The North Carolina Identity Theft Protection Act of 2005 (the “Act”) impacts businesses across the country due to its application to any business possessing “personal information” of a North Carolina resident, whether or not the business is physically located in the State.  The Act also applies to financial institutions, although they are exempt from certain provisions of the Act because they are subject to similar requirements under federal laws including the Gramm-Leach-Bliley Act.  “Personal information” is defined as a person’s first name or first initial and last name in combination with any identifying information, such as a Social Security Number, employer identification number, driver’s license, passport, or state identification number, checking or savings account number, credit or debit card number, personal identification number, or any other number or information that can be used to access a person’s financial resources.  Businesses who fail to comply with the Act risk being sued for treble damages and an award of attorneys’ fees pursuant to North Carolina’s Unfair Trade Practices Act.  Knowing our aggressive consumer bar, this statute is likely to be vigorously enforced at the expense of unsuspecting businesses.  Affected businesses are subject to the following requirements: 

Protection of Social Security Numbers.  With limited exceptions, the Act prohibits a business from taking the following actions:

• Effective December 1, 2005: (a)  intentional public communication or disclosure of an individual’s Social Security Number; (b) intentional disclosure of an individual’s Social Security Number to a third party without the individual’s consent, when the third party lacks a legitimate purpose for obtaining the Social Security Number.

• Effective October 1, 2006: (a)  intentionally printing or imbedding an individual’s Social Security Number on any card required to access products or services; (b) requiring an individual to transmit his or her Social Security Number over the Internet without a secure connection or encryption; (c) requiring an individual to use his or her Social Security Number to access an Internet site, unless a password or other authentication device is also required; (d) printing an individual’s Social Security Number on any materials that are mailed to the individual, unless specifically required by state or federal law. 

Thus, every affected business should be reviewing its current policies and procedures and implement any changes necessary to come into compliance with the Act. 

Destruction of Personal Information Records.  With limited exceptions, the Act requires a business to take reasonable measures to protect against unauthorized access to or use of personal information in connection with or after its disposal by the business, including: 

• Implementing and monitoring compliance with policies and procedures requiring the destruction of papers containing personal information and the destruction or erasure of electronic media and other non-paper media containing personal information; and

• Drafting written procedures relating to the destruction and disposal of records containing personal information to be contained in the official business policy manual.

The Act expressly allows a business to outsource its records destruction needs pursuant to a written contract with a service provider; however, there are specific requirements for exercising due diligence in selecting such service providers.

Minimizing the Impact of Security Breaches.  The Act defines a “security breach” as an instance of unauthorized access to and acquisition of personal information of individuals where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to an individual.  In such instances, the Act requires businesses to give notice to all affected individuals, or the owner or licensee of the personal information.  In addition, it may be necessary to notify the North Carolina Attorney General and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. 

Public Recording or Filing of Documents.  The Act prohibits any business or person from including any personal information in any document that is to be publicly filed or recorded.  This prohibition affects all real estate documents, and all documents filed in connection with litigation or other court proceedings.  Businesses should carefully review all documents that are to be filed to be sure that any personal information contained therein is redacted prior to filing.  For instance, it would be a violation of the Act to file a collection complaint with copies of the credit application or other documents attached that reveal the individual debtor’s social security, driver’s license, bank or credit card numbers.  While the application or other document can be filed, any personal information contained therein must be redacted first.

The Poyner & Spruill attorneys will work with you to conduct a compliance review of your company’s policies, procedures and practices that may be affected by the Act, and make recommended changes. 

If you are in need of additional details about the Act or have any  questions regarding this article, please contact Lisa Sumner at 919.783.2869 or lsumner@poynerspruill.com or Judy Thompson at 704.342.5299 or jthompson@poynerspruill.com.

This electronic publication is published by Poyner & Spruill LLP to provide general information about significant legal developments. Because the facts in each situation vary, the legal precedents noted herein may not be applicable to individual circumstances.