • Affected North Carolina residents
• • NC Attorney General Consumer Protection Division (within 24 hours of resident notification)
• • Consumer reporting agencies (if 1,000+ residents affected)

Covered Data Types

Social Security number, Driver's license number, State ID number, Financial account number with access code, Credit/debit card number, Passport number, Taxpayer ID number, Employer-assigned ID with password, Biometric data, Digital signatures

Notification Requirements

• • Written, telephonic, or electronic notice without unreasonable delay
• • Must notify Consumer Protection Division within 24 HOURS of resident notification
• • Description of incident and types of data involved
• • If SSN involved, must provide credit monitoring at no cost
• • Contact information for credit bureaus
• • Cannot require waiver of rights as condition of notification

Exemptions

• • Encrypted data (if key not compromised)
• • Entities in compliance with GLBA, HIPAA, federal banking regulations
• • Good faith acquisition by employee

Penalties

Up to $5,000 per violation under Unfair and Deceptive Trade Practices Act. AG can seek treble damages in some cases.