What Employers Need to Know about the North Carolina Identity Theft Protection Act


Practice Areas

Robinson Bradshaw Publication
June 2009

The North Carolina Identity Theft Protection Act requires businesses to guard the personal information of their customers and clients. Because personnel files likely contain identifying personal information, the ITPA also governs the maintenance and destruction of employee records. This article outlines the steps employers should take to ensure that their treatment of employee records complies with the ITPA.

Protecting social security numbers and “personal information”

Personnel records likely contain employees’ social security numbers, and the ITPA demands that employers treat them with care.

In addition to social security numbers, the ITPA protects against the publication of “personal information.” The act defines “personal information” as the combination of a person’s name with, among other things, that person’s drivers license number, digital signature, biometric data, or fingerprints. If you publish or broadcast any information about your employees, it is important to be sure that the information you disclose does not violate the ITPA.

Destroying personnel records

The obligation to protect personal information extends to taking reasonable measures to guard against unauthorized access to or use of that information after its disposal. These measures include the destruction of employee records (whether in paper or electronic form) such that personal information cannot be read or reconstructed. In addition, employers must maintain “as official policy in the writings of the business entity” a description of their policies and procedures relating to the proper disposal of personnel records in compliance with the ITPA.

The ITPA does authorize businesses to enter into contracts with document destruction specialists, but only “after due diligence.” This due diligence must include one or more of the following actions:

Dealing with security breaches

In addition to the general requirement that businesses make reasonable efforts to protect against a security breach, the ITPA requires businesses to take affirmative steps to notify employees whose personal information is at risk. Specifically, “immediately following the discovery of the breach,” an employer must give employees a “clear and conspicuous” notice containing the following information:

Consequences of noncompliance

The costs of violating the ITPA may be significant. For example, an employer could face a civil action in which damages will be tripled. In addition, the court may award a successful plaintiff its attorney’s fees. The attorney general also is empowered to institute a suit against a violating party, and the court may impose a civil penalty of $5,000 for each violation of the ITPA.

What steps should employers take to ensure compliance?

The threat of identity theft means we must be increasingly careful in the ways we use information about ourselves and others. Both individuals and business have a role to play in ensuring that personal information remains confidential. The requirements that the ITPA imposes on businesses are common to an array of state statutory schemes designed to protect citizens from identity theft. Because North Carolina’s ITPA has counterparts in other states, multistate employers must be mindful of the demands imposed by the laws of other states where they operate.

Related Materials:

Main Menu