North Carolina Data Breach
NC Gen. Stat. § 75-61, § 75-65
NC Gen. Stat. § 14-113.20
CITATION:
NC Gen. Stat. § 75-60 - § 75-66
Chapter 75 - Monopolies, Trusts and Consumer Protection
Article 2A - Identity Theft Protection Act.
§ 75-61. Definitions.
§ 75-65. Protection from security breaches.
§ 75-61. Definitions.
The following definitions apply in this Article:
(1) "Business". - A sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit. The term includes a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this State, any other state, the United States, or any other country, or the parent or the subsidiary of any such financial institution. Business shall not include any government or governmental subdivision or agency.
(2) "Consumer". - An individual.
(3) "Consumer report" or "credit report". - Any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for any of the following:
a. Credit to be used primarily for personal, family, or household purposes.
b. Employment purposes.
c. Any other purpose authorized under 15 U.S.C. § 168l(b).
(4) "Consumer reporting agency". - Any person who, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.
(5) "Credit card". - Has the same meaning as in section 103 of the Truth in Lending Act (15 U.S.C. § 160, et seq.).
(6) "Debit card". - Any card or device issued by a financial institution to a consumer for use in initiating an electronic fund transfer from the account holding assets of the consumer at such financial institution, for the purpose of transferring money between accounts or obtaining money, property, labor, or services.
(7) "Disposal" includes the following:
a. The discarding or abandonment of records containing personal information.
b. The sale, donation, discarding, or transfer of any medium, including computer equipment or computer media, containing records of personal information, or other nonpaper media upon which records of personal information are stored, or other equipment for nonpaper storage of information.
(8) "Encryption". - The use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key.
(9) "Person". - Any individual, partnership, corporation, trust, estate, cooperative, association, government, or governmental subdivision or agency, or other entity.
(10) "Personal information". - A person's first name or first initial and last name in combination with identifying information as defined in G.S. 14-113.20(b). Personal information does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, including name, address, and telephone number, and does not include information made lawfully available to the general public from federal, state, or local government records.
(11) "Proper identification". - Information generally deemed sufficient to identify a person. If a person is unable to reasonably identify himself or herself with the information described above, a consumer reporting agency may require additional information concerning the consumer's employment and personal or family history in order to verify the consumer's identity.
(11a) "Protected consumer". - An individual (i) who is under the age of 16 at the time a request for the placement of a security freeze is made pursuant to G.S. 75-63.1 or (ii) who is incapacitated or for whom a guardian or guardian ad litem has been appointed.
(11b) "Protected consumer security freeze". - A security freeze placed on a protected consumer's credit report or on a protected consumer's file pursuant to G.S. 75-63.1.
(11c) "Protected consumer's file". - A record that (i) identifies a protected consumer, (ii) is created by a consumer reporting agency solely for the purpose of complying with the requirements of G.S. 75-63.1, and (iii) may not be created or used to consider the protected consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.
(12) "Records". - Any material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics.
(13) "Redaction". - The rendering of data so that it is unreadable or is truncated so that no more than the last four digits of the identification number is accessible as part of the data.
(13a) "Representative". - A person who provides to a consumer reporting agency sufficient proof of authority to act on behalf of a protected consumer.
(14) "Security breach". - An incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall constitute a security breach. Good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose is not a security breach, provided that the personal information is not used for a purpose other than a lawful purpose of the business and is not subject to further unauthorized disclosure.
(15) "Security freeze". - Notice placed in a credit report, at the request of the consumer and subject to certain exceptions, that prohibits the consumer reporting agency from releasing all or any part of the consumer's credit report or any information derived from it without the express authorization of the consumer.
(16) "Sufficient proof of authority". - Either of the following:
a. A certified or official copy of the protected consumer's birth certificate, if the representative is a parent of the protected consumer.
b. Documentation that shows that a representative has authority to act on behalf of a protected consumer, including the following:
1. An order issued by a court of law.
2. A valid power of attorney.
3. A written, notarized statement signed by the person that expressly describes the authority of the representative to act on behalf of a protected consumer.
(17) "Sufficient proof of identification". - Information or documentation that identifies a protected consumer or representative, including the following:
a. A Social Security number or a copy of a Social Security card issued by the Social Security Administration.
b. A certified or official copy of a birth certificate issued by the entity authorized to issue the birth certificate.
c. A copy of a drivers license, an identification card issued by the Division of Motor Vehicles, or any other government-issued identification.
d. A copy of a bill, including a bill for telephone, sewer, septic tank, water, electric, oil, or natural gas service, that shows a name and home address. (2005-414, s. 1; 2015-193, s. 1.)
§ 75-65. Protection from security breaches.
(a) Any business that owns or licenses personal information of residents of North Carolina or any business that conducts business in North Carolina that owns or licenses personal information in any form (whether computerized, paper, or otherwise) shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of this section, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. For the purposes of this section, personal information shall not include electronic identification numbers, electronic mail names or addresses, Internet account numbers, Internet identification names, parent's legal surname prior to marriage, or a password unless this information would permit access to a person's financial account or resources.
(b) Any business that maintains or possesses records or data containing personal information of residents of North Carolina that the business does not own or license, or any business that conducts business in North Carolina that maintains or possesses records or data containing personal information that the business does not own or license shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section.
(c) The notice required by this section shall be delayed if a law enforcement agency informs the business that notification may impede a criminal investigation or jeopardize national or homeland security, provided that such request is made in writing or the business documents such request contemporaneously in writing, including the name of the law enforcement officer making the request and the officer's law enforcement agency engaged in the investigation. The notice required by this section shall be provided without unreasonable delay after the law enforcement agency communicates to the business its determination that notice will no longer impede the investigation or jeopardize national or homeland security.
(d) The notice shall be clear and conspicuous. The notice shall include all of the following:
(1) A description of the incident in general terms.
(2) A description of the type of personal information that was subject to the unauthorized access and acquisition.
(3) A description of the general acts of the business to protect the personal information from further unauthorized access.
(4) A telephone number for the business that the person may call for further information and assistance, if one exists.
(5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
(6) The toll-free numbers and addresses for the major consumer reporting agencies.
(7) The toll-free numbers, addresses, and Web site addresses for the Federal Trade Commission and the North Carolina Attorney General's Office, along with a statement that the individual can obtain information from these sources about preventing identity theft.
(e) For purposes of this section, notice to affected persons may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, for those persons for whom it has a valid e-mail address and who have agreed to receive communications electronically if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing set forth in 15 U.S.C. § 7001.
(3) Telephonic notice provided that contact is made directly with the affected persons.
(4) Substitute notice, if the business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000) or that the affected class of subject persons to be notified exceeds 500,000, or if the business does not have sufficient contact information or consent to satisfy subdivisions (1), (2), or (3) of this subsection, for only those affected persons without sufficient contact information or consent, or if the business is unable to identify particular affected persons, for only those unidentifiable affected persons. Substitute notice shall consist of all the following:
a. E-mail notice when the business has an electronic mail address for the subject persons.
b. Conspicuous posting of the notice on the Web site page of the business, if one is maintained.
c. Notification to major statewide media.
(e1) In the event a business provides notice to an affected person pursuant to this section, the business shall notify without unreasonable delay the Consumer Protection Division of the Attorney General's Office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice.
(f) In the event a business provides notice to more than 1,000 persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Attorney General's Office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice.
(g) Any waiver of the provisions of this Article is contrary to public policy and is void and unenforceable.
(h) A financial institution that is subject to and in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued on March 7, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision; or a credit union that is subject to and in compliance with the Final Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, issued on April 14, 2005, by the National Credit Union Administration; and any revisions, additions, or substitutions relating to any of the said interagency guidance, shall be deemed to be in compliance with this section.
(i) A violation of this section is a violation of G.S. 75-1.1. No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation.
(j) Causes of action arising under this Article may not be assigned. (2005-414, s. 1; 2009-355, s. 2; 2009-573, s. 10.)
NC Gen. Stat. § 14-113.20
Chapter 14 - Criminal Law
Article 19C - Identity Theft.
§ 14-113.20. Identity theft.
§ 14-113.20. Identity theft.
(a) A person who knowingly obtains, possesses, or uses identifying information of another person, living or dead, with the intent to fraudulently represent that the person is the other person for the purposes of making financial or credit transactions in the other person's name, to obtain anything of value, benefit, or advantage, or for the purpose of avoiding legal consequences is guilty of a felony punishable as provided in G.S. 14-113.22(a).
(b) The term "identifying information" as used in this Article includes the following:
(1) Social security or employer taxpayer identification numbers.
(2) Drivers license, State identification card, or passport numbers.
(3) Checking account numbers.
(4) Savings account numbers.
(5) Credit card numbers.
(6) Debit card numbers.
(7) Personal Identification (PIN) Code as defined in G.S. 14-113.8(6).
(8) Electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names.
(9) Digital signatures.
(10) Any other numbers or information that can be used to access a person's financial resources.
(11) Biometric data.
(12) Fingerprints.
(13) Passwords.
(14) Parent's legal surname prior to marriage.
(c) It shall not be a violation under this Article for a person to do any of the following:
(1) Lawfully obtain credit information in the course of a bona fide consumer or commercial transaction.
(2) Lawfully exercise, in good faith, a security interest or a right of offset by a creditor or financial institution.
(3) Lawfully comply, in good faith, with any warrant, court order, levy, garnishment, attachment, or other judicial or administrative order, decree, or directive, when any party is required to do so. (1999-449, s. 1; 2000-140, s. 37; 2002-175, s. 4; 2005-414, s. 6.)
§ 14-113.20A. Trafficking in stolen identities.
(a) It is unlawful for a person to sell, transfer, or purchase the identifying information of another person with the intent to commit identity theft, or to assist another person in committing identity theft, as set forth in G.S. 14-113.20.
(b) A violation of this section is a felony punishable as provided in G.S. 14-113.22(a1). (2002-175, s. 5; 2005-414, s. 7(2).)
NC Gen. Stat. § 1-539.2C
Chapter 1 - Civil Procedure
Article 43 - Nuisance and Other Wrongs.
§ 1-539.2C. Damages for identity theft.
(a) Any person whose property or person is injured by reason of an act made unlawful by Article 19C of Chapter 14 of the General Statutes, or a violation of G.S. 75-66, may sue for civil damages. For each unlawful act, or each violation of G.S. 75-66, damages may be
(1) In an amount of up to five thousand dollars ($5,000), but no less than five hundred dollars ($500.00), or
(2) Three times the amount of actual damages,
whichever amount is greater. A person seeking damages as set forth in this section may also institute a civil action to enjoin and restrain future acts that would constitute a violation of this section. The court, in an action brought under this section, may award reasonable attorneys' fees to the prevailing party.
(b) If the identifying information of a deceased person is used in a manner made unlawful by Article 19C of Chapter 14 of the General Statutes, or by a violation of G.S. 75-66, the deceased person's estate shall have the right to recover damages pursuant to subsection (a) of this section.
(c) The venue for any civil action brought under this section shall be the county in which the plaintiff resides or any county in which any part of the alleged violation of G.S. 75-66, G.S. 14-113.20 or G.S. 14-113.20A took place, regardless of whether the defendant was ever actually present in that county. Civil actions under this section must be brought within three years from the date on which the identity of the wrongdoer was discovered or reasonably should have been discovered.
(d) Civil action under this section does not depend on whether or not a criminal prosecution has been or will be instituted under Article 19C of Chapter 14 of the General Statutes for the acts which are the subject of the civil action. The rights and remedies provided by this section are in addition to any other rights and remedies provided by law. (2002-175, s. 8; 2005-414, s. 9; 2007-534, s. 3.)
For more information, see here: https://ncleg.gov/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_75/Article_2A.html
AND
https://ncleg.gov/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_14/Article_19C.html
AND
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.