Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • Very specific factors determine breach reportability;
  • Comprehensive provisions for notifications;
  • Limited methods of notification delivery;
  • Data owners are responsible for breach reporting and notifications;
  • State attorney general may need notified;
  • Violations can result in civil action, penalties and treble damages;
  • Laws also cover data protection, data disposal, and record retention;
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may also apply.

Who Me?


North Carolina breach and notification laws may apply if you:

  • Are a business that owns or licenses PII of a NC resident in any form, whether or not you conduct business in NC;
  • Are a business that maintains or possesses records or data with a NC resident’s PII, but do not own or license it, whether or not you conduct business in NC;
  • An agency of the State or its political subdivisions, or any agent or employee of a government agency.

 There are exemptions.

What is PII?


PII relevant to a breach in North Carolina include a person's name plus one or more of the following:

  • Social security, employer tax id, driver’s license, State ID, passport, checking or savings account, or credit or debit card numbers;
  • Electronic ID numbers, email names or addresses, Internet account numbers or identification names;
  • Digital signatures, or biometric data, fingerprints, or passwords;
  • PIN Codes or any other numbers that can be used to access financial resources;
  • Parent's legal surname prior to marriage.



A few of these laws include, but are not limited to:

  • Chapter 75, Article 2A:  Identify Theft Protection Act / §75-60, 75-61, 75-65;
  • Chapter 14, Article 19B: § 14-113.8(6) Personal Identification Code;
  • Chapter 14, Article 19C:  Identify Theft / § 14-113.20(b);
  • Chapter 132, Public Records / § 132-1.10 (c1);
  • Chapter 75, Article 1: General Provisions / § 75-1.1, 75-16.2.


A few of these laws include, but are not limited to:

  • Chapter 75, Article 2A: Identify Theft Protection Act / § 75-60, 75-61, 75-62, 75-64, 75-66
  • Chapter 132 Public Records, multiple
  • Chapter 58: § 58-39-75, § 58-2-105,



A violation of this section is a violation of G.S. 75-1.1. A violation of G.S. 75-1.1 includes an investigation or interrogation by the attorney general, who may also institute suit and up to a $5,000 fine per offense. If a violation is continuous, each week of the continued violation may be considered a separate offense. Restitution of fees to the attorney general may be granted.

If it found that a person was injured or a business broken up by violation, triple the amount fixed by the verdict may be awarded.



When considering reporting requirements, it would include, but not be limited to:

  • The combination of personal information breached, and for certain elements, whether access to a person’s financial account or resources is possible;
  • If the data was encrypted or redacted;
  • If a key or confidential process was accessed;
  • Whether illegal use of the data has occurred or is reasonably likely to occur;
  • If there is a material risk of harm to a customer.


Depending on impact and type of breach there may be specific entities to report to and specific time limits to report a breach. All notifications must be made without unreasonable delay, unless law enforcement advises in writing that it will impede a criminal investigation.


Requires detailed information and potential provision of services

Disclosure may only be made by written notice, telephone or electronically with stipulations. A substitute notice, with specific requirements, may be used if the person demonstrates that the cost of providing the notice would exceed $250,000 or the persons to be notified exceeds 500,000, they do not have sufficient contact information, or it is not possible to identify particular affected persons.

Contact the Privacy Experts at CSR