North Carolina Cybersecurity Requirements
Understanding North Carolina's Identity Theft Protection Act and its requirements for businesses handling personal information of NC residents.
Important Disclaimer
The information provided on this page is for general informational purposes only. State cybersecurity regulations are complex and subject to change. We recommend reaching out to our team to confirm you have covered all applicable requirements for North Carolina operations.
Overview
North Carolina's Identity Theft Protection Act (mainly Article 2A of Chapter 75 of the General Statutes) sets requirements for how businesses and government entities protect personal information of North Carolina residents and how they respond to security breaches.
Who is Covered?
- Any business or state/local government agency that owns or licenses "personal information" about a North Carolina resident
- This can include financial institutions, lenders, servicers, and other organizations handling sensitive consumer data
Key Cybersecurity and Data Handling Expectations
While North Carolina's law is often discussed in the context of breach notification, it also embeds data security and identity-theft prevention concepts, including:
Reasonable Security Measures
- Businesses must take reasonable steps to protect personal information from unauthorized access, acquisition, or use that could result in harm or identity theft
Restrictions on Social Security Numbers
- SSNs may not be used as public identifiers, printed on mailed materials (with limited exceptions), or transmitted over the internet in unencrypted form
- SSNs cannot be used as the sole means of authentication without additional factors
Destruction of Records
- When disposing of records containing personal information, businesses must take reasonable steps to destroy the information (e.g., shredding, erasing, or otherwise making it unreadable)
Breach Notification Obligations
A "security breach" generally means unauthorized access to or acquisition of unencrypted or unredacted personal information that creates a risk of identity theft or other harm.
If a breach occurs, covered entities must:
- Conduct a prompt investigation
- Notify affected North Carolina residents "without unreasonable delay" once they determine misuse is likely, consistent with law enforcement or remedial needs
- Notify consumer reporting agencies if a large number of residents are affected
- For certain entities, notify the NC Attorney General / Department of Justice
- Include specific content in each notice, such as the type of incident, the kinds of information involved, and steps consumers can take
