Security Breach Policy in the State of North Carolina

N.C. Gen. Stat. §§ 75-61, 75-65 is a data breach notification law that was passed in the U.S. state of North Carolina in 2005 and later amended in 2009. N.C. Gen. Stat. §§ 75-61, 75-65 lays out the legal framework for regulating data breach incidents within the state of North Carolina. Moreover, the law also provides the North Carolina Attorney General with the authority to impose punishments against business entities and organizations within the state that are found to be in violation of the law, which can include a wide range of sanctions and penalties. To this point, N.C. Gen. Stat. §§ 75-61, 75-65 stands as the primary means by which the personal information of North Carolina residents is legally protected in the event of a security breach.

What is the scope and application of N.C. Gen. Stat. §§ 75-61, 75-65?

In terms of the scope and application of N.C. Gen. Stat. §§ 75-61, 75-65, the provisions set forth in the law are applicable to “any sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the laws of any state or country, or the parent or the subsidiary of any such financial institution, but not including any government or governmental subdivision or agency (collectively, Entity) that owns or licenses PI of residents of NC or any Entity that conducts business in NC that owns or licenses PI in any form (computerized, paper, or otherwise).”

What are the data breach notification requirements under N.C. Gen. Stat. §§ 75-61, 75-65?

N.C. Gen. Stat. §§ 75-61, 75-65 mandates that a business entity or organization within the state provide data breach notices to all affected individuals and parties in the event that a data breach occurs. Furthermore, business entities and organizations that have experienced a data breach are also responsible for notifying the North Carolina Attorney General in the event that said breach affected more than 1,000 residents within the state, as well as the three major credit reporting agencies within the U.S. With this being said, data breach notifications under N.C. Gen. Stat. §§ 75-61, 75-65 must provide residents of the state with information including but not limited to:

• A general description of the events that lead to the breach.
• The specific categories of personal information that were compromised as a result of a breach.
• A description of the actions or measures that the affected entity undertook to protect the personal information that was compromised from further disclosure.
• A telephone number that affected individuals can contact for further information and assistance concerning the data breach, if such contact information is available.
• “The toll-free numbers, addresses, and Web site addresses for the Federal Trade Commission and the NC AG’s office, along with a statement that the individual can obtain information from these sources about preventing identity theft.”

What categories of personal information are covered under N.C. Gen. Stat. §§ 75-61, 75-65?

Under N.C. Gen. Stat. §§ 75-61, 75-65, the following categories of personal information are protected under the law, in combination with a North Carolina resident’s first name or first initial and last name:

• Social security numbers and employer tax identification numbers.
• Drivers license numbers, state identification card numbers, and passport numbers.
• Checking and savings account numbers.
• Credit and debit card numbers.
• PIN numbers.
• Digital signatures.
• Any other numbers or information that could be used to gain access to an individual’s financial account.
• Biometric data and fingerprints.

What’s more, N.C. Gen. Stat. §§ 75-61, 75-65 also covers the following categories of personal information should a data breach occur, permitting these data elements “would permit access to a person’s financial account or resources”:

• Email names and addresses.
• Internet account numbers.
• Internet ID names.
• Passwords.
• Parent’s legal surname prior to marriage.

What are the penalties for violating N.C. Gen. Stat. §§ 75-61, 75-65?

In terms of the enforcement of N.C. Gen. Stat. §§ 75-61, 75-65, the provisions established in the law are enforceable by the North Carolina Attorney General. To this end, the North Carolina Attorney General has the authority to impose a number of punishments against businesses and organizations that fail to comply with the law, which can include monetary penalties and civil action. To further illustrate the potential scope and severity of penalties that can be imposed in conjunction with N.C. Gen. Stat. §§ 75-61, 75-65, a 2013 data breach of Target Corp. that affected more than 43 million people ultimately resulted in “a grand settlement payment of $18.5 million, with $390,814 of that going towards North Carolina state.”

Through the provisions of N.C. Gen. Stat. §§ 75-61, 75-65, residents of the state of North Carolina were afforded legal protection in the event that their personal information is comprised during a data breach. As 2013 data of Target Corp. and the subsequent settlement that followed shows, violating the provisions set forth in the law can lead to substantial sanctions and penalties. As such, residents of the state of North Carolina can have the peace of mind that they have a legal framework in place within their state that will allow them to seek justice and compensation should their personal information be disclosed during a data breach.