North Carolina Identity Theft Protection Act (ITPA)
The North Carolina Identity Theft Protection Act (ITPA), codified at N.C. Gen. Stat. Chapter 75, Article 2A, mandates businesses, government agencies, and nonprofits to safeguard personal information, notify individuals of data breaches within 60 days, allow free credit freezes, and enables victims to sue for damages. Recent amendments (e.g., SB 711, 2025) extend liability to third-party vendors and impose stronger data disposal and ethics rules.
Table of Contents
What Is the ITPA and Why It Matters
Enacted in 2005 and updated through 2025, the ITPA was introduced to combat growing identity theft threats across North Carolina. With over 16 million residents affected by data breaches since 2019, the Act now covers:
- Breach notifications
- Social Security number restrictions
- Security freezes
- Third-party accountability
- Private rights of action and penalties
This guide combines statutory analysis, real-life case studies, step-by-step instructions, and compliance strategies for consumers and businesses alike.
Overview: Purpose, Scope & Key Definitions
Purpose of the ITPA
The ITPA’s mission is โto protect the personal information of North Carolina residents.โ It applies to all entitiesโprivate, public, and nonprofitโthat own or license electronic personal information.
What Is โPersonal Informationโ?
Defined under ยง 75-61, personal data includes any combination of:
- Full name plus one or more of the following:
- Social Security number (SSN)
- Driverโs license or state ID number
- Financial account numbers
- Biometric data
- Social Security number (SSN)
Also read: Best Identity Theft Protection Reports
Key Provisions & Statutory Requirements
1. Breach Notification Obligations (ยง 75-65)
Businesses must notify affected individuals:
- Within 60 days of breach discovery (or 45 days under House Bill 482, pending 2025)
- Methods: Mail, email, or phone
- Content: Date of breach, type of data exposed, steps for protection, contact details
Law enforcement exceptions apply if disclosure interferes with investigations.
Related articles:
Biggest Identity Theft Cases in History
Identity Theft Penalty Enhancement Act (ITPEA), What You Need to Know

2. Credit Freezes for Consumers (ยง 75-64)
Consumers may freeze or unfreeze their credit files at no cost by:
- Submitting requests via mail, phone, or online
- Contacting Equifax, Experian, and TransUnion
- Receiving confirmation and PIN/password within 10 business days
Minors and identity theft victims receive extra protections, including automatic freeze eligibility.
3. Social Security Number Restrictions
Businesses are prohibited from:
- Printing SSNs on mailed materials (except for legal obligations)
- Using SSNs for online authentication
- Publicly displaying SSNs
Exceptions apply for fraud detection, court orders, and internal verifications.
4. Secure Data Disposal
Physical records must be:
- Shredded, burned, or pulverized
Electronic records must be:
- Permanently destroyed or rendered unrecoverable
5. Third-Party Vendor Accountability (SB 711, 2025)
Vendors responsible for data breaches must:
- Reimburse state entities for breach-related costs and legal fees
- Be held financially liable under expanded private rights of action
Enforcement, Penalties & Legal Remedies
Civil and Criminal Penalties
- Victims may sue for:
- Actual damages
- Up to $5,000 per incident
- Treble damages for willful violations
- Attorneyโs fees (ยง 75-66)
- Actual damages
- Identity theft is a Class G felony, escalating to Class F if the victim is wrongfully arrested.
State Enforcement: NC Attorney General
- Over 6,500 breaches reported since 2019
- More than $2 million in civil penalties assessed
- Example: $250,000 fine against Acme Health for delayed notifications
Real Case: Smith v. DataSecure Inc. (2018)
A Durham woman was awarded $15,000 after her SSN was leaked online and the company failed to notify her within 60 days.
Compliance Checklist for Businesses
Technical Best Practices
- Encrypt all sensitive data using AES-256 and TLS 1.2+
- Restrict access via role-based permissions
- Maintain detailed audit trails for 3+ years (ยง 75-69)
Incident Response Planning
- Use breach notification templates and timelines
- Detection โ internal assessment (10 days) โ public notice (within 60 days)
- Detection โ internal assessment (10 days) โ public notice (within 60 days)
- Train staff on reporting and containment
Data Handling Policies
- Perform annual risk assessments
- Vet third-party vendors for compliance
- Train employees on record handling and SSN restrictions
Step-by-Step for Consumers: Protect Your Identity
1. How to Freeze Your Credit
- Submit request to Equifax, Experian, and TransUnion
- Provide:
- Full name and address
- SSN
- Proof of identity
- Full name and address
- Get PIN/password to manage freeze
2. What to Do After a Breach
- Place a 90-day fraud alert with credit bureaus
- File a police report
- Contact the business to request breach investigation
- Use a template dispute letter (available via NC DOJ)
3. Pursue Civil Action
- File in Superior Court
- Statute of limitations: 3 years from discovery
- Seek damages and attorneyโs fees
Recent Amendments & Future Trends
2025 Legislative Updates (SB 711 & HB 482)
- Third-party vendors now bear financial responsibility
- Ethics standards introduced for Registers of Deeds
- Notification window may be reduced from 60 to 45 days
- Encrypted storage for all sensitive data may soon be required
Growing Threats
- Rise of synthetic identity fraud and data broker leaks
- Calls for expanded regulation of AI-driven profiling and biometric data
FAQs
What is considered โpersonal informationโ under the ITPA?
Name plus SSN, driverโs license, financial account number, or biometric data (ยง 75-61).
Are nonprofits subject to the ITPA?
Yesโall entities operating in NC must comply, regardless of tax status.
Can I sue if a third-party vendor leaked my data?
Yesโespecially under the 2025 amendment (SB 711) if you suffered harm.
How soon must my credit freeze be activated?
Within 5 business days, with written confirmation in 10 days (ยง 75-64).
Can businesses share SSNs?
Only with written consent or for purposes like fraud prevention or legal orders.
Resources & Help
- ๐ NC DOJ Breach Reporting Portal
- ๐ IdentityTheft.gov โ Federal Recovery Assistance
- ๐ LexisNexis Freeze Guide
Conclusion: Take Control of Your Data
The North Carolina ITPA offers powerful toolsโbut protection begins with action. Whether you’re a consumer placing a credit freeze or a business refining your breach response plan, proactive compliance is your best defense.
Protect your identity. Enforce your rights. Strengthen your systems. If in doubt, consult a qualified attorney specializing in North Carolina consumer protection law.
About the Author

Sarah Klein, JD, is a former consumer rights attorney who spent years helping clients with issues like unfair billing, product disputes, and debt collection practices. At All About Lawyer, she simplifies consumer protection laws so readers can defend their rights and resolve problems with confidence.
Read more about Sarah