If your small business owns or licenses North Carolina residents' personal information and that data is breached, you usually must notify affected people without unreasonable delay, notify the North Carolina Attorney General when you send those notices, and notify nationwide consumer reporting agencies if more than 1,000 people are affected at one time.
Sources: N.C. Gen. Stat. 75-65, N.C. Gen. Stat. 75-61, North Carolina DOJ security breach guidance
The fast answer
North Carolina's breach law is broader than many owners expect.
It applies to a business that owns or licenses personal information of North Carolina residents, and also to a business that conducts business in North Carolina and owns or licenses that information in any form, including paper records. If you are a service provider holding someone else's data, you have a separate duty to notify the owner or licensee immediately after discovery, subject to any valid law-enforcement delay.
This is not a "wait for the forensics report to be perfect" statute. The standard is without unreasonable delay.
What North Carolina counts as a security breach
The definition starts in G.S. 75-61.
North Carolina treats a security breach as unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information when illegal use has occurred, is reasonably likely to occur, or creates a material risk of harm. Encrypted data can still count if the key or process needed to unlock it was also compromised.
The law also carves out one practical exception: a good-faith acquisition by an employee or agent for a legitimate business purpose is not a reportable breach if the information is not misused or further disclosed.
That matters because many small businesses discover incidents through an employee mistake first. Not every mistake is a statutory breach. But once unauthorized acquisition and real risk are on the table, the notice duties move quickly.
The statute's definition is not "any customer data."
G.S. 75-61 defines personal information around a person's name combined with identifying information, and G.S. 75-65 adds an important clarification for notice purposes: email addresses, internet account names, and passwords are not automatically covered unless they would permit access to a person's financial account or resources.
For a small business, the practical question is simple: did the exposed data make identity theft, account takeover, or financial fraud materially easier?
If the answer may be yes, stop debating labels and start working the response.
Who has to notify in North Carolina
There are really two tracks.
1. The business that owns or licenses the data
Under G.S. 75-65(a), that business must notify the affected person following discovery or notification of the breach. The notice must go out without unreasonable delay, while still allowing time to determine contact information, determine scope, and restore the integrity, security, and confidentiality of the system.
2. The business that only maintains or possesses the data
Under G.S. 75-65(b), a business that holds North Carolina residents' personal information for someone else must notify the owner or licensee of the information immediately following discovery of the breach, again subject to law-enforcement delay.
That is the part many MSPs, SaaS vendors, payroll processors, and outsourced back-office firms miss. If you are the custodian, you still have a breach-notice job to do.
North Carolina does not give you a fixed day count
Some states say 30 days, 45 days, or 60 days. North Carolina does not.
The statutory phrase is without unreasonable delay. That sounds flexible, but it is not a permission slip to stall. The law allows delay only for legitimate law-enforcement needs or for the practical work of determining who was affected, how broad the incident was, and how to restore the system.
In plain English: investigate fast, make the call, and move.
If you are waiting because nobody owns the incident, your legal-clock problem is really an operational one.
What the notice to affected people must include
G.S. 75-65(d) is specific. The notice must be clear and conspicuous and include:
- a general description of the incident
- the type of personal information involved
- a general description of what you did to protect the information from further unauthorized access
- a business phone number for questions, if one exists
- advice telling the person to remain vigilant by reviewing account statements and monitoring free credit reports
- the toll-free numbers and addresses for the major consumer reporting agencies
- the toll-free numbers, addresses, and website addresses for the FTC and the North Carolina Attorney General's Office, plus a statement that the individual can get identity-theft prevention information from those sources
This is one reason breach letters written in panic often fail. Owners focus on apology and forget the required consumer-help content.
How you can send the notice
North Carolina allows four notice methods:
- written notice
- electronic notice, if you have a valid email address and the person agreed to electronic communications
- direct telephonic notice
- substitute notice in limited circumstances
Substitute notice is not the normal path. Under G.S. 75-65(e), it is reserved for situations where notice would cost more than $250,000, the affected class exceeds 500,000 people, or you lack sufficient contact information or consent.
If you use substitute notice, it must include:
- email notice when you have the address
- conspicuous posting on your website, if you maintain one
- notice to major statewide media
When the North Carolina Attorney General must be notified
This is the part many breach checklists leave out.
Under G.S. 75-65(e1), if you provide notice to an affected person under the statute, you must also notify the Consumer Protection Division of the Attorney General's Office without unreasonable delay. That notice must include:
- the nature of the breach
- the number of consumers affected
- steps taken to investigate
- steps taken to prevent a similar breach in the future
- information about the timing, distribution, and content of the consumer notice
So for most reportable North Carolina breaches, the state notice is not optional or only for huge incidents. It is part of the base workflow.
When consumer reporting agencies must be notified
There is an added threshold in G.S. 75-65(f).
If you provide notice to more than 1,000 persons at one time, you must notify without unreasonable delay:
- the Consumer Protection Division of the Attorney General's Office
- all nationwide consumer reporting agencies described in 15 U.S.C. 1681a(p)
That notice must cover the timing, distribution, and content of the consumer notice.
This is separate from the regular Attorney General notice duty above. In practice, once the incident crosses 1,000 notices, you should treat regulator coordination as a dedicated workstream.
The five-part response order I would use
For a small business, the cleanest sequence is:
1. Contain the incident
Disable compromised accounts, isolate affected systems, preserve logs, and stop the bleeding first. If the event looks like ransomware or active compromise, this sits beside the immediate-response discipline covered in "What to do in the first 24 hours after a small-business ransomware scare."
2. Decide whether the statute is triggered
Work from the legal definitions, not from gut feel. What data was involved? Was it unencrypted or was the key also exposed? Is illegal use reasonably likely or is there a material risk of harm?
3. Determine who owns the notice
If you are the data owner, your customer notice path starts. If you are a vendor holding someone else's data, your immediate owner-notification duty starts. Many incidents get delayed because nobody settles this distinction in the first few hours.
4. Build the notice package
Draft the consumer notice with every required element. Draft the Attorney General submission in parallel, not later.
5. Fix the control failure that caused the breach
The breach letter is not the project. The project is the control gap behind it. North Carolina DOJ's breach guidance makes clear that the state reviews notices and may investigate whether reasonable safeguards were in place. That turns the post-incident control story into a business risk, not just a technical one.
The same control families discussed in "What controls do cyber insurers require in 2026" usually show up here too: MFA, endpoint detection, backup integrity, patching, and funds-transfer verification.
The mistakes that get small businesses in trouble
The pattern is usually not exotic.
Waiting for "perfect certainty"
North Carolina gives room for scope determination. It does not reward paralysis.
Treating the vendor contract as the whole answer
If your payroll processor, IT provider, ecommerce platform, or marketing stack was involved, the contract matters. It does not replace your own notice obligations.
Sending a thin breach letter
If the letter omits the statutory content, you have created a second problem.
Forgetting the Attorney General notice
This is probably the most common process miss for smaller firms without counsel or incident-response muscle.
Where Obsidian Ridge fits
We are not your lawyer, and this article is not legal advice.
Where we fit is the technical side of getting you from breach discovery to defensible facts: containment, log preservation, endpoint visibility, identity compromise review, and evidence of what actually happened. If your incident exposed how thin your control set is, the operational follow-on is usually some mix of managed detection and response, managed ITDR, and a tighter renewal posture before the next insurance application or claim discussion. Our cyber insurance readiness work often starts exactly there.
FAQ
Does North Carolina require a specific number of days for breach notice?
No. G.S. 75-65 uses a without-unreasonable-delay standard rather than a fixed number of days.
Do I have to notify the North Carolina Attorney General even if the breach is small?
Usually yes, if you are providing notice to affected people under G.S. 75-65. The statute's Attorney General notice duty is not limited to mega-breaches.
When do I have to notify Equifax, Experian, and TransUnion?
When you provide notice to more than 1,000 people at one time. That triggers notice to nationwide consumer reporting agencies under G.S. 75-65(f).
What if my company only hosts or processes the data for someone else?
You still may have a statutory duty. Under G.S. 75-65(b), a custodian that does not own or license the information must notify the owner or licensee immediately following discovery, subject to law-enforcement delay.
Can I email the breach notice instead of mailing it?
Yes, but only if you have a valid email address and the person agreed to receive communications electronically. Otherwise use one of the other methods allowed by the statute.