North Carolina Statutes § 75-60 et seq
Type of Data Covered: Any form of data.
Is Breach Defined?
Yes, in combination with records, "Security breach". -- An incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall constitute a security breach. Good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose is not a security breach, provided that the personal information is not used for a purpose other than a lawful purpose of the business and is not subject to further unauthorized disclosure."
"Records". -- Any material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics."
When is notice required?
Notice is required for all affected residents and "...should be made without unreasonable delay, consistent with the legitimate needs of law enforcement... and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach and restore reasonable integrity, security and confidentiality of the data system." The notice may be written, electronic, telephonic, or via "substitute notice" procedures, depending on circumstances, but must include all of the information in § 75-65(d). Notice must also go to the Consumer Protection Division of the Attorney General's Office and if over 1,000 residents are affected then consumer credit agencies must receive notice as well.
What are the penalties for non-compliance?
Violations have their own section of the law and are considered unlawful business practices. § 75-65(i)-(j) reads as follows:
(i) A violation of this section is a violation of G.S. 75-1.1. No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation.
(j) Causes of action arising under this Article may not be assigned.