Matthew Lewis, Attorney at Law
Each day, your business likely handles, transmits, and stores a wide range of sensitive personal information (“PI”) belonging to third parties. This sensitive PI may come in the form of credit card numbers or debit card numbers from your customers. Or it may come in the form of social security numbers or direct deposit bank account information from your employees.
No matter the source though, if your business operates in North Carolina, or if your business possesses PI belonging to North Carolina residents, then your business is likely subject to, and legally obligated to comply with, the North Carolina Identity Theft Protection Act (the “ITPA”). If your business fails to comply with the legal obligations of the ITPA, you may find your business facing stiff civil fines and costly lawsuits.
So, what is the ITPA and who does it apply to? What kind of information does it regulate and what does it require of your business? And, just as importantly, what penalties might your business face if it fails to comply with the ITPA’s requirements?
Let’s take a closer look at some of these questions.
What is the ITPA?
To begin with, the ITPA regulates and places limitations on how your business may use, disclose, and dispose of certain forms of third-party PI. The ITPA also lays out very specific notification requirements that your business must comply with if PI in its possession is affected by a data breach.
Does the ITPA apply to your business?
The ITPA applies to all businesses operating in North Carolina, whether for-profit or non-profit, and regardless of entity type. The ITPA also applies to businesses operating outside of North Carolina, if those businesses are in possession of PI belonging to North Carolina residents. There are a small number of exemptions that apply to businesses operating in certain industries or sectors (primarily ones governed by more comprehensive federal regulatory frameworks). However, if your business operates in North Carolina and does not fall into one of the specifically exempted sub-groups, your business is very likely obligated to comply with the ITPA.
What kinds of information are covered by the ITPA?
The ITPA applies to “personal information,” which it statutorily defines as including “[a] person’s first name or first initial and last name in combination with [any of the following] identifying information”:
- Social security or employer taxpayer identification numbers.
- Drivers license, State identification card, or passport numbers.
- Checking account numbers.
- Savings account numbers.
- Credit card numbers.
- Debit card numbers.
- Personal Identification (PIN) Code as defined in G.S. 14-113.8(6).
- Electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names.
- Digital signatures.
- Any other numbers or information that can be used to access a person’s financial resources.
- Biometric data.
- Parent’s legal surname prior to marriage.
Because of the breadth of information that is potentially subject to ITPA oversight, if you operate a North Carolina business, it is important to determine whether your business is handling, storing, or otherwise in possession of ITPA-covered PI. If it is, you need to ensure your business is taking appropriate steps to manage that PI in compliance with the ITPA.
What are your business’s legal obligations under the ITPA?
The ITPA includes multiple sections and subsections, each applying to a different aspect of PI use and/or PI security obligations. Some sections only apply to certain forms of PI. Others only apply to certain industries or economic actors. However, despite the variation, there are certain sections of the ITPA that apply to a broad majority of businesses, leaving a good chance it will apply to your business.
For example, § 75-62 of the ITPA applies almost universally to all North Carolina businesses and places a wide range of restrictions on how businesses may use, transmit, or disclose third-party social security numbers in their possession. It also requires businesses to “make reasonable efforts to cooperate, through systems testing and other means, to ensure that the requirements of [the ITPA] are implemented.”
Some sections of the ITPA require businesses to develop specific information security-related policies and then abide by and monitor compliance with those policies. For example, § 75-64 of the ITPA requires most North Carolina businesses to “take reasonable measures to protect against unauthorized access to or use of [personal information] in connection with or after its disposal.” These “reasonable measures” must include:
- “Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing personal information so that information cannot be practicably read or reconstructed.”
- “Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed.” and
- “Describing procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity.”
If your business does not have these policies and procedures in place, or does not monitor compliance, your business may already be in violation of the ITPA.
Another major obligation imposed on many businesses by the ITPA comes from § 75-65, which requires a business to notify third parties “of any security breach [affecting their personal data] immediately following discovery of the breach.” The ITPA defines a “security breach” as either “[a]n incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information…that creates a material risk of harm to a consumer” or “[a]n incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key [for decryption].” § 75-65 goes on to lay out the requirements for notification following such a security breach, including the parties who must be notified, required contents of the notification, how the notification may be delivered, and specific circumstances that may trigger additional notification requirements related to State agencies.
As is likely clear by now, the legal obligations created by the ITPA are numerous, multifaceted, and often require that specific actions be taken by a business to come into and remain in compliance.
What are the potential penalties for non-compliance with the ITPA?
A violation of the ITPA is considered a violation of NCGS § 75-1.1, which governs unfair and deceptive trade practices in North Carolina. Accordingly, if your business fails to comply with its legal obligations under the ITPA, it may be civilly fined by the State of North Carolina at a rate of $5,000 per violation. Additionally, the ITPA creates a private cause of action for private parties harmed by a business’s non-compliance with the ITPA. If such a private party sues a non-complying business and prevails, the private party will be statutorily entitled to have their monetary damages tripled. Further, the court also possesses the authority to order the non-complying business to pay all of the private party’s reasonable attorney’s fees incurred in bringing the lawsuit. As a result of the tripled damages and ability to award attorney’s fees, the financial liabilities and costs of these lawsuits for a business can quickly add up.
Does your business have information security-related legal obligations beyond the ITPA?
Information security and data breach laws are currently composed of a constantly shifting patchwork of federal and state laws and regulations. If your business operates in multiple states, then it is likely subject to multiple state-level information security legal and regulatory frameworks, each of which must be complied with, in addition to complying with applicable federal laws and regulations. For businesses that operate on a multinational level, foreign laws and international treaties may also affect a business’ legal obligations and liabilities.
An additional, sometimes overlooked, source of information security obligations can be found in contracts. For example, your business may have purchased one or more insurance policies that cover certain information security and data breach events. However, many of these policies will require your business to engage in certain actions or practices both before and after a breach event. Failure by your business to be aware of and conform to these required actions or practices could lead to non-coverage when a breach event does occur.
Because your business’ information security legal obligations can come from so many differing sources, sometimes simply determining which laws, regulations, and contractual terms apply to your business can be one of the most challenging aspects of ensuring your business is complying with its legal obligations. However, ignoring these obligations is not an option. In fact, ignoring these obligations is one of the quickest ways to eventually find your business confronted with complex and expensive legal problems.
What can your business do to protect itself from liability?
The first thing your business needs to do is commit itself to expending the time, energy, and resources necessary to better understand its legal obligations under the ITPA and other information security laws and regulations. Once that understanding is developed, a similar commitment needs to be made to bringing your business into compliance with its legal obligations. Because, at the end of the day, the sorts of actions and behaviors required of a business to comply with the ITPA, and other similar information security laws, are unlikely to occur organically or by accident. Instead, most of these actions and behaviors will only occur if a business engages in intentional, goal-directed decision making, policy enactment, employee training, and ongoing monitoring.
To help guide you through this process, your business will likely need the assistance of outside experts. First, your business will likely need to work with legal counsel that is well-versed in the legal landscape of privacy and information security laws. Such legal counsel can help ensure your business understands its legal obligations, how to come into compliance with those obligations, and how best to plan for future information security breach incidents, when and if they occur. Additionally, working with information security professionals in the IT sector can help ensure that your business is implementing and adhering to current industry standards and best practices.
If your business needs guidance in understanding and complying with the ITPA, or other related information security legal obligations, Brinkley Walser Stoner, PLLC, is here to assist you. Call today to schedule your consultation and let us help your business navigate the many complexities of present-day information security laws and regulations.