State Codes and Statutes

§ 75‑65. Protection from security breaches.

(a) Any business that owns or licenses personal information of residents of North Carolina or any business that conducts business in North Carolina that owns or licenses personal information in any form (whether computerized, paper, or otherwise) shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of this section, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. For the purposes of this section, personal information shall not include electronic identification numbers, electronic mail names or addresses, Internet account numbers, Internet identification names, parent's legal surname prior to marriage, or a password unless this information would permit access to a person's financial account or resources.

(b) Any business that maintains or possesses records or data containing personal information of residents of North Carolina that the business does not own or license, or any business that conducts business in North Carolina that maintains or possesses records or data containing personal information that the business does not own or license shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section.

(c) The notice required by this section shall be delayed if a law enforcement agency informs the business that notification may impede a criminal investigation or jeopardize national or homeland security, provided that such request is made in writing or the business documents such request contemporaneously in writing, including the name of the law enforcement officer making the request and the officer's law enforcement agency engaged in the investigation. The notice required by this section shall be provided without unreasonable delay after the law enforcement agency communicates to the business its determination that notice will no longer impede the investigation or jeopardize national or homeland security.

(d) The notice shall be clear and conspicuous. The notice shall include all of the following:

(1) A description of the incident in general terms.

(2) A description of the type of personal information that was subject to the unauthorized access and acquisition.

(3) A description of the general acts of the business to protect the personal information from further unauthorized access.

(4) A telephone number for the business that the person may call for further information and assistance, if one exists.

(5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.

(6) The toll‑free numbers and addresses for the major consumer reporting agencies.

(7) The toll‑free numbers, addresses, and Web site addresses for the Federal Trade Commission and the North Carolina Attorney General's Office, along with a statement that the individual can obtain information from these sources about preventing identity theft.

(e) For purposes of this section, notice to affected persons may be provided by one of the following methods:

(1) Written notice.

(2) Electronic notice, for those persons for whom it has a valid e‑mail address and who have agreed to receive communications electronically if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing set forth in 15 U.S.C. § 7001.

(3) Telephonic notice provided that contact is made directly with the affected persons.

(4) Substitute notice, if the business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000) or that the affected class of subject persons to be notified exceeds 500,000, or if the business does not have sufficient contact information or consent to satisfy subdivisions (1), (2), or (3) of this subsection, for only those affected persons without sufficient contact information or consent, or if the business is unable to identify particular affected persons, for only those unidentifiable affected persons. Substitute notice shall consist of all the following:

a. E‑mail notice when the business has an electronic mail address for the subject persons.

b. Conspicuous posting of the notice on the Web site page of the business, if one is maintained.

c. Notification to major statewide media.

(e1) In the event a business provides notice to an affected person pursuant to this section, the business shall notify without unreasonable delay the Consumer Protection Division of the Attorney General's Office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice.

(f) In the event a business provides notice to more than 1,000 persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Attorney General's Office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice.

(g) Any waiver of the provisions of this Article is contrary to public policy and is void and unenforceable.

(h) A financial institution that is subject to and in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued on March 7, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision; or a credit union that is subject to and in compliance with the Final Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, issued on April 14, 2005, by the National Credit Union Administration; and any revisions, additions, or substitutions relating to any of the said interagency guidance, shall be deemed to be in compliance with this section.

(i) A violation of this section is a violation of G.S. 75‑1.1. No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation.

(j) Causes of action arising under this Article may not be assigned. (2005‑414, s. 1; 2009‑355, s. 2; 2009‑573, s. 10.)
