BREACH NOTIFICATION – Mandated Timeframe
Without unreasonable delay
FINES & PENALTIES – Violations
Up to $5,000 per offense
Vendor Contract Required
PRIVACY AND SECURITY LAWS
Laws related to personal information and privacy and security.
North Carolina Privacy Law Information
Organizations must have measures in place for the secure disposal of personal information. Disposal Vendors must be contracted. Vendors contracted for record destruction must be monitored by the Organization for compliance with manners of destruction allowed under the law.
Breach reporting to the Consumer Protection Division of the Attorney General’s Office must be completed without unreasonable delay when a breached Organization provides consumer notice to an affected state resident. In the event an Organization provides notice to more than 1,000 persons, breach reporting is required to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
Vendors must notify the Organization immediately after discovery of a breach or suspected breach. The Organization will be responsible for completing any required regulatory reporting and consumer notifications.
Destruction Vendors must be certified and must provide independent audits to an Organization. In addition, they must have policies and procedures in place to protect against unauthorized access to personal information during and after disposal. There are separate laws for the protection of personal information relating to medical and insurance matters.
For violations of the law pertaining to security breaches and destruction of personal information records, the court may impose a civil penalty of up to $5,000 for each offense. If a violation is continuous, each week of the continued violation may be considered a separate offense. Restitution of fees to the attorney general may be granted. Organizations may be fined or penalized for Vendor violations.
North Carolina Statutes and Laws
Personal Identification Code
Defining the term “identifying information”
Confidentiality of medical and credentialing records
Access to recorded personal information
Disclosure limitations and conditions
Methods of competition, acts and practices regulated; legislative policy
Identity theft protection act
Social security numbers and other personal identifying information
The information provided is not legal guidance or a recommendation and is for informational purposes only.