A Business Guide to North Carolina’s Identity Theft Protection Act

Like many other states, North Carolina has enacted a data breach notification law in an effort to help protect its citizens from identity theft due to the disclosure of personally identifiable by private enterprises.  Passed in 2005, the Identity Theft Protection Act (ITPA) sets out guidelines that companies must follow for the proper use, protection, and destruction of personal information.  It also outlines the steps a business must take to notify its customers, business partners and possibly the state government in the event of a breach of personal information.  If you operate a business in North Carolina and maintain personal information, whether in digital or paper form, please read on to ensure you are familiar with the law.

The law defines personal information as either a first name or first initial and a last name in combination with any of the following:

  • Social security or employer taxpayer identification numbers
  • Drivers license, state identification card or passport numbers
  • Checking account numbers
  • Savings account numbers
  • Credit card numbers
  • Debit card numbers
  • Personal Identification (PIN) Code
  • Digital signatures
  • Any other numbers or information that can be used to access a person’s financial resources
  • Biometric data
  • Fingerprints
  • Passwords

If a business stores this information in either digital or paper form, it is required to abide by the following rules in the case of unauthorized access:

  • In the case of a breach of personal information in which the business owns or licenses the information, the business must notify each person affected “without reasonable delay”.
  • In the case of a breach of personal information in which the business does not own or license the information, the business must notify the owner or licensee “immediately following discovery of the breach”.
  • The notice must include information about the breach, the type of information that was disclosed, acts taken by the business to prevent further unauthorized access and a phone number that the customer can call for assistance.
  • The notice may be written, telephonic or electronic under certain circumstances.
  • If more than 1000 notifications are made the business must also notify the Consumer Potection Division of the state Attorney General’s office.

Additionally, businesses must take the following safeguards regarding the disposal of personal information:

  • Implement policies and procedures to ensure the physical destruction of paper documents that contain personal information.
  • Implement policies and procedures to ensure the physical destruction or permanent erasure of electronic media that contain personal information.
  • Develop an official policy regarding the disposal of personal records.
  • Perform due diligence when contracting with a disposal company to ensure that they take adequate measures to properly destroy paper and/or electronic media containing personal information.

Finally, any business operating in North Carolina may not do any of the following:

  • Intentionally make known or publish to the general public an individual’s SSN.
  • Intentionally print an individual’s SSN on any card required for the individual to access products or services.
  • Require an individual to transmit their SSN over the Internet without a secure, encrypted connection.
  • Require the use of an SSN for authentication to a web site without the use of a password or PIN as well.
  • Print an individual’s SSN on any materials mailed to the individual unless required by state or federal law.
  • Sell, lease, loan, trade or otherwise disclose an individual’s SSN to a third party without written consent from the individual if it is known or should be known that the third party has no legitimate need for the information.

Businesses that violate the North Carolina IPTA can be subjected to lawsuits under North Carolina’s Unfair and Deceptive Trade Practices Act.  This, combined with the cost of notifying customers and potential loss of business due to loss of credibility, should be a wake-up call to take action to ensure your business is in compliance with this law.  Below is a list of recommendations that every North Carolina business handling personal information should undertake in order to ensure compliance:

  • Conduct an internal audit to determine the amount and type of personal information that is collected and stored as part of your business processes.  If this personal information is not required for business purposes, discontinue using it and dispose of it securely.
  • Ensure that personal data necessary for business purposes is stored securely and is only accessible to those who need to access it in order to perform their job duties.  Be sure to include your own employees’ data as this often contains personal information covered by the ITPA.
  • Develop policies and procedures for the secure collection, usage, storage and disposal of personal information.
  • Enact a training program for all employees to ensure that they are aware of the company’s policies and procedures for handling personal data.  A business can be held liable if a non-managerial employee breaks the law and he or she was not properly trained, supervised or monitored.
  • Develop an incidence response plan to address the unauthorized disclosure of personal data.  The plan should include determining the source of breach, corrective actions, mitigation plans and proper notification of those affected.

North Carolina’s ITPA is a positive step to help protect consumers from the very real threat of identity theft.  It requires businesses to take practical steps to safeguard this information and it ensures that consumers will be notified if their personal information is breached so that they can take appropriate action to protect themselves.  As a business owner, it is best to go even further than the requirements of the ITPA.  There are many other controls and safeguards that can and should be implemented to help reduce the likelihood that you may one day have to notify your customers that their personal information was disclosed due to your negligence.

No Responses to “A Business Guide to North Carolina’s Identity Theft Protection Act”


  1. WCPSS Student SSN Disclosure | InfoSecStuff - [...] North Carolina, like most states, has a data breach notification law which I have written about previously.  This law…