Keeping customers’ confidential information private is critical to fighting identity theft. Unfortunately, the Department of Justice continues to get reports of businesses simply dumping or abandoning boxes of employees’ or customers’ personal data. Such records are deposited into dumpsters when a business moves, closes, or just reorganizes its files.  The problem drew public attention when employees of a mortgage lender were observed depositing loan application files into a dumpster outside the lender’s branch office in Charlotte.  Reporters from the TV station then retrieved some of the files and called customers of the lender and interviewed them on air, giving the company some really bad publicity.

Throwing information containing personal data in the trash is not only bad business; it is also illegal under North Carolina’s Identity Theft Protection Act of 2005. That law requires businesses that operate in North Carolina or possess personal information of North Carolina residents to protect that information from unauthorized access or use. Even outdated records containing personal and financial information must be disposed of properly.

A business could be subject to civil penalties of as much as $5,000 per violation, if the Attorney General’s office pursues the matter under the provisions of Chapter 75 of the North Carolina General Statutes.  If the business also happens to be a mortgage broker or mortgage lender licensed by the Office of the Commissioner of Banks (OCOB), each violation could result in a fine of $10,000 per violation under the Mortgage Lending Act. Each piece of private information can be considered a separate violation. So loss of one computer disk or one page of a spreadsheet can contain numerous violations.  Violations occur when files are dumped in dumpsters, but may also occur if a business donates a computer which holds credit card numbers or Social Security numbers on the hard drive.

Information is considered personal when it includes: An individual’s Social Security number, employer Taxpayer Identification number, driver’s license or state identification number, passport number, financial information such as a checking, savings, credit card or debit card number, personal identification number (PIN), digital signature, biometric data, fingerprints, or any number that can be used to access financial resources. 

Businesses must burn, pulverize or shred papers that contain personal information rather than simply throwing the papers away. Electronic records and other non-paper records that contain personal information must be physically destroyed or erased.

Businesses can hire a document destruction company to do much of this work for them. However, the law requires due diligence before entering into a contract with a destruction company, which includes doing one or more of the following:

(1)   Reviewing an outside audit of the company’s operations or compliance with the Identity Theft Protection Act;

(2)   Checking the company’s references or using reliable sources and confirming that the company is certified by a recognized trade association; or

(3)   Reviewing the company’s own security policies or determining the company’s competency and integrity by other means.

For more information about the requirements of the document destruction provision, see N. C. Gen. Stat. § 75-64.  For general information on identity theft, go to www. noscamnc.gov.

G.S. sec. 53-243.13 provides that:

Every licensee shall make and keep the accounts, correspondence, memoranda, papers, books, and other records as prescribed in rules adopted by the Commissioner. All records shall be preserved for three years unless the Commissioner, by rule, prescribes otherwise for particular types of records.

Moreover, the North Carolina Administrative Code, 04 NCAC 03M .0502, provides that such records “shall be secured against unauthorized access and damage in an accessible location within the State of North Carolina.” 

Identity Theft Protection Act

North Carolina’s Identity Theft Protection Act (codified at G.S. 75-60 et seq.) has taken these document retention and destruction requirements several steps further, requiring that:

(a)   Any business that… maintains or otherwise possesses personal information of a resident of North Carolina must take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal.

(b)   The reasonable measures must include:

(1)   Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing personal information so that information cannot be practicably read or reconstructed.

(2)   Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other non-paper media containing personal information so that the information cannot practicably be read or reconstructed.

(3)   Describing procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity.

(c)  A business may, after due diligence, enter into a written contract with, and monitor compliance by, another party engaged in the business of record destruction to destroy personal information in a manner consistent with this section…

(e)       This section does not apply to… [a]ny bank or financial institution that is subject to and in compliance with the privacy and security provision of the Gramm Leach Bliley Act, 15 U.S.C. § 6801, et seq., as amended...

Furthermore, in the wake of a known security breach, any business regulated by the Identity Theft Protection Act must give the affected parties notice, as set forth under G.S. §75-65.  A violation of the Identity Theft Protection Act is declared an unfair trade practice under G.S. § 75-1.1.