North Carolina Data Breach Notification Laws: Reporting Rules & Timelines (2026)

If your business handles personal information belonging to North Carolina residents, a data breach triggers specific legal obligations under the state's Identity Theft Protection Act. N.C. Gen. Stat. 75-61 through 75-66 sets out who must be notified, what information triggers the duty, and how quickly you need to act. Enacted in 2005 and amended most recently in 2009, the law stands out for its enforcement mechanism: violations are treated as unfair and deceptive trade practices, exposing businesses to treble damages.
This guide covers the full scope of North Carolina's breach notification requirements, including what personal information triggers the law, who must be notified, the timeline, enforcement penalties, exemptions, and how the law interacts with the state's [broader data privacy framework](/us-laws/data-privacy-laws/north-carolina-data-privacy-laws).
Who Must Comply With North Carolina's Breach Notification Law
North Carolina's breach notification law applies to any business that owns or licenses personal information of North Carolina residents. It also applies to any business conducting business in North Carolina that owns or licenses personal information in any form, whether computerized, paper, or otherwise.
The law distinguishes between data owners and data maintainers. If a third party maintains personal information that it does not own or license, that third party must notify the data owner or licensee of any security breach immediately following discovery. The data owner then takes on the responsibility of notifying affected consumers and the Attorney General.
This means out-of-state companies holding North Carolina residents' data are fully subject to the law. There is no exemption based on business location.
What Qualifies as a Security Breach
Under N.C. Gen. Stat. 75-61(14), a security breach is defined as an incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where:
- Illegal use of the personal information has occurred or is reasonably likely to occur, or
- The incident creates a material risk of harm to a consumer
This is a two-pronged trigger. Notification is required if either condition is met, not just when actual misuse has been confirmed.
Good Faith Exception
A good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose does not constitute a security breach, provided that the personal information is not used for an unauthorized purpose and is not subject to further unauthorized disclosure.
The Encryption Safe Harbor
North Carolina provides a safe harbor for encrypted data, but with an important limitation. If the compromised data was encrypted and the encryption key was not also compromised, the incident does not qualify as a security breach. However, if the encryption key was accessed or acquired during the same breach, the safe harbor does not apply and full notification is required.

Encryption is defined under N.C. Gen. Stat. 75-61(6) as the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.
What Personal Information Triggers the Law
Under N.C. Gen. Stat. 75-61(10), personal information means a person's first name or first initial and last name in combination with any of the following:
- Social Security number
- Driver's license, State identification card, or passport number
- Checking account number
- Savings account number
- Credit card number
- Debit card number
- Personal Identification (PIN) code
- Digital signatures
- Biometric data (fingerprints and other identifying data elements)
- Any other numbers or information that can be used to access a person's financial resources
The definition also includes electronic identification numbers, email addresses, or internet account numbers in combination with passwords, security questions, or other credentials that would permit access to an online account.
Personal information does not include publicly available directories or information lawfully made available to the general public.
Notification Timeline
North Carolina does not impose a fixed deadline measured in days. Instead, N.C. Gen. Stat. 75-65(a) requires notification "without unreasonable delay." The statute allows for delays that are:
- Consistent with the legitimate needs of law enforcement
- Necessary to determine sufficient contact information
- Necessary to determine the scope of the breach
- Necessary to restore the reasonable integrity, security, and confidentiality of the data system
Law enforcement may request a delay if notification would impede a criminal investigation. The request must come from a law enforcement agency, and the business may delay notification for a reasonable period of time.
Who Must Be Notified
Affected Individuals
Every person whose personal information was compromised must receive notification. The notice must be clear and conspicuous and include:
- A description of the incident
- The type of personal information involved
- Steps the business has taken or plans to take regarding the breach
- Toll-free numbers, addresses, and website addresses for the Federal Trade Commission and the North Carolina Attorney General's Office
- A statement that the individual can obtain information from these sources about preventing identity theft

Attorney General
The Consumer Protection Division of the North Carolina Department of Justice must be notified of every breach affecting North Carolina residents. The AG notification must include:
- The nature of the breach
- The number of consumers affected
- Steps taken to investigate the breach
- Steps taken to prevent a similar breach in the future
- Information regarding the timing, distribution, and content of the consumer notice
Consumer Reporting Agencies
When a breach affects more than 1,000 persons at one time, the business must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. The CRA notification must include the timing, distribution, and content of the notice sent to affected individuals.
Methods of Notification
Businesses can provide notification through several methods:
- Written notice sent to the last known postal address
- Email notice if the affected person has consented to receive electronic communications
- Telephone notice provided directly to the affected person
Substitute Notice
Substitute notice is available if the business can demonstrate that:
- The cost of providing direct notice would exceed $250,000, or
- The affected class exceeds 500,000 persons, or
- The business lacks sufficient contact information
Substitute notice must consist of all of the following: email notice (where the business has an email address), conspicuous posting on the business's website, and notification to major statewide media.

Enforcement and Penalties
North Carolina's enforcement mechanism is notably aggressive compared to most states. Under N.C. Gen. Stat. 75-66, a violation of the Identity Theft Protection Act is a violation of N.C. Gen. Stat. 75-1.1, which prohibits unfair or deceptive trade practices (UDTP).
This classification has significant consequences:
Private Right of Action
Under N.C. Gen. Stat. 75-16, any person injured by a violation of Chapter 75 may bring a civil action. If damages are assessed, the court must award treble the amount of actual damages. This means affected consumers can sue businesses directly for breach notification failures.
Treble Damages
The treble damages provision under G.S. 75-16 applies automatically when a court finds a UDTP violation and assesses damages. This triples whatever compensatory damages the jury awards.
There is a limited exception: damages caused by acts or omissions of non-managerial employees are not trebled unless the business was negligent in training, supervision, or monitoring of those employees.
Attorney's Fees
Under N.C. Gen. Stat. 75-16.1, the court may award reasonable attorney's fees to the prevailing party. This further increases the financial exposure for businesses that fail to comply.
AG Enforcement
The North Carolina Attorney General can also bring enforcement actions under the UDTP statute, seeking injunctive relief, civil penalties, and restitution.
Exemptions
Federal Compliance Exemption
Financial institutions that maintain breach notification procedures in compliance with federal interagency guidance on response programs for unauthorized access to customer information under the Gramm-Leach-Bliley Act are exempt from the state breach notification requirements, provided they notify the AG as required.
HIPAA Entities
Entities subject to and in compliance with HIPAA's breach notification requirements are also exempt, provided they notify the AG.
Data Destruction Requirements
North Carolina also imposes obligations for the destruction of personal information records. Under N.C. Gen. Stat. 75-64, businesses must take reasonable measures to protect against unauthorized access to or use of personal information when destroying records. Acceptable methods include shredding, erasing, or otherwise making the information unreadable or undecipherable.
Sources and References
This article draws from the following official North Carolina government sources:
- N.C. Gen. Stat. 75-65 (Protection from Security Breaches) - Full text of North Carolina's breach notification statute
- N.C. Gen. Stat. 75-61 (Definitions) - Definitions including personal information and security breach
- N.C. Gen. Stat. Chapter 75, Article 2A (Identity Theft Protection) - Full text of the Identity Theft Protection Act
- N.C. Gen. Stat. Chapter 75, Article 1 (UDTP) - Unfair and Deceptive Trade Practices Act including treble damages
- NC DOJ: Security Breach Information - Attorney General breach reporting guidance
- NC DOJ: Report a Security Breach - Online breach reporting portal
This article provides general legal information about North Carolina data privacy laws and breach notification requirements. It is not legal advice, and it does not create an attorney-client relationship. Data breach response involves time-sensitive obligations. Consult a qualified attorney licensed in North Carolina for guidance specific to your situation.