Navigating the Digital Frontier: An In-Depth Look at North Carolina's Privacy and Cybersecurity Landscape
North Carolina stands at a critical juncture in the digital age, facing an ever-evolving landscape of cyber threats while simultaneously working to solidify its data privacy framework. From sophisticated ransomware attacks targeting vital sectors to legislative efforts aimed at safeguarding resident data, the state is demonstrating a comprehensive and proactive approach to securing its digital future. This article delves into the intricacies of North Carolina's cybersecurity challenges, its robust response mechanisms, and the foundational and emerging privacy regulations that define its commitment to digital resilience.
North Carolina's Evolving Cyber Threat Landscape
The scale and sophistication of cyberattacks in North Carolina are significant and rapidly increasing, impacting millions of residents and a wide array of organizations annually.
- Growing Impact: In 2022, organizations reported 1,900 data breaches to the North Carolina Department of Justice (NCDOJ), affecting over 3 million North Carolinians. This marked the second-highest number of people impacted in a single year, surpassed only by 2017 when the Equifax breach affected nearly 5 million residents. The trend intensified in 2024, with an unprecedented 2,258 incidents affecting approximately 6.7 million residents. Cumulatively, since 2005, 12,820 breaches have impacted over 24 million people. The Research Triangle Region alone has experienced a 600% increase in cybercrime since the COVID-19 pandemic.
- Predominant Attack Types: Hacking and phishing are the most common entry points for criminals, accounting for nearly 90% of all breaches in North Carolina in 2022. These methods are frequently used to deploy ransomware. Ransomware attacks themselves are skyrocketing, comprising 45% of all reported data breaches in 2022, with the NCDOJ receiving a record 857 ransomware-related notices, a trend projected to continue. Email-related breaches, including misdirected emails and unauthorized access via phishing, constituted over 29% of reported breaches in 2022. Other forms of attack include credential stuffing, W-2 phishing scams, data exfiltration, extortion, accidental release or display of information, lost/stolen equipment, data theft by employees or contractors, malware, and Denial of Service (DoS) attacks.
- Most Targeted Industries and Entities: While any individual or entity can be a target, certain sectors are more vulnerable. In 2022, general businesses (52%), financial services/insurance (20%), and healthcare entities (16%) reported the most breaches. Educational institutions (4%) and government agencies (3%) also experienced significant incidents.
  - Healthcare: Rural hospitals, often with outdated IT infrastructure, are prime targets, with attacks capable of disrupting patient care and compromising sensitive medical data.
  - Education: K-12 schools and universities have faced data breaches affecting students and staff.
  - Finance and Legal: These sectors handle vast amounts of sensitive client data, making them attractive for cyberattacks that can lead to substantial financial losses and legal liabilities.
  - Government: Local governments (cities, municipalities, counties, school administrative units, community colleges) are particularly vulnerable, reporting 18 out of 29 cyberattacks in 2021. State agencies, community colleges/universities, and critical infrastructure partners are also frequent targets.
  - Urban Hubs: Companies in Charlotte and Raleigh are increasingly targeted due to their growing prominence in key industries and thriving tech hubs, which expands the attack surface for businesses.
- Noteworthy Incidents:
  - The PowerSchool data breach in December 2024 compromised student and teacher information globally, including in North Carolina. "Threat actors" subsequently contacted North Carolina school districts in May 2025, demanding payment for the stolen data. PowerSchool reportedly paid a ransom after the initial breach, but the data was not destroyed and remains exposed. Stolen data included names, contact information, dates of birth, limited medical alert information, Social Security Numbers, and other related details.
  - Asheville Eye Associates disclosed a data breach in late January/early February 2025 that impacted 193,306 individuals. The DragonForce ransomware group claimed responsibility for stealing hundreds of gigabytes of data. Compromised information included names, addresses, medical treatment, and health insurance details.
  - In 2022, Attorney General Josh Stein secured settlements from Carnival Cruise Line ($1.25 million) over a 2019 data breach affecting 3,139 North Carolinians and from Experian ($1 million) over data theft, and North Carolina was part of a $391.5 million multistate settlement with Google regarding location tracking practices.
  - Raleigh-based communications provider Bandwidth was hit by a cyberattack in late September, causing network outages and stock declines.
North Carolina's Legal and Regulatory Framework for Privacy and Cybersecurity
North Carolina's approach to data privacy and cybersecurity is built upon a foundation of state laws and agency oversight, supplemented by applicable federal regulations and forward-looking legislative proposals.
- Key Existing State Laws and Regulations:
  - North Carolina Identity Theft Protection Act (N.C. Gen. Stat. § 75-60): This foundational law mandates that businesses implement reasonable measures to protect Personal Identifying Information (PII) and establishes protocols for data breach notifications.
  - North Carolina Breach Notification Law (N.C. Gen. Stat. § 75-65): Businesses owning or licensing personal information of NC residents are required to notify affected individuals and the Attorney General within 45 days of discovering a security breach. The notice must be clear and conspicuous, describing the incident, the types of data compromised, the protective actions taken, contact information, and advice to remain vigilant. If over 1,000 people are affected, consumer reporting agencies must also be notified.
  - Local Government Reporting: Local government entities are legally required to report cyber incidents that meet specific criteria, such as significant data loss, impact on many victims, or unauthorized access to critical IT systems, within 24 hours of confirmation.
  - North Carolina Electronic Commerce Act (N.C. Gen. Stat. § 66-311): This act validates e-signatures and requires security protocols for managing electronic records, facilitating digital transactions.
  - NCDOJ's Role in Data Breach Reporting: The NCDOJ's annual Data Breach Report underscores the state law requiring businesses and government agencies to report security breaches.
  - NCDIT's Office of Privacy and Data Protection: This office leads the state's privacy program, providing guidance, training, and support to agencies to embed privacy, data protection, and transparency. In 2022, North Carolina adopted the Fair Information Practice Principles (FIPPs) to reduce privacy risk and improve trust in government data handling.
- Applicable Federal Regulations: North Carolina businesses must also comply with federal laws, including:
  - Payment Card Industry Data Security Standard (PCI DSS): For credit card payments.
  - Health Insurance Portability and Accountability Act (HIPAA): For protected health information (PHI).
  - Gramm-Leach-Bliley Act (GLBA): For financial data.
  - Children’s Online Privacy Protection Act (COPPA): For data collected from children under 13.
  - Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA): Requires critical infrastructure businesses to report significant cyber incidents to CISA within 72 hours.
  - Other relevant federal acts include the Federal Trade Commission (FTC) Act (Section 5), Sarbanes-Oxley Act (SOX), Family Educational Rights and Privacy Act (FERPA), CAN-SPAM Act, and Defense Federal Acquisition Regulation Supplement (DFARS).
- Proposed Comprehensive Privacy Legislation (as of March 2025): While North Carolina has not yet enacted a comprehensive state data privacy law, two significant bills were introduced in March 2025 that, if passed, would significantly expand the privacy landscape:
  - North Carolina Personal Data Privacy Act (House Bill 462): Applies to entities processing personal data of at least 35,000 consumers (excluding payment transactions) or 10,000 consumers if over 20% of gross revenue comes from data sales. Defines "sale" broadly to include exchanges for monetary or other valuable consideration. Grants consumers rights like opting out of targeted advertising, data sales, or profiling for significant decisions. The Attorney General would have exclusive enforcement authority with a 60-day cure period for violations. If enacted, it would take effect on January 1, 2026.
  - North Carolina Consumer Privacy Act (Senate Bill 757): Applies to entities with annual revenue of $25 million or more, processing personal information of at least 25,000 NC residents and deriving over 50% of gross revenue from data sales, or processing information of at least 100,000 NC residents. Limits "sale" to exchanges for monetary consideration only. Grants consumers rights, including opting out of targeted advertising and data sales. The Attorney General would have exclusive enforcement authority with a 45-day cure period and civil penalties up to $7,500 per violation. It would also take effect on January 1, 2026.
North Carolina's "Whole-of-State" Response and Prevention Efforts
North Carolina has adopted a "whole-of-state" approach to cybersecurity, emphasizing collective defense, support, and collaboration across all levels of government and with private sector partners.
- N.C. Joint Cybersecurity Task Force (JCTF): This task force is a collaborative body comprised of law enforcement, emergency management, NC National Guard Cyber, the Local Government IT Strike Team, state IT/cyber specialists, and federal agencies. The JCTF provides incident coordination, resource support, and technical assistance, including on-scene response, damage assessment, mitigation, forensic analysis, and system rebuilding. It has supported more than 60 significant cybersecurity incidents since 2019, with 29 incidents in 2021 alone, impacting county/municipal governments, state agencies, community colleges/universities, and critical infrastructure. Governor Cooper formally recognized and established the JCTF in March 2022.
- Prohibition of Ransom Payments: North Carolina is the first state to prohibit state agencies, local governments, and public educational institutions from paying ransoms in response to ransomware attacks. This measure aims to eliminate financial incentives for cybercriminals. The law also directs public bodies to consult with NCDIT after an attack and empowers the State CIO to coordinate statewide responses.
- NC Information Sharing and Analysis Center (NC-ISAAC): This center provides a mechanism for raising cybersecurity readiness and response across state and local governments by receiving, vetting, and correlating information on vulnerabilities, threats, and cyber-related events, facilitating two-way information sharing.
- Cybersecurity and Privacy Committee of the IT Strategy Board: Composed of representatives from UNC System, state agency CISOs, NCLGISA, National Guard, and private organizations, this committee advocates for legislative policies, improves local government cybersecurity maturity, increases public education and awareness, and develops a workforce development framework.
- North Carolina Strategic Communication Interoperability Plan (SCIP): The SCIP, updated in January 2025, includes goals to prioritize physical and cybersecurity for communications ecosystem processes, pathways, and networks. It encourages adherence to security standards, training in cybersecurity best practices, and continuous assessments and improvements. The plan also addresses funding challenges for emergency communications technology and supports the sustainability of critical infrastructure like the VIPER system.
- Carolina Cyber Network (CCN): This is a comprehensive workforce development initiative that connects 23 two- and four-year colleges and universities across North Carolina to meet the growing talent needs of public agencies and private businesses. CCN offers real-world internship and apprenticeship opportunities with NCDIT, aiming to fill the state's approximately 16,000 unfilled cybersecurity positions.
- Strategic Leadership: North Carolina's Chief Information Security Officer (CISO) Bernice Bond emphasizes a collaborative, "people-first mindset" and identifies "people, processes, and technology" as her "big three pillars" for information security. She stresses the importance of understanding user needs, fostering interagency connection, and educating end-users.
Key Regional Ecosystems and Innovation
The Research Triangle Park (RTP) is a central hub for technology, biotechnology, and pharmaceuticals, contributing significantly to North Carolina's cybersecurity innovation and workforce.
- Cybersecurity Hub: RTP is a top 5 cybersecurity market in the US, with 33,000 employees in the sector and a projected 35.8% job growth by 2028. Companies like IBM, LexisNexis, Microsoft, Red Hat, SAS Cybersecurity, and JupiterOne have significant operations here.
- Academic and Research Powerhouses: RTP benefits from its proximity to North Carolina State University (NCSU), Duke University, and the University of North Carolina at Chapel Hill. These universities offer extensive cybersecurity programs and house unique facilities:
  - NCSU's Secure Computing Institute (SCI): A focal point for cybersecurity research and education, uniting efforts across various departments. It includes the Science of Security Lablet (SoSL), Secure America Institute, and Wolfpack Security and Privacy Research (WSPR) Lab.
  - NC A&T University: Boasts several labs for cybersecurity education and research, including a Quantum Computing facility, a Cybersecurity Forensic Hub for Women, and a Student Run Security Operation Center.
- Innovation Ecosystem: RTP's collaborative ecosystem facilitates partnerships between private companies, government, and academic institutions, fostering innovation through incubators, accelerators, and networking events.
Emerging Technologies: AI and Quantum Resilience
North Carolina is also looking ahead to the impacts of emerging technologies on its cybersecurity posture.
- Artificial Intelligence (AI): While North Carolina has not enacted comprehensive state-specific AI laws, its CISO Bernice Bond views generative AI as a "friend" that, if implemented correctly, can complement existing processes. Importantly, proposed comprehensive privacy bills (HB 462 and SB 757) include provisions related to "profiling for decisions that produce legal or similarly significant effects concerning the consumer," implicitly addressing automated decision-making systems that often leverage AI.
- Quantum Computing: The state is proactively studying the security implications of advanced computational developments. The Cybersecurity and Quantum Resilience Study Commission (Senate Bill 562), introduced in March 2025, is tasked with investigating the potential impacts of emerging quantum computing technologies on state systems, legacy encryption, and critical infrastructure (including IoT and smart city initiatives). The commission will provide recommendations for legislative or administrative measures to enhance cybersecurity against future quantum threats.
Conclusion
North Carolina's digital landscape presents a complex mix of escalating cyber threats and a determined, multi-faceted response. The state's foundational privacy laws, combined with ambitious legislative proposals, aim to provide robust protection for personal data. Simultaneously, initiatives like the Joint Cybersecurity Task Force, the prohibition of ransom payments, and the Carolina Cyber Network underscore a "whole-of-state" approach to cybersecurity resilience and workforce development. With key innovation hubs like the Research Triangle leading in cybersecurity expertise and proactive studies into emerging technologies like AI and quantum computing, North Carolina is not only responding to current challenges but is also strategically positioning itself to address the digital threats of tomorrow. For businesses and individuals operating in the state, understanding this intricate framework is essential for achieving and maintaining compliance and security in an increasingly interconnected world.