Data Breach Notification Statutes – North Carolina
Last Updated: 02/28/2024
- Applicable Statute: N.C. Gen. Stat. §§ 75-61, 75-65
- Attorney General Notice Required: Yes, notify the Attorney General.
- Timing: Without unreasonable delay.
- Method: Online at https://ncdoj.gov/protecting-consumers/protecting-your-identity/protect-your-business-from-id-theft/report-a-security-breach/
- Content: Must include the nature of the breach, number of consumers affected, steps taken to investigate and to prevent a similar breach in the future, and information regarding the timing, distribution and content of consumer notices.
- Consumer Notice Requirements:
- Timing: Must be made without unreasonable delay, taking any necessary measures to determine sufficient contact information, determine the scope of the breach, and to restore the reasonable integrity, security, and confidentiality of the system.
- Content: Notice must be clear and conspicuous and include:
- A description of the incident in general terms;
- A description of the type of personal information involved;
- A description of the general acts of the covered entity to protect the information from further unauthorized access;
- A telephone number for the entity that affected individuals can call for further information and assistance, if one exists;
- Advice directing the individual to stay vigilant by reviewing account statements and monitoring free credit reports;
- Toll free number an address for the major credit reporting agencies;
- Toll-free number, address, and website address for the FTC and the Attorney General’s Office; and
- A statement that the person can obtain information from these sources about identify theft.
- Method: Written notice, telephone notice if direct contact is made with the affected residents, or electronic notice to residents with a valid email address who agreed to receive communications electronically and if consistent with E-SIGN. Substitute notice is also available under certain circumstances.
- Consumer Reporting Agency Obligations: If more than 1,000 residents are notified, the entity must also notify all nationwide credit reporting agencies without unreasonable delay as to the timing, distribution, and content of consumer notices.