Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Third Party: Specific Obligations
  • Third Party: Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach and notification laws: up to $5,000 for each offense

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Third Party Management
  • Data Protection
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Breach reporting to the Consumer Protection Division of the Attorney General’s Office must be completed without unreasonable delay, when the business provides consumer notice to an affected person.
  • In the event a business provides notice to more than 1,000 persons, breach reporting is required to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • For violations of the law pertaining to security breaches and destruction of personal information records, the court may impose a civil penalty of up to $5,000 for each offense. If a violation is continuous, each week of the continued violation may be considered a separate offense. Restitution of fees to the attorney general may be granted.
  • Laws mandate that specific details must be included in the notice to consumers.
  • For violations of the law pertaining to destruction of personal information records, the court may impose a civil penalty up to $5,000 for each violation.
  • For violations involving the publication of personal information, a civil suit may be brought with damages up to $5,000, but no less than $500.00, or three times the amount of actual damages, whichever amount is greater.
  • There are separate laws for the protection of personal information relating to medical and insurance.
  • If a vendor is breached, it must report the breach to the data owner. The data owner is responsible for completing the reporting and consumer notification.
  • If your breach affects residents in other states, you will need to notify those residents using the state’s rules.
Statutes and Laws
  • N.C. Gen. Stat. §§ 75-60 – 75-66 Identity Theft Protection Act (2005)

    Referenced citations within the Identity Theft Protection Act:

    Violations constitute a violation of N.C. Gen. Stat. § 75-1.1

    N.C. Gen. Stat. § 14-113.8(6) (1967)

    N.C. Gen. Stat. § 14-113.20(b) Defining the term “identifying information” (1999)

    N.C. Gen. Stat. § 58-2-105 Confidentiality of medical and credentialing records (1989)

    N.C. Gen. Stat. § 58-39-45 Access to recorded personal information (1981)

    N.C. Gen. Stat. § 58-39-75 Disclosure limitations and conditions (1981)

    N.C. Gen. Stat. § 132-1.10 Social security numbers and other personal identifying information (2005)
