The N.C. Identity Theft Protection Act in the Age of Phishing



Practice Areas

Gregory L. Skidmore and Devon C. Sherrell
Robinson Bradshaw Publication
July 7, 2017

Phishing and ransomware attacks on businesses and enterprises remain on the rise. In this environment, businesses need to understand how the North Carolina Identity Theft Protection Act impacts the requirements and obligations of employers to protect their employees’ and clients’ personal information in electronic files. The ITPA (N.C.G.S.A. § 75-60, et seq.) requires businesses to take active steps in safeguarding this information and to maintain and destroy employee records in secure and effective ways.

Common Types of Phishing Scams and Ransomware Attacks and How They Impact Employees’ Personal Information

Cybercriminals have begun targeting human resources departments by infecting computers with ransomware through phishing scams. Some of the most popular methods of phishing include:

Relation Between Ransomware/Phishing Scams and North Carolina Law

The ITPA requires that businesses treat human resources files, like personnel records, with particular care because they typically contain an employee’s social security number and other personal information. Such information could include the employee’s name matched with his or her driver’s license number, bank account and credit card numbers, digital signatures and passwords, biometric data and fingerprints, and familial information like a parent’s legal surname prior to marriage. The ITPA requires that businesses take reasonable measures to protect against unauthorized access to or use of this personal information.

Because phishing scams and ransomware infections give cybercriminals unauthorized access to personnel files, it is important for businesses to take active steps in improving cybersecurity and reducing the business’s exposure to phishing and ransomware risks to avoid violating the ITPA.

How to Protect Files from Phishing Scams and Ransomware Attacks

Employers should tale a variety of steps to protect themselves – and their employees – from both the effects of these types of scams and the potential legal repercussions under the ITPA. Examples of such steps include:   

What to do if You Have Been Subjected to a Phishing or Ransomware Attack

The ITPA requires that businesses notify affected persons of a security breach following discovery of the breach. This notification must occur “without reasonable delay” and must include:

For more information regarding the ITPA or how to respond to issues arising from phishing or ransomware attacks, please contact a member of Robinson Bradshaw’s Employment and Labor Practice Group.

This article was prepared with the assistance of Devon Sherrell, a rising 2L at Emory University School of Law.

[1] See David Bisson, 6 Common Phishing Attacks and How to Protect Against Them, Tripwire: The State of Security (June 5, 2016),

[2] See Hackers Are Preying on Human Resources Departments, Arctic Wolf (July 6, 2016),

[3] Bisson, supra note 1.

[4] Arctic Wolf, supra note 2.

[5] Bisson, supra note 1.

[6] Ransomware, Microsoft: Malware Protection Center, (last visited May 19, 2017).

[7] Microsoft, supra note 6.

Main Menu