North Carolina's Identity Theft Protection Act

On Sept. 21, 2005, Governor Easley signed SB 1048, the Identity Theft Protection Act of 2005, into law. This law is intended to help prevent ID theft in North Carolina. This white paper describes the law and how it will impact private businesses. Sage Information Security is not a law firm, and we cannot give legal advice. If you need legal advice, you should consult with a qualified attorney.

The Big Picture

This law requires businesses to protect information from and about their customers. It includes harsh financial penalties for companies that fail to meet these requirements. Businesses in North Carolina have a new legal obligation. Among other things, they are now required to have written policies and procedures in place to protect their customer information, including the destruction of records containing personal information. The majority of the act became effective December 1, 2005. Although there are specific provisions that do not become effective until 2006 and 2007, these provisions do not in general impact private industry.

Violations of this act will automatically qualify as Unfair or Deceptive Acts or Practices under Chapter 75 of the North Carolina General Statutes. Several parts of this law make provision for triple damages, but only if the business was negligent in training its staff or developing its policies and procedures, or willfully allowed the disclosure of personal information.

Social Security Number Protection

A key provision of this law is that businesses cannot disclose or make public an individual's social security number. This includes not using the SSN as a credit card number, password, or access code. SSNs cannot be used to access web sites unless a separate PIN or password is also used. SSNs should not be transmitted over the Internet unencrypted, or printed on mailed materials in such a way that the number could be visible to the public. Finally, Social Security numbers cannot be sold, loaned, leased, or otherwise shared with third parties without written consent from the individual.

There are some exceptions for businesses to the above rules. These include using the SSN on an application to amend or create a contract, or to verify an SSN on a credit report application. Businesses can use SSNs for internal verification or administrative purposes, for opening an account, or for provision of or payment for customer-authorized services or products. Businesses can also use Social Security numbers to investigate or prevent fraud, conduct background checks, obtain credit reports from or furnish data to a consumer reporting agency, collect debts, or locate missing individuals.

The Security Freeze Provision

The law provides for a Security Freeze on credit reports. A security freeze prevents new creditors from accessing an individual's credit report without express authorization. The credit freeze provision specifically excludes ongoing relationships. One additional provision of this section prescribes specific language regarding the consumer's rights whenever a customer is required to receive a summary of rights under section 609 of the Fair Credit Reporting Act.

The good news for the private sector is that this provision will have little impact on the operations of most businesses. Those businesses most affected will be those with heavy involvement with credit reports.

Destruction of Records

The section of this law that will affect many businesses is Section 75-64. It requires businesses to develop detailed written policies and procedures for the destruction of consumer information, and to ensure employees are fully trained in following these procedures.

All businesses that collect personal information from North Carolina residents must take "reasonable measures" to protect the confidentiality of that information during and after its disposal. What constitutes reasonable measures is specifically defined. There are two choices:

1) Burning, pulverizing, or shredding papers containing personal information so that the information cannot be practicably read or reconstructed

2) Using a commercial record destruction company, with due diligence to assure they will properly handle the documents

Three options are specified for due diligence applied to a record destruction company. The first is to review an independent audit of the company. The second is to obtain information about the company from several reliable sources, and require that the company be certified by a reputable third party. The third option is to review the disposal company's security policies and procedures to ensure the competency and integrity of the business.

Treble damages are only applicable to the destruction of records if the business is shown to be negligent in the drafting of policies and procedures, or in the training for and monitoring of the implementation of those policies and procedures.

Protection From Breaches

If a business learns of a security breach that results in the disclosure of personal information, the business has an absolute duty to report the breach "without unreasonable delay" to anyone whose personal information may have been compromised. The specific content of the notification is contained in the statute. The notification may be delivered by letter, electronic mail, or telephone, but it must be designed to reach the affected individuals directly.

If more than 1000 persons are involved, the Consumer Protection Division of the Attorney General's Office and all consumer reporting agencies must also be notified.

Redacted Public Filings

The Act specifies that all information filed with the Clerk of Court or the Register of Deeds must not contain identifying numbers such as social security numbers, driver's license numbers, bank account numbers, or credit card numbers. The numbers can be redacted, and the Act defines redaction in this context. Redaction means making data unreadable or truncating it so that no more than the last four digits of an identification number are readable. Violations of this section are punishable by fines not to exceed $500 per violation.

This applies to all filings in Small Claims Court, lien filings, Deeds of Trust, or any court actions. It means that all attorneys and their clients must be extremely vigilant in handling all documents that may be filed with a Clerk or Register of Deeds.

References:

The text of the Act itself can be found at:

http://www.ncga.state.nc.us/Sessions/2005/Bills/Senate/HTML/S1048v6.html

Further interpretation from the legal firm Vann And Sheridan LLP can be found at:

http://www.vannattorneys.com/resources/id_theft_05.pdf

The North Carolina Attorney General's Office explains the Security Freeze here:

http://www.ncdoj.com/DocumentStreamerClient?directory=Publications&file=securityfreeze.pdf