North Carolina Identity Theft Laws

A practical guide to North Carolina’s identity theft rules, penalties, and consumer protections.

By Medha deb
Created on

North Carolina treats identity theft as a serious offense and also imposes separate privacy and breach-notification duties on businesses and institutions that handle personal information. The law reaches both the person who steals identifying information and the organizations that must protect it.

This article explains how the state defines identity theft, when the offense becomes more serious, what civil remedies are available, and how the Identity Theft Protection Act limits the handling of sensitive data.

What Counts as Identity Theft in North Carolina

Under North Carolina law, identity theft generally occurs when a person knowingly obtains, possesses, or uses another person’s identifying information with the intent to pretend to be that person for a financial transaction, to gain a benefit, or to avoid legal consequences.

The statute applies whether the victim is living or deceased. That means the law is not limited to classic credit-card fraud; it also covers conduct such as opening accounts, making purchases, or using someone else’s identity to escape responsibility for a crime or debt.

  • Knowingly obtaining another person’s identifying information
  • Possessing that information with criminal intent
  • Using the information to impersonate the victim
  • Seeking value, benefit, or advantage through the impersonation
  • Avoiding legal consequences by using another identity

North Carolina also makes it unlawful to sell, transfer, or purchase another person’s identifying information when the intent is to commit identity theft or help someone else do so.

What Information Is Protected

The statute uses a broad definition of identifying information. State materials and legal summaries describe this category as including information that can identify a person and can be used to impersonate them, such as a name paired with account numbers, government identifiers, and other personal data.

Examples of protected information Why it matters
Social Security number Can be used to open accounts, apply for credit, or bypass identity checks
Driver license number May be used to pass verification or create false records
Bank account information Can enable unauthorized transfers or purchases
Credit and financial account data Often used for fraudulent transactions or loans

The exact list of protected data is broader than a single example set, but the practical point is clear: North Carolina protects personal data that can be used to impersonate someone or access their money, credit, or records.

Criminal Penalties and Felony Levels

Identity theft is a felony in North Carolina. The ordinary offense is generally punished as a Class G felony.

The offense can become more serious in certain situations. Available legal summaries explain that identity theft may be punished as a Class F felony if the victim suffers arrest, detention, or conviction as a result of the offense, or if the defendant possesses identifying information for three or more separate people.

  • Class G felony for the basic offense
  • Class F felony in aggravating circumstances
  • Restitution may also be ordered to cover the victim’s losses

Sentencing in North Carolina depends on criminal history and other statutory factors, so the final punishment can vary even within the same felony class. In addition to incarceration, courts may order financial restitution to compensate the victim.

Related Crimes and Conduct

North Carolina law does not stop at direct use of another person’s identity. The statute also reaches conduct that supports identity theft, including the sale or transfer of another person’s identifying information when done with the intent to commit the crime or help another person commit it.

This matters because identity theft often involves more than a single act. A person may gather personal data, pass it along, or use it to create a chain of fraudulent activity. The statute is designed to cover both the final impersonation and the earlier steps that make the fraud possible.

Civil Remedies for Victims

North Carolina gives identity theft victims a separate civil remedy. According to state legal materials and practitioner summaries, a victim may sue the person responsible for damages, injunctive relief, and attorney’s fees in appropriate cases.

Damages may include the greater of three times actual damages or a statutory amount per unlawful act, subject to the amounts described in the civil statute. Victims may also seek an order stopping future identity theft-related conduct.

  • Money damages for losses caused by the misuse of identity
  • Enhanced damages tied to the statute’s formula
  • Injunctions to stop ongoing misconduct
  • Attorney’s fees in some cases

The civil claim has its own time limit. North Carolina materials indicate that suit generally must be filed within three years from the date the wrongdoer’s identity was discovered, or reasonably should have been discovered.

How the Identity Theft Protection Act Helps Prevent Harm

North Carolina also regulates how organizations collect, store, disclose, and dispose of personal information. The Identity Theft Protection Act places obligations on businesses and public institutions that maintain sensitive data, especially Social Security numbers and related personal identifying information.

These rules are preventive rather than punitive. Their purpose is to reduce the risk that data will be exposed, misused, or dumped without safeguards.

Limits on Social Security numbers

State guidance explains that businesses generally may not publicly print or unnecessarily disclose a person’s Social Security number, nor may they use it in ways that expose the number to others without authorization.

Common restrictions include limits on printing the full number on mailed material, placing it on cards used to access services, or transmitting it over the internet without encryption.

Data disposal and internal safeguards

The Act also requires reasonable measures to properly dispose of personal information so that it cannot be reconstructed or misused after disposal. Electronic media must be handled with similar care.

For organizations, this means privacy policies cannot exist only on paper. They must be implemented, monitored, and updated so that personal information is protected throughout its lifecycle.

Data Breach Notification Duties

When a security breach occurs, North Carolina law requires prompt notice to affected individuals in many circumstances. State materials describe notice as being provided without unreasonable delay, subject to law-enforcement needs.

The notice must be clear and conspicuous and delivered using the methods allowed by statute, such as written notice, telephone, or email, depending on the circumstances. When direct notice is impractical, substitute notice may be allowed.

  • Direct notice by approved methods when feasible
  • Substitute notice when large-scale or contact-based notice is not practical
  • Regulator notice in major breaches affecting many people

These requirements are important because the earlier a person learns of a breach, the sooner they can freeze accounts, change passwords, or monitor for misuse.

Practical Steps If You Suspect Identity Theft

People who think their information has been misused should act quickly. The North Carolina Department of Justice encourages consumers to protect their identity and report suspected fraud.

  • Review account activity for unauthorized transactions
  • Contact banks and creditors to dispute suspicious activity
  • Place fraud alerts or security freezes when needed
  • Save records of calls, emails, and letters
  • Report the incident to the proper state and federal agencies

Documentation matters because it can support disputes with lenders, help law enforcement, and strengthen a later civil claim if the fraud caused measurable losses.

Why the Law Matters for Businesses and Employers

Companies that handle customer, employee, or student data face legal exposure if they fail to safeguard information. The law creates compliance duties that can affect storage practices, vendor management, network security, and incident response.

For many organizations, the most important lesson is that identity protection is not limited to stopping a criminal outsider. It also includes limiting internal disclosure, minimizing unnecessary collection, and disposing of records safely.

Business duty Purpose
Restrict Social Security number disclosure Reduce exposure of highly sensitive identifiers
Use secure transmission methods Prevent interception of personal data
Dispose of records securely Lower the risk of post-use misuse
Notify after a breach Allow affected people to respond quickly

Noncompliance may lead to litigation, regulatory scrutiny, and reputational harm even when no criminal charge is filed.

Frequently Asked Questions

Is identity theft a misdemeanor in North Carolina?

No. North Carolina treats identity theft as a felony offense, not a misdemeanor.

Can someone be charged even if the victim is deceased?

Yes. The statute covers identifying information belonging to a person who is living or dead.

Does the law cover helping someone else commit identity theft?

Yes. The statute makes it unlawful to sell, transfer, or purchase identifying information with the intent to commit identity theft or assist in it.

Can a victim sue the offender?

Yes. North Carolina law allows civil claims for damages and injunctive relief, and attorney’s fees may be available in some cases.

What should a business do after a breach?

A business should investigate, contain the breach, and send required notices without unreasonable delay when the law requires notice.

Final Takeaways

North Carolina uses both criminal law and privacy regulation to fight identity-related harm. The criminal statute punishes fraudulent use of another person’s identifying information, while the Identity Theft Protection Act tells organizations how to handle sensitive data more carefully.

For individuals, the key protections are the ability to report misuse, pursue civil remedies, and receive notice after a breach when their information may have been exposed.

References

  1. North Carolina Criminal Law 14-113.20: Felony Identity Theft — Carolina Attorneys. n.d. https://www.carolinaattorneys.com/14-113-20-felony-identity-theft.html
  2. What is Identity Theft in North Carolina? — Harkey Litigation. n.d. https://harkeylitigation.com/identity-theft-north-carolina/
  3. North Carolina Identity Theft Protection Act — Smith Debnam. n.d. https://www.smithdebnamlaw.com/article/north-carolina-identity-theft-protection-act-the-importance-of-keeping-private-information-private/
  4. Chapter 75 – Article 2A — North Carolina General Assembly. n.d. https://www.ncleg.net/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_75/Article_2A.html
  5. Identity Theft Protection Act — East Carolina University, Office of Institutional Integrity. n.d. https://institutional-integrity.ecu.edu/itpa/
  6. G.S. 14-113.20, Identity Theft — North Carolina General Assembly. n.d. https://www.ncleg.gov/enactedlegislation/statutes/pdf/bysection/chapter_14/gs_14-113.20.pdf
  7. Security Breaches Under the NC Identity Theft Protection Act — University of North Carolina School of Government. n.d. https://www.sog.unc.edu/sites/default/files/course_materials/SecurityBreaches.pdf
  8. Protecting Your Identity — North Carolina Department of Justice. n.d. https://ncdoj.gov/protecting-consumers/protecting-your-identity/
Medha Deb is an editor with a master's degree in Applied Linguistics from the University of Hyderabad. She believes that her qualification has helped her develop a deep understanding of language and its application in various contexts.

Read full bio of medha deb