What to Know About the NC Identity Theft Protection Act for K

November 21, 2025

Why North Carolina Schools Must Prioritize Student Data Protection

What to Know About the NC Identity Theft Protection Act for K–12 is critical for every school administrator, IT director, and educator in North Carolina. This state law mandates safeguards for student information, requiring schools and their vendors to implement specific security measures, prohibit harmful data practices, and notify families when breaches occur.

Quick Answer: Key Things to Know

The Act protects student personal information (PII) like Social Security numbers and biometric data.
Schools must securely dispose of records containing PII through shredding, burning, or digital erasure.
Security breaches require prompt notification to affected students and parents.
Ed-tech vendors are banned from targeted advertising, selling student data, or creating non-educational student profiles (HB632).
Schools must vet all ed-tech contracts for data security compliance.
Non-compliance can lead to legal action, fines, and loss of data access.

The 2024 PowerSchool contractor breach, which potentially exposed records of millions of NC students, underscored the urgency of these protections. Children's data is a prime target for cybercriminals because identity theft can go unnoticed for years, making compliance with the NC Identity Theft Protection Act a moral imperative.

The Act complements federal laws like FERPA by adding specific requirements for data disposal, breach notifications, and vendor conduct. For NC schools, understanding these rules is the foundation of student safety.

Understanding the NC Identity Theft Protection Act (Chapter 75, Article 2A)

The North Carolina Identity Theft Protection Act, found in Chapter 75, Article 2A of the General Statutes, is a comprehensive framework that applies to businesses, government agencies, and K-12 schools. It's particularly important for schools, which handle vast amounts of sensitive student data daily.

Image of a document with a magnifying glass over the text "Personal Information" - What to Know About the NC Identity Theft Protection Act for K–12

The Act sets clear rules for how organizations must handle, protect, and dispose of personal information. It also mandates rapid notification when breaches occur. For a full overview, see the North Carolina's Identity Theft Protection Act overview.

Defining and Protecting Student PII

Under the Act, "personal information" is a person's first name or initial and last name combined with other identifying details like a Social Security number (SSN), driver's license number, or financial account number with its access code.

The Act gives special status to children under 16, defining them as a "protected consumer." This is because child identity theft often goes undetected for years. In response, the NC Department of Public Instruction (NCDPI) replaced SSN-based systems with a Unique ID (UID) system for students and staff—a best practice for all schools.

Related statutes also prohibit collecting certain biometric data, political affiliations, and religious information in student data systems. For more on what constitutes sensitive data, see our article on Sensitive Data Definition and Types.

When disposing of records, schools must take "reasonable measures." For paper records, this means burning, pulverizing, or shredding. For electronic media, data must be destroyed or erased so it cannot be reconstructed. Simply deleting files or tossing papers in the recycling is a violation of the law.

Security Breach Notification Requirements

A security breach is the unauthorized access to unencrypted personal information where illegal use is likely. If a breach occurs, you must notify affected individuals "without unreasonable delay." The only exception is a temporary delay requested by law enforcement for an investigation.

The notification must be clear and conspicuous, explaining the incident, the type of information compromised, the school's response, and advice for families, such as monitoring credit reports. The 2024 PowerSchool breach highlighted the importance of these rapid notifications. You can review specific requirements in the full text of the Act.

Specific K-12 Provisions (HB632 & SB 815)

Two additional laws, House Bill 632 and Senate Bill 815, add K-12 specific protections.

HB632, the Student Online Privacy Protection Act, targets educational technology providers. It prohibits them from engaging in targeted advertising based on student data, building student profiles for non-educational purposes, or selling student data. It also requires them to implement reasonable security and delete student information within 45 days upon request from a school.

SB 815 mandated that the State Board of Education create a secure student data system with a comprehensive security plan. This law requires privacy policies compliant with FERPA, prohibits unauthorized data transfers, and mandates that vendor contracts include privacy and security safeguards with penalties for noncompliance. It also restricts the collection of biometric and lifestyle data.

Together, these laws create a comprehensive shield around student data, recognizing that children require special protections in the digital age.

What to Know About the NC Identity Theft Protection Act for K–12: Key Responsibilities

Protecting student data is a shared responsibility among school districts, IT directors, ed-tech vendors, and state agencies. Compliance with What to Know About the NC Identity Theft Protection Act for K–12 is a team effort, and failures can have devastating consequences.

Image of school administrators and IT staff collaborating around a computer - What to Know About the NC Identity Theft Protection Act for K–12

Responsibilities for K-12 Schools and Districts

As a school administrator or local education agency (LEA) employee, you are on the front lines of data protection. Key responsibilities include:

Implementing security plans: Develop a comprehensive plan that includes authentication systems, regular security audits, breach response procedures, and clear data retention/disposal policies.
Vetting ed-tech vendors: The 2024 PowerSchool breach showed that vendor vulnerabilities are your vulnerabilities. Thoroughly investigate a vendor's security protocols, data handling, and incident history before signing any contract. Our guide on K–12 Cybersecurity: Protecting Schools from Evolving Threats can help.
Managing contracts: All vendor contracts must include explicit privacy and security safeguards, along with penalties for noncompliance.
Staff training: All staff handling PII need regular training on data protection and cybersecurity threats. Human error is a major risk. Our guide on Cybersecurity Training: Empowering K–12 Staff Against Cyber Threats offers practical strategies.
Parental notification: Annually inform parents of their rights regarding student records, including the ability to opt out of directory information sharing.

Obligations for Educational Technology Providers

Ed-tech vendors serving NC schools must adhere to strict legal obligations under HB632. Key requirements include honoring data deletion requests within 45 days and implementing and maintaining reasonable security procedures appropriate for the data's sensitivity.

Most importantly, the law places strict use limitations on student data. Prohibited activities for ed-tech vendors include:

Engaging in targeted advertising based on student information.
Using student information to build profiles for non-educational purposes.
Selling or renting student data, except in very limited circumstances (e.g., a business merger or acquisition).
Disclosing student data outside the narrow exceptions defined in the statute.

Consequences of Non-Compliance

Ignoring the NC Identity Theft Protection Act carries significant costs.

Legal action: The Attorney General can bring civil actions for violations. Breaches of the broader Act are treated as Unfair and Deceptive Trade Practices.
Financial penalties: Violations can lead to misdemeanor charges and fines up to $25,000 for repeat offenders.
Loss of data access: Third-party contractors who violate the Act can be barred from accessing PII for up to five years.
Reputational damage: A data breach can destroy trust with parents and the community, leading to decreased enrollment and years of rebuilding confidence.

Compliance is about protecting children and maintaining the trust that makes education possible. To identify your school's vulnerabilities, consider requesting a free phishing audit to see how prepared your staff is.

How the NC Act Aligns with Federal Law (FERPA)

The Family Educational Rights and Privacy Act (FERPA) has been the cornerstone of student privacy since 1974. However, What to Know About the NC Identity Theft Protection Act for K–12 involves understanding that North Carolina has built additional layers of protection that work alongside FERPA to create a stronger shield for student data.

![TABLE] comparing the key features of the NC Identity Theft Protection Act and FERPA, including scope, protected information, primary focus, and enforcement - What to Know About the NC Identity Theft Protection Act for K–12 infographic ](https://images.bannerbear.com/direct/4mGpW3zwpg0ZK0AxQw/requests/000/115/532/958/0eb715rd3zL8jK1azBPpEmKay/540577c577beb05495a0ae0db23980dc11064a16.jpg)

Feature	FERPA (Federal)	NC Identity Theft Protection Act (State)
Primary Focus	Protects student privacy by controlling access to "education records."	Prevents identity theft by protecting "personal information."
Protected Info	Personally Identifiable Information (PII) within education records (grades, transcripts).	Broader PII, including SSNs, financial data, biometric info, and "covered information" from online services.
Vendor Rules	Requires vendors acting for schools to protect data using "reasonable methods."	Explicitly prohibits vendors from targeted advertising, selling data, or building non-educational profiles (HB632).
Breach Notice	General guidance on protecting data; breach notification is not its primary focus.	Mandates prompt, detailed notification to affected individuals and authorities.
Enforcement	Primarily through the U.S. Dept. of Education; potential loss of federal funding (rarely used).	NC Attorney General can take civil action; includes financial penalties, criminal charges, and loss of data access for vendors.

How the NC Act Complements FERPA

Think of FERPA as the foundation and North Carolina's laws as the reinforced walls. The NC Act has a broader scope, protecting any "personal information" that could lead to identity theft, even if it's not part of a formal "education record." It also imposes more specific business obligations on ed-tech vendors, explicitly banning practices like targeted advertising. The state law's identity theft focus leads to practical requirements for data disposal and special protections for minors. Finally, it mandates data security specifics, requiring schools to develop comprehensive security plans.

For more on the federal law, read All About FERPA: The Federal Student Privacy Law That Still Matters in 2025.

Key Differences for K-12 Institutions to Understand

The laws work together, but their differences are key to full compliance. North Carolina's law protects a wider range of information types and has more detailed notification requirements in the event of a breach. The state's rules for application to vendors are far more explicit, making contracts easier to enforce. Finally, the enforcement mechanisms under state law are more varied and direct, including civil and criminal penalties. Understanding both sets of laws is essential for building a true culture of data protection.

Practical Steps for Compliance and Protecting Student Data

Understanding What to Know About the NC Identity Theft Protection Act for K–12 is the first step; putting that knowledge into practice is the next. Protecting student data is an ongoing commitment that requires a clear plan and a culture of cybersecurity awareness.

Image of a parent and teacher discussing a student's progress on a tablet - What to Know About the NC Identity Theft Protection Act for K–12

What School Administrators Can Do

As an administrator or IT director, you can turn compliance into meaningful action:

Develop a comprehensive data security and privacy plan. This roadmap should detail how PII is collected, stored, used, and destroyed, including access controls, audit schedules, and breach response procedures. Our Data Security and Privacy Plan resource can help.
Conduct regular risk assessments. Identify vulnerabilities before hackers do. A simple gap, like a contractor account without multi-factor authentication, can lead to a massive breach.
Vet ed-tech vendors rigorously. Ensure contracts include security safeguards and penalties for noncompliance. Ask tough questions about encryption, access, and breach response.
Invest in ongoing staff training. Everyone handling student data needs practical cybersecurity training to spot phishing and handle data properly. Learn more in our guide on Cybersecurity Training: Empowering K–12 Staff Against Cyber Threats.
Implement strong access controls. Limit PII access to only those who need it and enforce multi-factor authentication (MFA) for all accounts.

What Parents Should Know and Do

Parents are essential partners in protecting their child's data:

Know and use your rights. Under FERPA and NC law, you can inspect your child's records, request corrections, and control who sees their PII.
Ask your school about its data policies. Inquire about their security plan, how they vet apps, and what training staff receives.
Review ed-tech privacy policies. Before using a new app, check what data it collects and how it's used.
Consider a credit freeze for your child. As "protected consumers," you can place a security freeze on your child's credit report, a powerful tool against identity theft.

Why Cybersecurity Awareness is a Critical Part of the Solution

Even the best technical defenses can fail if a staff member clicks on a malicious link. Human error remains a leading cause of data breaches, making cybersecurity awareness essential.

Phishing attacks are increasingly sophisticated and are a primary vector for ransomware that targets schools. Building a security culture where everyone understands the basics, recognizes threats, and knows how to respond is critical. When your entire staff becomes a human firewall, you multiply your defenses. Our article on Phishing Awareness: Safeguarding K–12 Schools from Cyber Threats explains this threat in more detail.

This is why CyberNut's automated, gamified training is so effective for K-12 schools. It builds awareness that sticks. To see your school's vulnerabilities, request a free phishing audit and get a clear picture of your staff's readiness.

Conclusion

Understanding What to Know About the NC Identity Theft Protection Act for K–12 is not just about legal compliance—it's about safeguarding the futures of North Carolina's students. The PowerSchool breach was a stark reminder that children are prime targets for identity theft, and the consequences can last a lifetime.

The responsibility is shared. School administrators must implement robust security plans and train staff. Ed-tech providers must adhere to strict data use limitations. Parents must be active partners in overseeing their child's data. North Carolina's laws, working with FERPA, provide a strong framework, but it's our collective action that gives it power.

A proactive defense is always better than a reactive one. As threats like phishing and ransomware evolve, building a culture of cybersecurity awareness is essential. At CyberNut, we specialize in helping K-12 schools build that human firewall with automated, gamified training that engages staff and produces real results.

Ready to see where your vulnerabilities lie? Request a free phishing audit today to assess your staff's readiness against real-world threats. Then, explore our platform to see how CyberNut can strengthen your district's cybersecurity posture. Protecting our students is a shared journey, and we have the tools to help you succeed.