The North Carolina Identity Theft Protection Act Of 2005 and Its Effect On Businesses

By Lance P. Martin
January 2006

In the past several years, identity theft - both the problem itself and the public awareness of it - has increased steadily. As a result, the North Carolina General Assembly took steps to combat the problem by enacting the Identity Theft Protection Act of 2005. To achieve its goals, certain sections of the Act compel North Carolina businesses to take action to alleviate identity theft. Portions of these sections became effective on December 1, 2005, while others will take effect on October 1, 2006. The Act imposes significant legal restrictions and requirements on North Carolina businesses. If your business accumulates personal information, then it is critical that you understand the Act and comply with its mandates.

Who Must Comply With The Act

The Act applies to sole proprietorships, partnerships, corporations, associations, and other groups, including non-profits. The definition of "business" also includes banks and other financial institutions, unless they are subject to certain Federal regulations. The Act applies to entities located in North Carolina, as well as out-of-state entities that conduct business in North Carolina or maintain or possess personal information of North Carolina residents. The requirements of the Act may not be waived.

The three sections of the Act of greatest concern for businesses are: (1) social security number protection, (2) destruction of personal information records, and (3) protection from security breaches.

Protection of Social Security Numbers

The Act, subject to certain exceptions, prohibits a business from doing any of the following with social security numbers ("SSNs"):

  • making SSNs available to the general public;
  • printing SSNs on any card required for individuals to access products or services;
  • requiring individuals to transmit SSNs over the Internet, unless the business provides a secure connection or encryption of the SSNs;
  • requiring individuals to use SSNs to access a website, unless a password or unique identification number or other authentication device also is required;
  • printing SSNs on any materials mailed to individuals, unless required by state or federal law; and,
  • disclosing SSNs to a third party without written consent, unless the third party needs the information for a legitimate purpose.

Businesses must make "reasonable efforts" to ensure that they implement the requirements of the Act. Unfortunately, the Act does not define what is reasonable. Consequently, until there is additional guidance on the Act, the safest practice may be to implement a compliance program as broad and far-reaching as possible.

A business that fails to comply with this section is deemed to have violated Section 75-1.1 of the North Carolina General Statutes, which prohibits unfair and deceptive trade practices and acts. A violation subjects a business to an enforcement action by the Attorney General's Office and a private right of action by the affected individual. The business may face civil penalties, damages, the possibility of those damages being trebled by the Court, and attorneys' fees.

This section will take effect on October 1, 2006.

Destruction of Personal Information Records

In addition to protecting SSNs, the Act also requires businesses to take "reasonable measures" to protect against unauthorized access to or use of personal information in connection with or after its disposal. Once again, the Act does not define what is reasonable. Personal information includes the following:

  • a person's first name or first initial and last name in combination with other identifying information;
  • SSNs;
  • employer taxpayer identification numbers;
  • driver's license, state identification card, or passport numbers;
  • checking, savings, credit card, and debit card account numbers;
  • PIN codes and passwords;
  • electronic identification numbers, e-mail names or addresses, Internet account numbers, or Internet identification names;
  • digital signatures, biometric data, and fingerprints; and,
  • parent's legal surname prior to marriage (i.e., mother's maiden name).

Disposal of personal information includes abandonment, sale, donation, or transfer of any medium containing personal information. Consequently, any business that abandons outdated computer equipment or sells or donates such equipment to charitable or other organizations must ensure beforehand that it properly removes all personal information. As to disposal, the following measures are mandatory:

  • implementing and monitoring compliance with policies that require the burning, pulverizing, or shredding of papers and that require the destruction or erasure of electronic media and other non-paper media so that personal information cannot be read or reconstructed; and,
  • describing these procedures as the official policy of the business.

A business may comply with the Act by hiring a third party engaged in the business of record destruction ("Contractor") to destroy personal information, but only after exercising due diligence, such as:

  • reviewing an independent audit of the Contractor's operations or its compliance with the Act or its equivalent;
  • obtaining information about the Contractor from several references or other reliable sources and requiring that the Contractor be certified by a recognized trade association or similar third party with a reputation for high standards of quality review; and/or,
  • reviewing and evaluating the Contractor's information security policies or taking other appropriate measures to determine the competency and integrity of the Contractor.

This section does not apply to banks or financial institutions subject to and in compliance with the Gramm-Leach-Bliley Act, health insurers or health care facilities subject to and in compliance with the Health Insurance Portability and Accountability Act of 1996, and consumer-reporting agencies subject to and in compliance with the Fair Credit Reporting Act.

A violation of this section subjects a business to an enforcement action by the Attorney General's Office and a claim for damages by any individual who is injured as a result of the violation. Unlike a violation of the SSN section, any damages assessed against a business because of the acts or omissions of its non-managerial employees relating to the disposal of records will not be trebled unless the business was negligent in the training, supervision, or monitoring of those employees.

This section took effect on December 1, 2005.

Protection from Security Breaches

If, despite best efforts, a business nevertheless suffers a security breach involving personal information, then the Act imposes additional duties on the business. First, the business must notify the affected individuals, unless a law enforcement agency informs the business that notification may impede a criminal investigation or jeopardize national homeland security. Barring that exception, notice must be made without unreasonable delay, must be clear and conspicuous, and must provide the affected individuals with the following information:

  • a general description of the security breach;
  • the type of personal information involved;
  • what the business is doing to protect the personal information from further unauthorized access;
  • where to call for further information and assistance; and,
  • advice that directs the affected individual to remain vigilant by reviewing account statements and monitoring free credit reports.

Substitute notice is available in certain circumstances, such as where the cost of providing notice would exceed $250,000 or more than 500,000 persons are affected, or there is insufficient information available to contact the affected individuals directly.

If a business provides notice to more than 1,000 affected individuals at one time, the business also must notify the Consumer Protection Division of the Attorney General's Office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notice.

A violation of this section subjects a business to an enforcement action by the Attorney General's Office and a claim for damages by any individual who is injured as a result of the violation.

This section took effect on December 1, 2005.

Other Provisions

In addition to those discussed above, the Act includes other provisions to protect consumers. For example, as of December 1, 2005, no person preparing a document to be recorded or filed in the official records by a County Register of Deeds or of the courts may include personal information, unless otherwise expressly required by law or court order.

Conclusion

To avoid violations of the Identity Theft Protection Act, businesses must act now to determine what steps they must take, if any, to comply with its mandates. Ward and Smith, P.A. stands ready to assist you in this endeavor.

For further information and assistance, contact Paul A. Fanning or Lance P. Martin.
