skip to main content
Experience List
  • Email Page
  • Create PDF
  • Print Page
North Carolina Data Breach Statute


N.C. Gen. Stat. §§ 75-61, 75-65

To print or save this summary, click here.


Quick Facts

Breach Based on
Harm Threshold

Deadline for
Consumer Notice

Notification Required


Without unreasonable delay



More Details

Scope of this Summary Notification requirements applicable to businesses that own or license covered info. Some types of businesses may be exempt from some or all of these requirements non-commercial entities may be subject to different requirements.
Covered Info First name or first initial and last name, plus: Social Security or employer taxpayer ID numbers; driver’s license, state ID card, or passport numbers; checking account, savings account, credit card or debit card numbers; PIN code; digital signatures; biometric data; fingerprints; electronic ID numbers, email names/addresses, Internet account numbers, usernames, parent’s legal surname prior to marriage, or passwords (if such information would permit access to a person’s financial account or resources); or any other numbers or information that can be used to access a person’s financial resources.
Form of Covered Info Electronic or Paper
Encryption Safe Harbor Statute does not apply to information that is encrypted or redacted, so long as encryption key was not compromised.
Breach Defined Unauthorized access and acquisition of covered info, excluding certain good-faith acquisitions by employees or agents.
Consumer Notice Timing: Must be made without unreasonable delay taking any necessary measures to determine sufficient contact info, determine the scope of the breach and to restore the reasonable integrity, security and confidentiality of the system.

Content: Notice must be clear and conspicuous and include: a description of the incident in general terms; types of covered info involved; covered entity’s general acts to protect against further unauthorized access; covered entity’s telephone number that the resident can call for further information and assistance, if one exists; advice that directs residents to remain vigilant; toll-free numbers and addresses for the major CRAs; and toll-free numbers, addresses, and websites for the FTC and the NC Attorney General's office, along with a statement that the resident can obtain information about preventing identity theft from these sources.

Method: By written notice, telephonic notice, or electronic notice (if residents have agreed to receive communications electronically and notice is consistent with E-SIGN). Substitute notice is available if certain criteria are satisfied.
Delayed Notice Notification may be delayed if law enforcement determines that the notification will impede a criminal investigation or jeopardize homeland or national security and makes the request in writing or the covered entity documents the request contemporaneously in writing, including the name of the officer and agency.
Harm Threshold Notification not required if no illegal use of covered info has occurred or is reasonably likely to occur and breach does not create a material risk of harm to resident.
Government Notice If residents are notified, must notify the Consumer Protection Division of the Attorney General's office without unreasonable delay and provide the nature of the breach, number of consumers affected, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution and content of the consumer notices.

*N.C. Admin Code 3M.0402: Mortgage licensees must notify the Commissioner of the North Carolina Banking Commission within one business day of providing notice to resident.
Consumer Agency Notice If more than 1,000 residents are notified, must notify all nationwide CRAs without unreasonable delay of timing, distribution, and content of the consumer notice.
Third-Party Notice If you maintain covered info on behalf of another entity, must notify immediately following discovery of a breach.
Potential Penalties Violations may result in civil or criminal penalties.

To print or save this summary, click here.

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on March 26, 2018