Amends the definition of security breach under the Identity Theft Protection Act (Act) to specify that any determination that illegal use has not occurred or is not reasonably likely to occur or that no material risk of harm is created must be documented and maintained for at least three years. Amends GS 75-65 (protection of security provisions) as follows. Deletes the notice provisions required after a breach under GS 75-65(a) and replaces those requirements with the following before-breach requirements and after-breach notifications: (1) the business must implement and maintain reasonable security procedures and practices, appropriate to the nature of the personal information and the size, complexity, and capabilities of the business, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure; (2) provide notice to all persons affected by a security breach as soon as practicable, but not later than 45 days after discovery of the breach or reason to believe a breach has occurred in accordance with this section; and (3) provide notice to the Consumer Protection Division (CPD) of the Attorney General's Office that there has been a security breach as soon as practicable, but not later than 45 days after discovery of the breach or reason to believe a breach has occurred. Specifies that this information is not a public record under State public records law. Permits the CPD to request certain information.  Specifies that personal information does not include (1) electronic identification numbers or electronic mail names or addresses unless it includes any required security code, access code, or password that would allow access to an individual's financial account or resources or other personal information, as defined in this section, (2) internet identification names, (3) a parent's legal surname prior to marriage, or (4) a password, unless the business is aware that this information would permit access to a person's financial account or resources or other personal information, as defined in this section. Sets forth form of notice. 

Amends GS 75-65(c) to require a business send out the required notices within five days (currently, without unreasonable delay) after a law enforcement agency communicates to the business that it has determined that notice will no longer impede an investigation or impact national/homeland security.  Amends GS 75-65(e) to specify that electronic communications can only be provided to persons with whom a business regularly conducts electronic business, in addition to those who have agreed to receive email communications. Deletes the provision setting out requirements for when a business sends out a notice to more than 1,000 people at one time. Specifies that if a person/agency is in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), P.L. 104-191, as amended and with regulations promulgated under that act then the person is deemed to be in compliance with GS 75-65. Specifies that if the person/agency must provide notice under HIPAA, they must also send notice to CPD. Requires a consumer reporting agencies who experience a security breach to offer to provide appropriate identity theft prevention and mitigation services such as credit monitoring at no cost to the consumer for not less than 24 months. Specifies that the consumer reporting agency must provide the  consumer with information necessary to take advantage of the offer. Makes conforming changes.  Requires businesses that know or have reason to know that a security breach includes a person’s social security number to provide credit monitoring services at no cost to the affected persons for at least 24 months.  Prevents a consumer reporting agency from knowingly offering a paid product to prevent unauthorized access or restrict access to a consumer's credit unless, at the time of the transaction, the consumer reporting agency (1) notifies the consumer of the availability of obtaining a security freeze without charge and (2) provides information to the consumer on how to obtain a security freeze. Deletes definition of personal information under GS 75-66 and instead lists the specified exclusions from personal information specified above. 

Enacts new GS 75-67, pertaining to consumer report consent, which prevents a person from obtaining, using, or seeking the consumer report or credit score of a consumer in connection with an application for credit unless the user obtains the written, verbal, or electronic consent of the consumer.

Amends the term identifying information as used in the criminal definition of identity theft to include (1) health insurance policy number, subscriber identification number, or any  other unique identifier used by a health insurer or payer to identify the person; and (2) any information regarding the individual's medical history or condition, medical treatment or diagnosis, or genetic information, by a health care  professional, in addition to the other types of information listed.