LawSnap

Privacy Law And Technology

NC Suit Says Real Estate Co. Cyberattack Notice Took Months

Published March 26, 2026

Source law360.com open_in_new

Score

7

Why it matters

A purported class action lawsuit was filed in North Carolina's Business Court accusing an unnamed real estate company of a September 2025 cyberattack that compromised customer data, with the firm allegedly waiting months to notify affected individuals and failing to disclose the type of stolen information.[1][2][13] The plaintiff claims harm including lost time, annoyance, inconvenience, anxiety, and heightened identity theft concerns stemming from the delayed response.[2]

The key parties are the unnamed real estate company (defendant), an unidentified plaintiff representing a proposed class of customers, and North Carolina's Business Court handling the case.[1][2] No specific executives, agencies, or legislation are named in the suit, though it aligns with broader NC trends in data breach litigation under statutes like the Identity Theft Protection Act, which proposed overhauls emphasize timely notice (e.g., 15-day deadlines) and reasonable security measures.[6]

The breach occurred in September (likely around September 2-4, 2025, per similar incidents), with notifications issued months later, prompting the March 26, 2026 filing amid a pattern of NC class actions over delayed notices and weak controls in sectors like real estate and settlements.[1][2][5] This follows other 2025 breaches (e.g., Charlottesville Settlement Company exposing SSNs and financial data) and federal dismissals requiring concrete injury proof.[5][8]

Newsworthy due to rising data breach litigation in NC's Business Court, which handles complex tech cases like ransomware and phishing, spotlighting enforcement gaps as proposed laws aim to impose treble damages for violations and strict timelines amid frequent real estate sector vulnerabilities.[1][2][6][9] Filed just days ago (March 26, 2026), it underscores ongoing scrutiny of notification delays in a state with evolving cyber regulations.[1][2]

Sources

[1] https://www.law360.co.uk/amp/articles/2457520

[2] https://www.law360.com/classaction/articles/2457520/nc-suit-says-real-estate-co-cyberattack-notice-took-months-

[3] https://www.housingwire.com/articles/us-mortgage-breach-lawsuit/

[4] https://rcdlaw.net/n-c-business-court-opinions-february-14-2024-february-27-2024/

[5] https://www.classaction.org/data-breach-lawsuits/charlottesville-settlement-company-march-2026

[6] https://www.elliswinters.com/trade/proposed-overhaul-north-carolinas-data-breach-law-big-time-consequences/

[7] https://natlawreview.com/article/north-carolina-prohibits-public-sector-entities-paying-ransom-ransomware-cyberattack

[8] https://blogs.duanemorris.com/classactiondefense/2025/10/09/the-class-action-weekly-wire-episode-122-data-breach-class-action-dismissed-for-plaintiffs-failure-to-allege-concrete-injury/

[9] https://www.jdsupra.com/legalnews/data-breach-cases-require-some-8720509/

[10] https://www.jdsupra.com/topics/data-breach/complex-litigation/north-carolina/

[11] https://www.clarkhill.com/news-events/news/right-to-know-march-2026-vol-39/

[12] https://www.honeywelldatasettlement.com/pdf/Class-Action-Complaint.pdf

[13] https://www.secmentis.com/news/nc-suit-says-real-estate-co-cyber-attack-notice-took-months

[14] https://www.mondaq.com/unitedstates/personal-injury/1651938/north-carolina-federal-court-dismisses-data-breach-class-action-in-finding-bare-assertions-are-insufficient-to-confer-standing

[15] https://www.thelegaldescription.com/tld/articlestld.aspx?issueid=3610bd08-e6fa-f011-9197-ac1f6b9adf69

mail

Get notified about new Privacy developments

Primary sources. No fluff. Straight to your inbox.

Related

View all Privacy

See more entries tagged Privacy.