# North Carolina Consumer Privacy Law[^about]

North Carolina has no comprehensive consumer-privacy statute. The Identity Theft Protection Act governs breach notice, Social Security numbers, data disposal, and security freezes, with express Chapter 75 bridges for specific sections.

## Which privacy laws apply to your business in North Carolina? {#which-privacy-laws-apply}

**Short answer.** There is no comprehensive North Carolina consumer-privacy law. The operative state statute is the Identity Theft Protection Act [^itpa-7560-title], an Article of Chapter 75 that governs breach notification, Social Security numbers, record disposal, and credit-report security freezes rather than data handling generally. Its breach-notice duty reaches any business that owns or licenses personal information of North Carolina residents, or that conducts business in North Carolina and owns or licenses personal information in any form — computerized, paper, or otherwise [^itpa-7565-scope] — with no revenue or consumer-volume threshold.

North Carolina residents have no general state-law rights to access, delete, correct, or port their personal data and no right to opt out of its sale, and businesses face no state notice-at-collection, consent, data-protection-assessment, or processor-contract duties. What the state has instead is the Identity Theft Protection Act (ITPA), N.C. Gen. Stat. §§ 75-60 through 75-66, plus a handful of sector-specific statutes: school-technology operators may not target advertising based on school-use information or sell or rent student data [^itpa-115c-student-targeting] [^itpa-115c-student], and health insurers may not refuse coverage, raise group premium rates, or charge higher premiums because of genetic information [^itpa-583215-genetic].

The rest of a North Carolina privacy program rides the federal and sectoral overlay. Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide; the Gramm-Leach-Bliley Act governs financial institutions; HIPAA governs covered health entities and their business associates; and the Children's Online Privacy Protection Act governs services directed to children under 13. None of those is a North Carolina statute, but together with the ITPA they are what actually shapes a compliant North Carolina-facing program today.

Pending proposals could change that, but no comprehensive consumer-privacy law has been enacted as of this review. A program built to the ITPA and the federal overlay would upgrade rather than restart if North Carolina later adopted an omnibus privacy statute.

## Can a consumer sue your business over a data breach in North Carolina? {#breach-lawsuit-treble-damages}

**Short answer.** Yes, if the consumer was injured and the violated section supplies the bridge. The breach-notification section itself says a violation is a violation of the state's unfair-trade-practices act, and an injured individual may bring a private action [^bridge-7565-per-se]. Once a Chapter 75 violation injures a person, the damages remedy is not discretionary: judgment shall be rendered for treble the amount fixed by the verdict [^bridge-7516-treble]. A prevailing party may also recover a reasonable attorney fee in the court's discretion on a finding of willfulness and an unwarranted refusal to resolve the matter [^bridge-75161-fees].

This three-statute chain is the defining feature of the ITPA sections that expressly use it. Breach notification, Social Security number protection, consumer security freezes, protected-consumer freezes, and record disposal each declare that a violation is a violation of N.C. Gen. Stat. § 75-1.1 [^bridge-7565-per-se] [^bridge-7562-ssn] [^bridge-7563-freeze] [^bridge-75631-protected-freeze] [^bridge-7564-disposal], the section declaring unfair or deceptive acts or practices in or affecting commerce unlawful [^bridge-7511-udap]. Section 75-16 then supplies the private action and its mandatory trebling. The practical consequence: a plaintiff who proves one of those bridged violations does not need to separately establish that the conduct was unfair or deceptive — the statute does that work — and a court that assesses damages has no discretion to decline trebling.

Two limits keep the bridge from being a strict-liability lottery. First, injury is an element: § 75-65 says no private action may be brought unless the individual is injured as a result of the violation, so a breach with no resulting harm does not by itself support a suit [^bridge-7565-per-se]. Second, causes of action under the Article may not be assigned, which cuts against claim aggregation by third parties [^bridge-7565-assignment]. Neither limit changes the headline for businesses: a notification failure after a breach converts directly into treble-damages exposure to every injured resident.

## What must your North Carolina privacy policy contain? {#privacy-policy-contents}

**Short answer.** No North Carolina statute requires a general consumer privacy policy or fixes what it must say. The binding rule is that whatever you publish has to be true: a materially misleading policy statement can support a deception claim under § 75-1.1 [^policy-7511-udap] and under Section 5 of the FTC Act [^policy-ftc5-deceptive], if the required elements are met. In North Carolina that truthfulness rule has unusual teeth for injured consumers, because damages assessed in a private Chapter 75 action are trebled [^policy-7516-treble].

The drafting question in North Carolina is therefore less *what must be included* and more *does the policy match actual practice*. Where a sectoral regime applies, that regime supplies the contents: a financial institution may not share nonpublic personal information with nonaffiliated third parties without first giving the consumer a GLBA privacy notice [^policy-glba-notice]; a HIPAA covered entity must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's duties [^policy-hipaa-notice]; and an operator of a child-directed service must post notice of what it collects from children, how it uses it, and its disclosure practices [^policy-coppa-notice].

For everyone else, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it. Because trebling under § 75-16 is automatic once damages are assessed, an inaccurate privacy policy is structurally more dangerous in North Carolina than in states where multiplied damages are left to the court's discretion: every material promise in the policy can become part of a deception theory for an injured reader if the statement is misleading and damages requirements are met.

## What must your contracts with vendors say? {#vendor-contracts}

**Short answer.** North Carolina has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general commercial contracts. The state does impose a disposal duty: covered businesses must take reasonable measures against unauthorized access to or use of personal information in connection with or after disposal [^vendor-7564-duty]. For paper and electronic media, those measures must include monitored policies for shredding, burning, pulverizing, destroying, or erasing records so the information cannot practicably be read or reconstructed [^vendor-7564-measures].

The vendor contract the state addresses directly is an implementation option for that disposal duty: a business may, after due diligence, enter into a written contract with — and monitor compliance by — a record-destruction vendor to destroy personal information consistently with the disposal statute [^vendor-7564-contract]. The disposal statute is worth taking seriously because it has its own express § 75-1.1 bridge, with one employee-specific softening: damages caused by nonmanagerial employees are not trebled unless the business was negligent in training, supervising, or monitoring them [^vendor-7564-treble]. Due diligence on a destruction vendor should ordinarily include reviewing an independent audit, checking references or third-party certification, or evaluating the vendor's information-security policies — the statute lists those routes itself.

Data-hosting and service-provider relationships are touched only on the breach side: a business that maintains or possesses records containing personal information it does not own or license must notify the owner or licensee immediately following discovery of a security breach [^vendor-7565-maintainer]. That allocation — the vendor tells you, you tell your customers — is a reason to put breach-notice timing, cooperation, and cost terms into every vendor agreement even though no North Carolina statute requires them. Where a federal regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to oversee service providers and bind them by contract to maintain safeguards [^vendor-glba-safeguards], and HIPAA requires a business-associate agreement with required use limits, safeguards, breach reporting, and subcontractor flow-down terms [^vendor-hipaa-baa]. Outside those verticals, carrying the same protections forward — processing limited to instructions, confidentiality, reasonable security, breach notification back to your business, and return or deletion at the end of the engagement — is best practice rather than state-law compulsion.

## What rights do North Carolina consumers have over their personal data? {#consumer-rights}

**Short answer.** Not the comprehensive-statute set. North Carolina law gives consumers no general rights to access, delete, correct, or port their personal data and no right to opt out of its sale or of targeted advertising, and it does not require businesses to honor universal opt-out signals such as Global Privacy Control. The rights that do exist are narrower and identity-theft-shaped: any consumer may place a security freeze on their credit report [^rights-7563-freeze], a business may not sell or intentionally disclose a Social Security number to a third party without written consent where it has reason to believe the recipient lacks a legitimate purpose [^rights-7562-ssn], and a person who has objected to disclosure can sue anyone who knowingly publishes their personal information anyway [^rights-7566-publication].

The security freeze is the most operationally complete right. A freeze prohibits a consumer reporting agency from releasing the consumer's credit report or any information in it without the consumer's express authorization [^rights-7563-effect], and electronic placement, lifting, and removal must be free [^rights-7563-free]. A parallel mechanism protects children under 16 and incapacitated adults [^rights-7561-protected-definition]: a consumer reporting agency must place a protected-consumer security freeze within 30 days of a qualifying request by the protected consumer's representative [^rights-75631-protected].

The publication right under § 75-66 is narrow but carries its own civil action: any person whose property or person is injured by a violation may sue for civil damages [^rights-7566-remedy]. Its definition of *personal information* is broader than the breach statute's, sweeping in biometric data, fingerprints, and passwords. Beyond those, North Carolina consumers rely on sector-specific protections — student data, genetic information in insurance, and the federal regimes — rather than on a general data-rights statute. Pending proposals could change that, but no comprehensive consumer-privacy law has been enacted as of this review.

## When must you notify people of a data breach in North Carolina? {#breach-notification}

**Short answer.** Without unreasonable delay, once you discover or are notified of a security breach. The notification may be paced only by the legitimate needs of law enforcement and by measures necessary to determine contact information, determine the scope of the breach, and restore the integrity, security, and confidentiality of the data system [^breach-7565-timing]. A *security breach* is an incident of unauthorized access to and acquisition of unencrypted and unredacted records containing personal information where illegal use has occurred, is reasonably likely to occur, or creates a material risk of harm to a consumer; encrypted records count if the confidential process or key is also acquired [^breach-7561-definition]. Every consumer-noticed breach also triggers a report to the Attorney General's Consumer Protection Division — there is no headcount floor [^breach-7565-ag].

This is where North Carolina imposes its hardest operational duties, and the statutory text quoted here reflects the section as amended in 2025 by S.L. 2025-25, § 29. *Personal information* means a person's first name or initial and last name combined with identifying information as defined in the State's identity-theft law [^breach-7561-personal-info]; for breach purposes, the statute excludes electronic identification numbers, email names or addresses, internet account numbers, internet identification names, a parent's legal surname before marriage, and passwords unless that information would permit access to a person's financial account or resources [^breach-7565-exclusions]. Encryption and redaction are built into the trigger [^breach-7561-encryption] [^breach-7561-redaction], and the harm element (illegal use occurred, is reasonably likely, or material risk of harm) gives the statute a risk threshold many state breach laws lack.

The notice itself has fixed contents: a general description of the incident, the type of personal information involved, the business's protective acts, a contact number, advice to remain vigilant, and the contact details for the consumer reporting agencies, the FTC, and the North Carolina Attorney General's Office [^breach-7565-contents]. Written, electronic, and direct telephonic notice are all permitted, with substitute notice available above a 500,000-person or 250,000-dollar threshold or where contact information, consent, or affected-person identification is lacking [^breach-7565-substitute]. When notice goes to more than 1,000 persons at one time, the business must also notify the nationwide consumer reporting agencies of the timing, distribution, and content of the notice [^breach-7565-cra].

The Attorney General report is not a formality: the statutory report must describe the nature of the breach, the number of affected consumers, investigation and prevention steps, and the timing, distribution, and content of the consumer notice [^breach-7565-ag]. Assume a North Carolina breach notice may draw regulatory attention, and remember from the private-lawsuit discussion above that a notification failure is per se a § 75-1.1 violation carrying treble-damages exposure to injured residents [^breach-7565-per-se].

## How is privacy law enforced in North Carolina? {#ag-enforcement}

**Short answer.** For injured consumers, enforcement turns on the specific ITPA sections that expressly bridge into § 75-1.1 and on Chapter 75's civil action. The breach-notification section says a violation is a § 75-1.1 violation and allows a private action only for an injured individual [^enforce-7565-per-se]; § 75-16 then gives an injured person a right of action and requires trebling when damages are assessed [^enforce-7516-treble]. There is no cure period, no right-to-fix window, and no contracting around the Article: any waiver of its provisions is contrary to public policy and is void and unenforceable [^enforce-7565-waiver].

The absence of a cure period is a structural point, not an oversight — North Carolina has no comprehensive privacy act of the kind that typically grants one, so enforcement follows the state's existing unfair-and-deceptive-practices framework for bridged claims [^enforce-7511-udap]. The Attorney General's Consumer Protection Division is the operative privacy regulator for breach reporting because every consumer-noticed breach report must be sent there, with the nature of the breach, affected-consumer count, investigation steps, prevention steps, and notice details [^enforce-7565-ag-report].

Pending proposals could change that, but no comprehensive consumer-privacy law has been enacted as of this review. The durable planning assumption is the current one: injured-consumer treble-damages suits where a section expressly bridges to § 75-1.1, Attorney General breach-report intake under § 75-65(e1), and sector regulators (the FTC, federal banking agencies, HHS) layered on top for businesses inside the federal regimes. For the student-privacy statute the Attorney General is also the named enforcer — it may bring a civil action for injunctive and other equitable relief, and that section creates no private right of action [^enforce-115c-ag].



[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org) · Maintained by [UseJunior](https://usejunior.com). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not North Carolina. This article synthesizes North Carolina primary law and is not legal advice from a North Carolina-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.

[^itpa-7560-title]: **N.C. Gen. Stat. § 75-60** — "This Article shall be known and may be cited as the ‘Identity Theft Protection Act’." *N.C. Gen. Stat. § 75-60.* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-60.html>

[^itpa-7565-scope]: **N.C. Gen. Stat. § 75-65** — "Any business that owns or licenses personal information of residents of North Carolina or any business that conducts business in North Carolina that owns or licenses personal information in any form (whether computerized, paper, or otherwise) shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach." *N.C. Gen. Stat. § 75-65(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>

[^itpa-115c-student-targeting]: **N.C. Gen. Stat. § 115C-401.2** — "Engage in targeted advertising on the operator's site, service, or application, or target advertising on any other site, service, or application if the targeting of the advertising is based on any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator's site, service, or application for K-12 school purposes." *N.C. Gen. Stat. § 115C-401.2(b)(1).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_115C/GS_115C-401.2.html>

[^itpa-115c-student]: **N.C. Gen. Stat. § 115C-401.2** — "Sell or rent a student's information, including covered information." *N.C. Gen. Stat. § 115C-401.2(b)(3).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_115C/GS_115C-401.2.html>

[^itpa-583215-genetic]: **N.C. Gen. Stat. § 58-3-215** — "No insurer shall: (1) Raise the premium or contribution rates paid by a group for a group health benefit plan on the basis of genetic information obtained about an individual member of the group. (2) Refuse to issue or deliver a health benefit plan because of genetic information obtained about any person to be insured by the health benefit plan. (3) Charge a higher premium rate or charge for a health benefit plan because of genetic information obtained about any person to be insured by the health benefit plan." *N.C. Gen. Stat. § 58-3-215(c).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_58/GS_58-3-215.html>

[^bridge-7565-per-se]: **N.C. Gen. Stat. § 75-65** — "A violation of this section is a violation of G.S. 75-1.1. No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation." *N.C. Gen. Stat. § 75-65(i).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>

[^bridge-7516-treble]: **N.C. Gen. Stat. § 75-16** — "If any person shall be injured or the business of any person, firm or corporation shall be broken up, destroyed or injured by reason of any act or thing done by any other person, firm or corporation in violation of the provisions of this Chapter, such person, firm or corporation so injured shall have a right of action on account of such injury done, and if damages are assessed in such case judgment shall be rendered in favor of the plaintiff and against the defendant for treble the amount fixed by the verdict." *N.C. Gen. Stat. § 75-16.* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-16.html>

[^bridge-75161-fees]: **N.C. Gen. Stat. § 75-16.1** — "In any suit instituted by a person who alleges that the defendant violated G.S. 75-1.1, the presiding judge may, in his discretion, allow a reasonable attorney fee to the duly licensed attorney representing the prevailing party, such attorney fee to be taxed as a part of the court costs and payable by the losing party, upon a finding by the presiding judge that: (1) The party charged with the violation has willfully engaged in the act or practice, and there was an unwarranted refusal by such party to fully resolve the matter which constitutes the basis of such suit" *N.C. Gen. Stat. § 75-16.1.* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-16.1.html>

[^bridge-7562-ssn]: **N.C. Gen. Stat. § 75-62** — "A violation of this section is a violation of G.S. 75-1.1." *N.C. Gen. Stat. § 75-62(d).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-62.html>

[^bridge-7563-freeze]: **N.C. Gen. Stat. § 75-63** — "A violation of this section is a violation of G.S. 75-1.1." *N.C. Gen. Stat. § 75-63(g).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-63.html>

[^bridge-75631-protected-freeze]: **N.C. Gen. Stat. § 75-63.1** — "A violation of this section is a violation of G.S. 75-1.1." *N.C. Gen. Stat. § 75-63.1(g).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-63.1.html>

[^bridge-7564-disposal]: **N.C. Gen. Stat. § 75-64** — "A violation of this section is a violation of G.S. 75-1.1, but any damages assessed against a business because of the acts or omissions of its nonmanagerial employees shall not be trebled as provided in G.S. 75-16 unless the business was negligent in the training, supervision, or monitoring of those employees." *N.C. Gen. Stat. § 75-64(f).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-64.html>

[^bridge-7511-udap]: **N.C. Gen. Stat. § 75-1.1** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are declared unlawful." *N.C. Gen. Stat. § 75-1.1(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-1.1.html>

[^bridge-7565-assignment]: **N.C. Gen. Stat. § 75-65** — "Causes of action arising under this Article may not be assigned." *N.C. Gen. Stat. § 75-65(j).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>

[^policy-7511-udap]: **N.C. Gen. Stat. § 75-1.1** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are declared unlawful." *N.C. Gen. Stat. § 75-1.1(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-1.1.html>

[^policy-ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>

[^policy-7516-treble]: **N.C. Gen. Stat. § 75-16** — "if damages are assessed in such case judgment shall be rendered in favor of the plaintiff and against the defendant for treble the amount fixed by the verdict" *N.C. Gen. Stat. § 75-16.* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-16.html>

[^policy-glba-notice]: **GLBA § 502** — "Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title." *15 U.S.C. § 6802(a).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=Except%20as%20otherwise%20provided%20in,section%206803%20of%20this%20title.>

[^policy-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520.* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>

[^policy-coppa-notice]: **COPPA** — "to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator’s disclosure practices for such information" *15 U.S.C. § 6502(b)(1)(A)(i).* <https://www.law.cornell.edu/uscode/text/15/6502#:~:text=to%20provide%20notice%20on%20the,disclosure%20practices%20for%20such%20information>

[^vendor-7564-duty]: **N.C. Gen. Stat. § 75-64** — "Any business that conducts business in North Carolina and any business that maintains or otherwise possesses personal information of a resident of North Carolina must take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal." *N.C. Gen. Stat. § 75-64(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-64.html>

[^vendor-7564-measures]: **N.C. Gen. Stat. § 75-64** — "The reasonable measures must include: (1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing personal information so that information cannot be practicably read or reconstructed. (2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed." *N.C. Gen. Stat. § 75-64(b)(1)-(2).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-64.html>

[^vendor-7564-contract]: **N.C. Gen. Stat. § 75-64** — "A business may, after due diligence, enter into a written contract with, and monitor compliance by, another party engaged in the business of record destruction to destroy personal information in a manner consistent with this section." *N.C. Gen. Stat. § 75-64(c).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-64.html>

[^vendor-7564-treble]: **N.C. Gen. Stat. § 75-64** — "A violation of this section is a violation of G.S. 75-1.1, but any damages assessed against a business because of the acts or omissions of its nonmanagerial employees shall not be trebled as provided in G.S. 75-16 unless the business was negligent in the training, supervision, or monitoring of those employees." *N.C. Gen. Stat. § 75-64(f).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-64.html>

[^vendor-7565-maintainer]: **N.C. Gen. Stat. § 75-65** — "Any business that maintains or possesses records or data containing personal information of residents of North Carolina that the business does not own or license, or any business that conducts business in North Carolina that maintains or possesses records or data containing personal information that the business does not own or license shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section." *N.C. Gen. Stat. § 75-65(b).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>

[^vendor-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>

[^vendor-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,with%20respect%20to%20such%20information>

[^rights-7563-freeze]: **N.C. Gen. Stat. § 75-63** — "A consumer may place a security freeze on the consumer's credit report by making a request to a consumer reporting agency in accordance with this subsection." *N.C. Gen. Stat. § 75-63(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-63.html>

[^rights-7562-ssn]: **N.C. Gen. Stat. § 75-62** — "Sell, lease, loan, trade, rent, or otherwise intentionally disclose an individual's social security number to a third party without written consent to the disclosure from the individual, when the party making the disclosure knows or in the exercise of reasonable diligence would have reason to believe that the third party lacks a legitimate purpose for obtaining the individual's social security number." *N.C. Gen. Stat. § 75-62(a)(6).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-62.html>

[^rights-7566-publication]: **N.C. Gen. Stat. § 75-66** — "It shall be a violation of this section for any person to knowingly broadcast or publish to the public on radio, television, cable television, in a writing of any kind, or on the internet, the personal information of another with actual knowledge that the person whose personal information is disclosed has previously objected to any such disclosure." *N.C. Gen. Stat. § 75-66(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-66.html>

[^rights-7563-effect]: **N.C. Gen. Stat. § 75-63** — "A security freeze shall prohibit, subject to exceptions in subsection (l) of this section, the consumer reporting agency from releasing the consumer's credit report or any information from it without the express authorization of the consumer." *N.C. Gen. Stat. § 75-63(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-63.html>

[^rights-7563-free]: **N.C. Gen. Stat. § 75-63** — "A consumer reporting agency shall not charge a fee to put a security freeze in place, remove a freeze, or lift a freeze pursuant to subsection (d) or (j) of this section, provided that any such request is made electronically." *N.C. Gen. Stat. § 75-63(o).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-63.html>

[^rights-7561-protected-definition]: **N.C. Gen. Stat. § 75-61** — "An individual (i) who is under the age of 16 at the time a request for the placement of a security freeze is made pursuant to G.S. 75-63.1 or (ii) who is incapacitated or for whom a guardian or guardian ad litem has been appointed." *N.C. Gen. Stat. § 75-61(11a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-61.html>

[^rights-75631-protected]: **N.C. Gen. Stat. § 75-63.1** — "A consumer reporting agency shall place a protected consumer security freeze on the protected consumer's credit report or on the protected consumer's file in accordance with subsection (b) of this section within 30 days of all of the following conditions being satisfied" *N.C. Gen. Stat. § 75-63.1(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-63.1.html>

[^rights-7566-remedy]: **N.C. Gen. Stat. § 75-66** — "Any person whose property or person is injured by reason of a violation of this section may sue for civil damages pursuant to the provisions of G.S. 1-539.2C." *N.C. Gen. Stat. § 75-66(e).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-66.html>

[^breach-7565-timing]: **N.C. Gen. Stat. § 75-65** — "The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of this section, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system." *N.C. Gen. Stat. § 75-65(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>

[^breach-7561-definition]: **N.C. Gen. Stat. § 75-61** — "An incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall constitute a security breach." *N.C. Gen. Stat. § 75-61(14).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-61.html>

[^breach-7565-ag]: **N.C. Gen. Stat. § 75-65** — "In the event a business provides notice to an affected person pursuant to this section, the business shall notify without unreasonable delay the Consumer Protection Division of the Attorney General's Office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice." *N.C. Gen. Stat. § 75-65(e1).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>

[^breach-7561-personal-info]: **N.C. Gen. Stat. § 75-61** — "A person's first name or first initial and last name in combination with identifying information as defined in G.S. 14-113.20(b). Personal information does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, including name, address, and telephone number, and does not include information made lawfully available to the general public from federal, state, or local government records." *N.C. Gen. Stat. § 75-61(10).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-61.html>

[^breach-7565-exclusions]: **N.C. Gen. Stat. § 75-65** — "For the purposes of this section, personal information shall not include electronic identification numbers, email names or addresses, internet account numbers, internet identification names, parent's legal surname prior to marriage, or a password unless this information would permit access to a person's financial account or resources." *N.C. Gen. Stat. § 75-65(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>

[^breach-7561-encryption]: **N.C. Gen. Stat. § 75-61** — "The use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key." *N.C. Gen. Stat. § 75-61(8).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-61.html>

[^breach-7561-redaction]: **N.C. Gen. Stat. § 75-61** — "The rendering of data so that it is unreadable or is truncated so that no more than the last four digits of the identification number is accessible as part of the data." *N.C. Gen. Stat. § 75-61(13).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-61.html>

[^breach-7565-contents]: **N.C. Gen. Stat. § 75-65** — "The notice shall be clear and conspicuous. The notice shall include all of the following: (1) A description of the incident in general terms. (2) A description of the type of personal information that was subject to the unauthorized access and acquisition. (3) A description of the general acts of the business to protect the personal information from further unauthorized access. (4) A telephone number for the business that the person may call for further information and assistance, if one exists. (5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports. (6) The toll-free numbers and addresses for the major consumer reporting agencies. (7) The toll-free numbers, addresses, and website addresses for the Federal Trade Commission and the North Carolina Attorney General's Office, along with a statement that the individual can obtain information from these sources about preventing identity theft." *N.C. Gen. Stat. § 75-65(d).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>

[^breach-7565-substitute]: **N.C. Gen. Stat. § 75-65** — "Substitute notice, if the business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000) or that the affected class of subject persons to be notified exceeds 500,000, or if the business does not have sufficient contact information or consent to satisfy subdivisions (1), (2), or (3) of this subsection, for only those affected persons without sufficient contact information or consent, or if the business is unable to identify particular affected persons, for only those unidentifiable affected persons." *N.C. Gen. Stat. § 75-65(e)(4).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>

[^breach-7565-cra]: **N.C. Gen. Stat. § 75-65** — "In the event a business provides notice to more than 1,000 persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Attorney General's Office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice." *N.C. Gen. Stat. § 75-65(f).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>

[^breach-7565-per-se]: **N.C. Gen. Stat. § 75-65** — "A violation of this section is a violation of G.S. 75-1.1. No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation." *N.C. Gen. Stat. § 75-65(i).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>

[^enforce-7565-per-se]: **N.C. Gen. Stat. § 75-65** — "A violation of this section is a violation of G.S. 75-1.1. No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation." *N.C. Gen. Stat. § 75-65(i).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>

[^enforce-7516-treble]: **N.C. Gen. Stat. § 75-16** — "If any person shall be injured or the business of any person, firm or corporation shall be broken up, destroyed or injured by reason of any act or thing done by any other person, firm or corporation in violation of the provisions of this Chapter, such person, firm or corporation so injured shall have a right of action on account of such injury done, and if damages are assessed in such case judgment shall be rendered in favor of the plaintiff and against the defendant for treble the amount fixed by the verdict." *N.C. Gen. Stat. § 75-16.* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-16.html>

[^enforce-7565-waiver]: **N.C. Gen. Stat. § 75-65** — "Any waiver of the provisions of this Article is contrary to public policy and is void and unenforceable." *N.C. Gen. Stat. § 75-65(g).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>

[^enforce-7511-udap]: **N.C. Gen. Stat. § 75-1.1** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are declared unlawful." *N.C. Gen. Stat. § 75-1.1(a).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-1.1.html>

[^enforce-7565-ag-report]: **N.C. Gen. Stat. § 75-65** — "In the event a business provides notice to an affected person pursuant to this section, the business shall notify without unreasonable delay the Consumer Protection Division of the Attorney General's Office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice." *N.C. Gen. Stat. § 75-65(e1).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_75/GS_75-65.html>

[^enforce-115c-ag]: **N.C. Gen. Stat. § 115C-401.2** — "The Attorney General, upon ascertaining that an operator has violated this section, may bring a civil action seeking injunctive and other equitable relief." *N.C. Gen. Stat. § 115C-401.2(g).* <https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_115C/GS_115C-401.2.html>
