Durham Data Breach Notification - City Rules

Published February 09, 2026

Durham, North Carolina city agencies and contractors that handle city systems must follow the City of Durham's incident and information-security procedures when personal data is compromised. This guide summarizes the city's published response steps, whom to notify, enforcement pathways, and practical actions for IT staff, vendors, and privacy officers. It points to official City resources and state consumer protection guidance for breach notification and consumer remedies. Where the city's published pages do not state fines or timelines explicitly, this guide notes that the information is not specified on the cited page and links to the controlling official documents for confirmation.

Report suspected breaches immediately to the designated city security contact.

Scope & When Notification Applies

City systems include any municipal servers, applications, or data held by City of Durham departments or by vendors under contract to the city that store personally identifiable information (PII) or protected health information. Notification obligations typically arise when unauthorized access to, acquisition of, or exposure of PII creates a reasonable risk of harm to affected individuals.

  • Responsible parties: City departments, contractors, and subcontractors holding city data.
  • Trigger events: unauthorized access, ransomware incidents, or confirmed exfiltration of PII.
  • Initial contact points: the City of Durham IT/Information Security team and the City Manager's Office; see the City policy link below for reporting details.[1]

Penalties & Enforcement

The City's published IT incident and information-security pages describe reporting, containment, and coordination steps but do not list specific monetary fines or civil penalties for data breaches on the cited page. Where municipal penalties are not published, state consumer-protection authorities or statutory remedies may apply; the relevant state guidance is linked below.[2]

If the city policy does not state fines, state remedies or contract sanctions may still apply.
  • Monetary fines: not specified on the cited city pages; see enforcement links for state guidance.[2]
  • Escalation: the city procedure emphasizes containment, forensics, and notification; specific escalation fines or per-day penalties are not specified on the cited page.
  • Non-monetary sanctions: contract termination, corrective-action orders, audits, and possible referral to state authorities or law enforcement are described in practice but specific ordinance orders are not listed on the cited page.
  • Enforcer and contact: City of Durham Information Technology / Information Security team and the City Manager's Office for incident reporting; complaints can also be directed to state consumer-protection offices.[1]
  • Appeals/review: the city's policy references internal review and legal counsel coordination; specific statutory appeal time limits are not specified on the cited page.

Applications & Forms

There is no published, centralized “breach notification form” on the City of Durham document pages; reporting is usually initiated by contacting the City IT/Information Security team as described in the city's incident response guidance. If a vendor contract requires a written notice, follow the contract procedure and send required notices to the City Attorney and City Manager's Office as directed in the contract.

Check your contract for notice addresses and deadlines.

Action Steps for City Staff and Vendors

  • Immediately isolate affected systems and preserve logs and forensic evidence.
  • Notify the City of Durham Information Security contact and the City Manager's Office per the published City reporting path.[1]
  • Document scope, data types affected, number of records, and timeline of the incident.
  • Prepare notifications for affected individuals and coordinate with legal counsel and the City Attorney.
  • Implement recommended mitigations and update contracts or system controls to prevent recurrence.

FAQ

Who must notify the City after a suspected breach?
Any City department, employee, contractor, or subcontractor that discovers a suspected breach must notify the City of Durham Information Security team and the City Manager's Office following the city's incident response instructions.

Are there preset fines for failing to notify?
The City's public incident pages do not list preset fines; any monetary penalties may depend on contract terms or state enforcement.[2]

Do affected residents get required written notice?
Notification to individuals is part of the City's response process; the exact format and timing are determined by the incident, legal counsel, and applicable state rules as guided by the City's procedures.

How-To

  1. Confirm and contain: verify the incident, isolate systems, and preserve forensic evidence.
  2. Report internally: contact the City of Durham Information Security team and the City Manager's Office immediately.
  3. Assess scope: identify affected records, data types, and potential harm to individuals.
  4. Notify stakeholders: coordinate notifications to individuals, contractors, and legal counsel as required.
  5. Follow up: implement remediation, update policies, and document lessons learned.

Key Takeaways

  • City of Durham requires prompt reporting of breaches to its Information Security and City Manager's offices.
  • Specific monetary fines or per-day penalties are not published on the city's incident pages; check contracts and state law for remedies.

Help and Support / Resources


  [1] City of Durham Document Center - policies and incident guidance
  [2] North Carolina Department of Justice - data breach guidance