Laws, Regulations, and Policies

Governance for Data Privacy and Cybersecurity in North Carolina

Legal policies and implications are critical for cybersecurity enforcement because they provide a framework for ensuring organizations comply with established security standards and practices. These policies set clear rules for how data should be handled, protected, and responded to in the event of a breach, and they outline the consequences for non-compliance. Effective legal frameworks help deter cybercrime by creating accountability for malicious actors and organizations that fail to meet required security measures. North Carolina enforces several legal guidelines in regard to cybersecurity that must be followed by PSUs and other North Carolina entities. This document outlines some of the major policies and how they may relate to PSUs.

North Carolina Security Breach Definition

N.C. General Statute 75-61(14) currently defines “security breach” as the unauthorized release of unencrypted or unredacted records or data containing personal information with corresponding name, such as a person’s first initial and last name.

  • Typically, breach counsel will want to notify everyone whose records were contained within any impacted system, on the premise that the threat actor could have viewed their information. NC law, however, specifies “release,” not “view,” which is legally significant.
  • Our courts use the “plain and common” language standard to interpret laws and determine the meaning of words. The plain and common meaning of “release” is “to free from its containment” or “to make available to the public.” If there is no evidence of data exfiltration, then it is presumed that there is no legal requirement under NC law to provide notice to anyone whose personal information is housed within your systems.
  • If there is data contained within systems about individuals residing outside of NC, then their state laws will govern the definition of breach as well as PII.

Personally Identifiable Information (PII) Examples

  • Individual’s Social Security number (SSN)
  • Employer taxpayer identification number (TIN)
  • Driver’s license or state identification number
  • Passport number
  • Checking/savings account number
  • Credit/debit card number, PIN, digital signature, biometric data, fingerprints or any number that can be used to access financial resources
  • Individual’s email name or address, Internet account number, Internet username or password (disclosure of these may be considered a breach only if it would permit someone to access financial accounts or resources)
  • Personal information does not include directories available to the public

Incident Reporting

In accordance with Section 143B-1379 of the General Statutes of North Carolina, all cybersecurity-related incidents impacting government entities must be reported to NCDIT within 24 hours of event confirmation. Incidents include, but are not limited to:

  • Malware
  • (Distributed) Denial of Service – DDoS/DoS
  • Ransomware

Student Data Security & Privacy

As defined in Section 115C Article 29 of the General Statutes of North Carolina, student records are not to be disclosed and are to be protected, maintained, and recorded in confidence. Both personally identifiable information (PII), such as names, addresses, and other unique identifiers, and aggregate data collected from designated groups of students are required to be secured appropriately. Parents and guardians of students must be notified of their rights regarding student records, as well as of any incident that has potentially compromised student information.

Joint Cybersecurity Task Force (JCTF)

In March 2022, North Carolina Governor Roy Cooper’s Executive Order No. 254 established the North Carolina Joint Cybersecurity Task Force (NCJCTF) with the goal of providing “crucial services to North Carolina in preventing and responding to cybersecurity breaches and attacks.” With increased threats arising from the Russia/Ukraine conflict, the need to protect the sixteen Critical Infrastructure Sectors defined by Presidential Policy Directive 21 became apparent and further supported the creation of the Task Force.

Cybersecurity Exception to Public Information Requests

Under Section 132-6.1 of the General Statutes of North Carolina, all information shared in relation to sensitive security information is protected and is not subject to public disclosure. This information will be used only to support information sharing and threat intelligence capabilities.

Ransomware Payments

According to Section 143-800 of the General Statutes of North Carolina, “No State agency or local government entity shall submit payment or otherwise communicate with an entity that has engaged in a cybersecurity incident on an information technology system by encrypting data and then subsequently offering to decrypt that data in exchange for a ransom payment.”

A local government entity is defined as a political subdivision of the State, including, but not limited to, a city, county, community college, or local school administrative unit as defined in G.S. 115C-5.

Incidents and events must be reported to the Department of Information Technology (DIT) in accordance with G.S. 143B-1379 to further handle the situation. Information shared through this process will be protected from public disclosure under G.S. 132-6.1(c).

Significant Cybersecurity Incident

A significant cybersecurity incident is a cybersecurity incident that is likely to result in demonstrable harm to the State’s security interests, economy, or critical infrastructure, or to the public confidence, civil liberties, or public health and safety of the residents of North Carolina.

The following factors determine if an incident is significant:

  • The incident meets the threshold identified by the Department of Information Technology jointly with the Department of Public Safety and involves information that
    • Is not releasable to the public and is classified as restricted or highly restricted under the Statewide Data Classification and Handling Policy
    • Involves the exfiltration, modification, deletion, or unauthorized access to, or lack of availability of, information or systems within certain parameters, including
      • A specific threshold of the number of records or users affected, as defined in G.S. 75-65
      • Any additional data types with required security controls
  • The incident involves information that is not recoverable, cannot be recovered within the timelines required to meet operational commitments defined jointly by the state agency and the Department, or can be recovered only through additional measures, and has a high or medium functional impact on the mission of an agency.

Notice Requirements

Once a breach is identified, notice must be given without unreasonable delay unless law enforcement requests a delay. The notice must include:

  • General description of the security breach incident
  • Type of personal information breached
  • General description of your efforts to avoid further unauthorized access to personal information
  • Telephone number where people can call for more information and assistance, if one exists
  • Advice for affected people (security freeze, credit monitoring, etc.)
  • Contact information for the major consumer reporting agencies, the Federal Trade Commission and the North Carolina Attorney General’s office

These notices may be delivered by mail, by email (if a valid email address is available and electronic communication has been agreed to by both parties), or by telephone. A substitute notice, such as a website post, mass email, or media notice, may be given if:

  • The cost of providing the notice exceeds $250,000
  • The number of affected persons is greater than 500,000 individuals
  • The organization does not have the contact information to notify all individuals in another way

Citations & Resources