Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
- up to $5,000 for each offense

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Breach reporting to the Consumer Protection Division of the Attorney General’s Office must be completed without unreasonable delay, when the business provides consumer notice to an affected person.
  • In the event a business provides notice to more than 1,000 persons, breach reporting is required to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • For violations of the law pertaining to security breaches and destruction of personal information records, the court may impose a civil penalty against of up to $5,000 for each offence. If a violation is continuous, each week of the continued violation may be considered a separate offense. Restitution of fees to the attorney general may be granted.
  • Laws mandate that specific details must be included in the notice to consumers.
  • For violations involving the publication of personal information, a civil suit may be brought with damages up to $5,000, but no less than $500, or three times the amount of actual damages, whichever amount is greater.
  • There are separate laws for the protection of personal information relating to medical and insurance.
  • If a vendor is breached, they must report it to the data owner.  The data owner will be responsible to complete the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using the state’s rules.
Statutes and Laws
  • N.C. Gen. Stat. §§ 75-60 – 75-66 Identity Theft Protection Act

    Referenced citations within the Identify Theft Protection Act:

    • N.C. Gen. Stat § 75-1.1
    • N.C. Gen. Stat. § 14-113.8(6)
    • N.C. Gen. Stat. § 14-113.20(b) Defining the term “identifying information”

    N.C. Gen. Stat. § 58-2-105 Confidentiality of medical and credentialing records

    N.C. Gen. Stat. § 58-39-45 Access to recorded personal information

    N.C. Gen. Stat. § 58-39-75 Disclosure limitations and conditions

    N.C. Gen. Stat. § 132-1.10 Social security numbers and other personal identifying information

BAck to map