North Carolina Identity Theft Protection Act
N.C. Gen. Stat. § 75-60 - § 75-66
NC Gen Stat § 14-113.20, et seq.
NC Gen Stat § 1-539.2C
N.C. Gen. Stat. § 75-60 - § 75-66
Chapter 75 - Monopolies, Trusts and Consumer Protection
Article 2A - Identity Theft Protection Act.
§ 75-60. Title.
§ 75-61. Definitions.
§ 75-62. Social security number protection.
§ 75-63. Security freeze.
§ 75-63.1. Security freeze for protected consumers.
§ 75-64. Destruction of personal information records.
§ 75-65. Protection from security breaches.
§ 75-66. Publication of personal information.
§ 75-60. Title.
This Article shall be known and may be cited as the "Identity Theft Protection Act". (2005-414, s. 1.)
§ 75-61. Definitions.
The following definitions apply in this Article:
(1) "Business". - A sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit. The term includes a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this State, any other state, the United States, or any other country, or the parent or the subsidiary of any such financial institution. Business shall not include any government or governmental subdivision or agency.
(2) "Consumer". - An individual.
(3) "Consumer report" or "credit report". - Any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for any of the following:
a. Credit to be used primarily for personal, family, or household purposes.
b. Employment purposes.
c. Any other purpose authorized under 15 U.S.C. § 168l(b).
(4) "Consumer reporting agency". - Any person who, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.
(5) "Credit card". - Has the same meaning as in section 103 of the Truth in Lending Act (15 U.S.C. § 160, et seq.).
(6) "Debit card". - Any card or device issued by a financial institution to a consumer for use in initiating an electronic fund transfer from the account holding assets of the consumer at such financial institution, for the purpose of transferring money between accounts or obtaining money, property, labor, or services.
(7) "Disposal" includes the following:
a. The discarding or abandonment of records containing personal information.
b. The sale, donation, discarding, or transfer of any medium, including computer equipment or computer media, containing records of personal information, or other nonpaper media upon which records of personal information are stored, or other equipment for nonpaper storage of information.
(8) "Encryption". - The use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key.
(9) "Person". - Any individual, partnership, corporation, trust, estate, cooperative, association, government, or governmental subdivision or agency, or other entity.
(10) "Personal information". - A person's first name or first initial and last name in combination with identifying information as defined in G.S. 14-113.20(b). Personal information does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, including name, address, and telephone number, and does not include information made lawfully available to the general public from federal, state, or local government records.
(11) "Proper identification". - Information generally deemed sufficient to identify a person. If a person is unable to reasonably identify himself or herself with the information described above, a consumer reporting agency may require additional information concerning the consumer's employment and personal or family history in order to verify the consumer's identity.
(11a) "Protected consumer". - An individual (i) who is under the age of 16 at the time a request for the placement of a security freeze is made pursuant to G.S. 75-63.1 or (ii) who is incapacitated or for whom a guardian or guardian ad litem has been appointed.
(11b) "Protected consumer security freeze". - A security freeze placed on a protected consumer's credit report or on a protected consumer's file pursuant to G.S. 75-63.1.
(11c) "Protected consumer's file". - A record that (i) identifies a protected consumer, (ii) is created by a consumer reporting agency solely for the purpose of complying with the requirements of G.S. 75-63.1, and (iii) may not be created or used to consider the protected consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.
(12) "Records". - Any material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics.
(13) "Redaction". - The rendering of data so that it is unreadable or is truncated so that no more than the last four digits of the identification number is accessible as part of the data.
(13a) "Representative". - A person who provides to a consumer reporting agency sufficient proof of authority to act on behalf of a protected consumer.
(14) "Security breach". - An incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key shall constitute a security breach. Good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose is not a security breach, provided that the personal information is not used for a purpose other than a lawful purpose of the business and is not subject to further unauthorized disclosure.
(15) "Security freeze". - Notice placed in a credit report, at the request of the consumer and subject to certain exceptions, that prohibits the consumer reporting agency from releasing all or any part of the consumer's credit report or any information derived from it without the express authorization of the consumer.
(16) "Sufficient proof of authority". - Either of the following:
a. A certified or official copy of the protected consumer's birth certificate, if the representative is a parent of the protected consumer.
b. Documentation that shows that a representative has authority to act on behalf of a protected consumer, including the following:
1. An order issued by a court of law.
2. A valid power of attorney.
3. A written, notarized statement signed by the person that expressly describes the authority of the representative to act on behalf of a protected consumer.
(17) "Sufficient proof of identification". - Information or documentation that identifies a protected consumer or representative, including the following:
a. A Social Security number or a copy of a Social Security card issued by the Social Security Administration.
b. A certified or official copy of a birth certificate issued by the entity authorized to issue the birth certificate.
c. A copy of a drivers license, an identification card issued by the Division of Motor Vehicles, or any other government-issued identification.
d. A copy of a bill, including a bill for telephone, sewer, septic tank, water, electric, oil, or natural gas service, that shows a name and home address. (2005-414, s. 1; 2015-193, s. 1.)
§ 75-62. Social security number protection.
(a) Except as provided in subsection (b) of this section, a business may not do any of the following:
(1) Intentionally communicate or otherwise make available to the general public an individual's social security number.
(2) Intentionally print or imbed an individual's social security number on any card required for the individual to access products or services provided by the person or entity.
(3) Require an individual to transmit his or her social security number over the Internet, unless the connection is secure or the social security number is encrypted.
(4) Require an individual to use his or her social security number to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet Web site.
(5) Print an individual's social security number on any materials that are mailed to the individual, unless state or federal law requires the social security number to be on the document to be mailed.
(6) Sell, lease, loan, trade, rent, or otherwise intentionally disclose an individual's social security number to a third party without written consent to the disclosure from the individual, when the party making the disclosure knows or in the exercise of reasonable diligence would have reason to believe that the third party lacks a legitimate purpose for obtaining the individual's social security number.
(b) Subsection (a) of this section shall not apply in the following instances:
(1) When a social security number is included in an application or in documents related to an enrollment process, or to establish, amend, or terminate an account, contract, or policy; or to confirm the accuracy of the social security number for the purpose of obtaining a credit report pursuant to 15 U.S.C. § 1681(b)(2). A social security number that is permitted to be mailed under this section may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.
(2) To the collection, use, or release of a social security number for internal verification or administrative purposes.
(3) To the opening of an account or the provision of or payment for a product or service authorized by an individual.
(4) To the collection, use, or release of a social security number to investigate or prevent fraud, conduct background checks, conduct social or scientific research, collect a debt, obtain a credit report from or furnish data to a consumer reporting agency pursuant to the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq., undertake a permissible purpose enumerated under Gramm Leach Bliley, 12 C.F.R. § 216.13-15, or locate an individual who is missing, a lost relative, or due a benefit, such as a pension, insurance, or unclaimed property benefit.
(5) To a business acting pursuant to a court order, warrant, subpoena, or when otherwise required by law.
(6) To a business providing the social security number to a federal, state, or local government entity, including a law enforcement agency, court, or their agents or assigns.
(7) To a social security number that has been redacted.
(c) A business covered by this section shall make reasonable efforts to cooperate, through systems testing and other means, to ensure that the requirements of this Article are implemented.
(d) A violation of this section is a violation of G.S. 75-1.1. (2005-414, s. 1.)
§ 75-63. Security freeze.
(a) A consumer may place a security freeze on the consumer's credit report by making a request to a consumer reporting agency in accordance with this subsection. A security freeze shall prohibit, subject to exceptions in subsection (l) of this section, the consumer reporting agency from releasing the consumer's credit report or any information from it without the express authorization of the consumer. When a security freeze is in place, a consumer reporting agency may not release the consumer's credit report or information to a third party without prior express authorization from the consumer. This subsection does not prevent a consumer reporting agency from advising a third party that a security freeze is in effect with respect to the consumer's credit report, provided that the consumer reporting agency does not state or otherwise imply to the third party that the consumer's security freeze reflects a negative credit score, history, report, or rating. A consumer reporting agency shall place a security freeze on a consumer's credit report if the consumer requests a security freeze by any of the following methods:
(1) First-class mail.
(2) Telephone call.
(3) Secure Web site or secure electronic mail connection.
(a1) A nationwide consumer reporting agency, as defined in section 603(p) [15 U.S.C. § 1681a(p)] of the federal Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq., that receives a request from a consumer residing in this State to place a security freeze on the consumer's file, shall provide a notice communicating to the consumer that the freeze is only placed with the consumer reporting agency to which the consumer directed the request. The notice shall provide to the consumer the Web site, postal address, and telephone number of the other nationwide consumer reporting agencies and of the North Carolina Attorney General's Office and shall inform the consumer that he or she may use this information to contact other nationwide consumer reporting agencies to make security freeze requests and obtain information on combating identity theft. No part of the notice to the consumer shall be used to make a solicitation for other goods and services.
(b) A consumer reporting agency shall place a security freeze on a consumer's credit report no later than three business days after receiving a written request from the consumer by mail. A consumer reporting agency that receives such a request electronically or by telephone shall comply with the request within 24 hours of receiving the request.
(c) The consumer reporting agency shall send a written confirmation of the security freeze to the consumer within three business days of placing the freeze and at the same time shall provide the consumer with a unique personal identification number or password, other than the consumer's social security number, to be used by the consumer when providing authorization for the release of the consumer's credit report for a specific period of time, or to a specific party, or for permanently lifting the freeze.
(d) If the consumer wishes to allow the consumer's credit report to be accessed for a specific period of time or by a specific party while a freeze is in place, the consumer shall contact the consumer reporting agency by mail, phone, or electronically, request that the freeze be lifted or lifted with respect to a specific party, and provide all of the following:
(1) Proper identification.
(2) The unique personal identification number or password provided by the consumer reporting agency pursuant to subsection (c) of this section.
(3) The proper information regarding the third party who is authorized to receive the consumer credit report or the time period for which the report shall be available to users of the credit report.
(e) Repealed by Session Laws 2009-355, s. 1, effective October 1, 2009.
(f) A consumer reporting agency that receives a request by mail from a consumer to lift a freeze on a credit report pursuant to subsection (d) of this section shall comply with the request no later than three business days after receiving the request. A consumer reporting agency that receives such a request electronically or by telephone shall comply with the request within 15 minutes of receiving the request.
(g) A consumer reporting agency shall remove, temporarily lift, or lift with respect to a specific third party a freeze placed on a consumer's credit report only in the following cases:
(1) Upon the consumer's request, pursuant to subsections (d) or (j) of this section.
(2) If the consumer's credit report was frozen due to a material misrepresentation of fact by the consumer. If a consumer reporting agency intends to remove a freeze upon a consumer's credit report pursuant to this subdivision, the consumer reporting agency shall notify the consumer in writing prior to removing the freeze on the consumer's credit report.
(g1) A consumer reporting agency need not meet the time requirements provided in this section, only for such time as the occurrences prevent compliance, if any of the following occurrences apply:
(1) The consumer fails to meet the requirements of subsection (d) or (j) of this section.
(2) The consumer reporting agency's ability to remove, place, temporarily lift, or lift with respect to a specific party the security freeze is prevented by any of the following:
a. An act of God, including fire, earthquakes, hurricanes, storms, or similar natural disaster or phenomena.
b. Unauthorized or illegal acts by a third party, including terrorism, sabotage, riot, vandalism, labor strikes or disputes disrupting operations, or similar occurrences.
c. Operational interruption, including electrical failure, unanticipated delay in equipment or replacement part delivery, computer hardware or software failures inhibiting response time, or similar disruption.
d. Governmental action, including emergency orders or regulations, judicial or law enforcement action, or similar directives.
e. Regularly scheduled maintenance, during other than normal business hours, of, or updates to, the consumer reporting agency's systems.
f. Commercially reasonable maintenance of, or repair to, the consumer reporting agency's systems that is unexpected or unscheduled.
g. Receipt of a request outside of normal business hours.
(h) If a third party requests access to a consumer credit report on which a security freeze is in effect and this request is in connection with an application for credit or any other use and the consumer does not allow the consumer's credit report to be accessed for that specific period of time, the third party may treat the application as incomplete.
(i) If a consumer requests a security freeze pursuant to this section, the consumer reporting agency shall disclose to the consumer the process of placing and temporarily lifting a security freeze and the process for allowing access to information from the consumer's credit report for a specific period of time or to a specific third party while the security freeze is in place.
(j) A security freeze shall remain in place until the consumer requests that the security freeze be temporarily lifted for a specific period of time or to a specific third party or removed. A consumer reporting agency shall remove a security freeze within 15 minutes of receiving an electronic request for removal from the consumer or within three business days of receiving a written or telephonic request for removal from the consumer, who provides all of the following:
(1) Proper identification.
(2) The unique personal identification number or password provided by the consumer reporting agency pursuant to subsection (c) of this section.
(k) A consumer reporting agency shall require proper identification of the person making a request to place or remove a security freeze.
(l) The provisions of this section do not apply to the use of a consumer credit report by any of the following:
(1) A person, or the person's subsidiary, affiliate, agent, subcontractor, or assignee with whom the consumer has, or prior to assignment had, an account, contract, or debtor-creditor relationship for the purposes of reviewing the active account or collecting the financial obligation owing for the account, contract, or debt.
(2) A subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted under subsection (d) of this section for purposes of facilitating the extension of credit or other permissible use.
(3) Any person acting pursuant to a court order, warrant, or subpoena.
(4) A state or local agency, or its agents or assigns, which administers a program for establishing and enforcing child support obligations.
(5) A state or local agency, or its agents or assigns, acting to investigate fraud, including Medicaid fraud, or acting to investigate or collect delinquent taxes or assessments, including interest and penalties, unpaid court orders, or to fulfill any of its other statutory responsibilities.
(6) A federal, state, or local governmental entity, including law enforcement agency, court, or their agent or assigns.
(7) A person for the purposes of prescreening as defined by the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq.
(8) Any person for the sole purpose of providing for a credit file monitoring subscription service to which the consumer has subscribed.
(9) A consumer reporting agency for the purpose of providing a consumer with a copy of the consumer's credit report upon the consumer's request.
(10) Any depository financial institution for checking, savings, and investment accounts.
(11) Any property and casualty insurance company for use in setting or adjusting a rate, adjusting a claim, or underwriting for property and casualty insurance purposes.
(12) A person for the purpose of furnishing or using credit reports for employment purposes pursuant to 15 U.S.C. § 1681b(b) or tenant screening pursuant to 15 U.S.C. § 1681b(a)(3)(F).
(13) A person for the purpose of criminal background record information.
(m) If a security freeze is in place, a consumer reporting agency shall not change any of the following official information in a credit report without sending a written confirmation of the change to the consumer within 30 days of the change being posted to the consumer's file: name, date of birth, social security number, and address. Written confirmation is not required for technical modifications of a consumer's official information, including name and street abbreviations, complete spellings, or transposition of numbers or letters. In the case of an address change, the written confirmation shall be sent to both the new address and the former address.
(n) The following persons are not required to place in a credit report a security freeze pursuant to this section provided, however, that any person that is not required to place a security freeze on a credit report under the provisions of subdivision (3) of this subsection shall be subject to any security freeze placed on a credit report by another consumer reporting agency from which it obtains information:
(1) A check services or fraud prevention services company, which reports on incidents of fraud or issues authorizations for the purpose of approving or processing negotiable instruments, electronic fund transfers, or similar methods of payment.
(2) A deposit account information service company, which issues reports regarding account closures due to fraud, substantial overdrafts, ATM abuse, or other similar negative information regarding a consumer to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or financial institution.
(3) A consumer reporting agency that does all of the following:
a. Acts only to resell credit information by assembling and merging information contained in a database of one or more credit reporting agencies.
b. Does not maintain a permanent database of credit information from which new credit reports are produced.
(o) A consumer reporting agency shall not charge a fee to put a security freeze in place, remove a freeze, or lift a freeze pursuant to subsection (d) or (j) of this section, provided that any such request is made electronically. If a request to put a security freeze in place is made by telephone or by mail, a consumer reporting agency may charge a fee to a consumer not to exceed three dollars ($3.00), except that a consumer reporting agency may not charge any fee to a consumer over the age of 62, to a victim of identity theft who has submitted a copy of a valid investigative or incident report or complaint with a law enforcement agency about the unlawful use of the victim's identifying information by another person, or to the victim's spouse. A consumer reporting agency shall not charge an additional fee to a consumer who requests to temporarily lift for a specific period of time or to a specific third party, reinstate, or remove a security freeze. A consumer reporting agency shall not charge a consumer for a onetime reissue of a replacement personal identification number. A consumer reporting agency may charge a fee not to exceed three dollars ($3.00) to provide any subsequent replacement personal identification number.
(o1) Repealed by Session Laws 2015-193, s. 2, effective January 1, 2016.
(p) At any time that a consumer is required to receive a summary of rights required under section 609 of the federal Fair Credit Reporting Act, the following notice shall be included:
"North Carolina Consumers Have the Right to Obtain a Security Freeze.
You have a right to place a "security freeze" on your credit report pursuant to North Carolina law. The security freeze will prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization. A security freeze can be requested in writing by first-class mail, by telephone, or electronically. You also may request a freeze by visiting the following Web site: [URL] or calling the following telephone number: [NUMBER].
The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gains access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding new loans, credit, mortgage, insurance, rental housing, employment, investment, license, cellular phone, utilities, digital signature, Internet credit card transactions, or other services, including an extension of credit at point of sale.
The freeze will be placed within three business days if you request it by mail, or within 24 hours if you request it by telephone or electronically. When you place a security freeze on your credit report, within three business days, you will be sent a personal identification number or a password to use when you want to remove the security freeze, temporarily lift it, or lift it with respect to a particular third party.
A freeze does not apply when you have an existing account relationship and a copy of your report is requested by your existing creditor or its agents or affiliates for certain types of account review, collection, fraud control, or similar activities.
You should plan ahead and lift a freeze if you are actively seeking credit or services as a security freeze may slow your applications, as mentioned above.
You can remove a freeze, temporarily lift a freeze, or lift a freeze with respect to a particular third party by contacting the consumer reporting agency and providing all of the following:
(1) Your personal identification number or password,
(2) Proper identification to verify your identity, and
(3) Proper information regarding the period of time you want your report available to users of the credit report, or the third party with respect to which you want to lift the freeze.
A consumer reporting agency that receives a request from you to temporarily lift a freeze or to lift a freeze with respect to a particular third party on a credit report shall comply with the request no later than three business days after receiving the request by mail and no later than 15 minutes after receiving a request by telephone or electronically. A consumer reporting agency may charge you up to three dollars ($3.00) to institute a freeze if your request is made by telephone or by mail. A consumer reporting agency may not charge you any amount to freeze, remove a freeze, temporarily lift a freeze, or lift a freeze with respect to a particular third party, if any of the following are true:
(1) Your request is made electronically.
(2) You are over the age of 62.
(3) You are the victim of identity theft and have submitted a copy of a valid investigative or incident report or complaint with a law enforcement agency about the unlawful use of your identifying information by another person, or you are the spouse of such a person.
You have a right to bring a civil action against someone who violates your rights under the credit reporting laws. The action can be brought against a consumer reporting agency or a user of your credit report."
(q) A violation of this section is a violation of G.S. 75-1.1. (2005-414, s. 1; 2006-158, s. 1; 2009-355, s. 1; 2009-550, s. 5; 2015-193, s. 2.)
§ 75-63.1. Security freeze for protected consumers.
(a) Obligation to Place Security Freeze. - A consumer reporting agency shall place a protected consumer security freeze on the protected consumer's credit report or on the protected consumer's file in accordance with subsection (b) of this section within 30 days of all of the following conditions being satisfied:
(1) The consumer reporting agency receives a request under this section from the protected consumer's representative for the placement of the protected consumer security freeze by any of the following methods:
a. First-class mail.
b. Telephone call.
c. Secure Web site or secure electronic mail connection.
(2) The protected consumer's representative does all of the following:
a. Submits the request to the consumer reporting agency at the address or other point of contact and in the manner specified by the consumer reporting agency.
b. Provides to the consumer reporting agency sufficient proof of identification for both the protected consumer and the representative.
c. Provides to the consumer reporting agency sufficient proof of authority to act on behalf of the protected consumer.
d. Pays to the consumer reporting agency a fee as provided in subsection (d) of this section.
(b) Action Required. - If the placement of a protected consumer security freeze is required under subsection (a) of this section, a consumer reporting agency shall do one of the following, as applicable:
(1) If no consumer report exists. - If the consumer reporting agency does not have a consumer report pertaining to the protected consumer, the consumer reporting agency shall create a protected consumer's file and place a restriction in the protected consumer's file that prohibits the release of the protected consumer's file, any consumer report subsequently created for the consumer, and any information contained in either document except as provided in this section.
(2) If a consumer report exists. - If the consumer reporting agency has a consumer report pertaining to the protected consumer, the consumer reporting agency shall place a restriction on the report that prohibits the release of the consumer report and any information contained in the report except as provided in this section.
(c) Duration of Freeze. - A protected consumer security freeze shall remain in effect until one of the following occurs, in which case the protected consumer security freeze shall be removed within 30 days:
(1) The protected consumer or the protected consumer's representative requests the consumer reporting agency to remove the protected consumer security freeze by doing all of the following:
a. Submitting a request for the removal of the protected consumer security freeze to the consumer reporting agency at the address or other point of contact and in the manner specified by the consumer reporting agency.
b. If the request is being made by the protected consumer, providing to the consumer reporting agency (i) proof that the sufficient proof of authority for the protected consumer's representative is no longer valid and (ii) sufficient proof of identification for the protected consumer.
c. If the request is being made by the representative of a protected consumer, providing to the consumer reporting agency (i) sufficient proof of identification of the protected consumer and the representative and (ii) sufficient proof of authority to act on behalf of the protected consumer.
d. Providing to the consumer reporting agency a fee as provided in subsection (d) of this section.
(2) The consumer reporting agency determines that the protected consumer security freeze was placed based on a material misrepresentation of fact by the protected consumer or the protected consumer's representative.
(d) Fees. - A consumer reporting agency may charge a reasonable fee for each placement or removal of a protected consumer security freeze in accordance with the following:
(1) Fee allowed in certain cases. - Except as provided in subdivision (2) of this subsection, a consumer reporting agency may charge a fee to a consumer not to exceed five dollars ($5.00) for placement or removal of a protected consumer security freeze.
(2) No fee allowed in certain cases. - A fee may not be charged for the placement or removal of a protected consumer security freeze under this section if any of the following conditions are satisfied:
a. The protected consumer's representative has submitted a copy of a valid investigative or incident report or complaint with a law enforcement agency about the unlawful use of the protected consumer's identifying information by another person.
b. A request for placement or removal of a protected consumer security freeze is for a protected consumer who is under the age of 16 at the time of the request and the consumer reporting agency has a consumer report pertaining to the protected consumer.
c. The protected consumer is over the age of 62.
(3) No other fees allowed. - No fee other than those authorized under this subsection may be charged for placement or removal of a protected consumer security freeze.
(e) Exceptions. - This section does not apply to the use of a consumer credit report by any of the following:
(1) A person or the person's subsidiary, affiliate, agent, subcontractor, or assignee with whom the consumer has, or prior to assignment had, an account, contract, or debtor-creditor relationship for the purposes of reviewing the active account or collecting the financial obligation owing for the account, contract, or debt.
(2) Any person acting pursuant to a court order, warrant, or subpoena.
(3) A State or local agency, or its agents or assigns, that administers a program for establishing and enforcing child support obligations.
(4) A State or local agency, or its agents or assigns, acting to investigate fraud, including Medicaid fraud, or acting to investigate or collect delinquent taxes or assessments, including interest and penalties, unpaid court orders, or to fulfill any of its other statutory responsibilities.
(5) A federal, State, or local governmental entity, including a law enforcement agency, court, or its agent or assigns.
(6) A person for the purposes of prescreening as defined by the Fair Credit Reporting Act, 15 U.S.C. § 1681, et seq.
(7) Any person for the sole purpose of providing for a credit file monitoring subscription service to which the protected consumer has subscribed or the representative of the protected consumer has subscribed on behalf of the protected consumer.
(8) A consumer reporting agency for the purpose of providing a protected consumer or representative of a protected consumer with a copy of the protected consumer's credit report upon the request of the protected consumer or the protected consumer's representative.
(9) Any depository financial institution for checking, savings, and investment accounts.
(10) Any property and casualty insurance company for use in setting or adjusting a rate, adjusting a claim, or underwriting for property and casualty insurance purposes.
(11) A person for the purpose of furnishing or using credit reports for employment purposes pursuant to 15 U.S.C. § 1681b(b) or tenant screening pursuant to 15 U.S.C. § 1681b(a)(3)(F).
(12) A person for the purpose of criminal background record information.
(f) The following persons are not required to place a security freeze on a credit report pursuant to this section; provided, however, that any person that is not required to place a security freeze on a credit report under the provisions of subdivision (3) of this subsection shall be subject to any security freeze placed on a credit report by another consumer reporting agency from which it obtains information:
(1) A check services or fraud prevention services company, which reports on incidents of fraud or issues authorizations for the purpose of approving or processing negotiable instruments, electronic fund transfers, or similar methods of payment.
(2) A deposit account information service company, which issues reports regarding account closures due to fraud, substantial overdrafts, ATM abuse, or other similar negative information regarding a consumer to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or financial institution.
(3) A consumer reporting agency that does all of the following:
a. Acts only to resell credit information by assembling and merging information contained in a database of one or more credit reporting agencies.
b. Does not maintain a permanent database of credit information from which new credit reports are produced.
(4) A consumer reporting agency that maintains a database or file that consists of information used for any of the following purposes but that is not used for credit granting purposes:
a. Reporting of criminal record information.
b. Fraud prevention or detection.
c. Reporting personal loss history information.
d. Employment, tenant, or other individual background screening.
(g) Violation. - A violation of this section is a violation of G.S. 75-1.1. (2015-193, s. 3.)
§ 75-64. Destruction of personal information records.
(a) Any business that conducts business in North Carolina and any business that maintains or otherwise possesses personal information of a resident of North Carolina must take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal.
(b) The reasonable measures must include:
(1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing personal information so that information cannot be practicably read or reconstructed.
(2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed.
(3) Describing procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity.
(c) A business may, after due diligence, enter into a written contract with, and monitor compliance by, another party engaged in the business of record destruction to destroy personal information in a manner consistent with this section. Due diligence should ordinarily include one or more of the following:
(1) Reviewing an independent audit of the disposal business's operations or its compliance with this statute or its equivalent.
(2) Obtaining information about the disposal business from several references or other reliable sources and requiring that the disposal business be certified by a recognized trade association or similar third party with a reputation for high standards of quality review.
(3) Reviewing and evaluating the disposal business's information security policies or procedures or taking other appropriate measures to determine the competency and integrity of the disposal business.
(d) A disposal business that conducts business in North Carolina or disposes of personal information of residents of North Carolina must take all reasonable measures to dispose of records containing personal information by implementing and monitoring compliance with policies and procedures that protect against unauthorized access to or use of personal information during or after the collection and transportation and disposing of such information.
(e) This section does not apply to any of the following:
(1) Any bank or financial institution that is subject to and in compliance with the privacy and security provision of the Gramm Leach Bliley Act, 15 U.S.C. § 6801, et seq., as amended.
(2) Any health insurer or health care facility that is subject to and in compliance with the standards for privacy of individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996.
(3) Any consumer reporting agency that is subject to and in compliance with the Federal Credit Reporting Act, 15 U.S.C. § 1681, et seq., as amended.
(f) A violation of this section is a violation of G.S. 75-1.1, but any damages assessed against a business because of the acts or omissions of its nonmanagerial employees shall not be trebled as provided in G.S. 75-16 unless the business was negligent in the training, supervision, or monitoring of those employees. No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation. (2005-414, s. 1.)
§ 75-65. Protection from security breaches.
(a) Any business that owns or licenses personal information of residents of North Carolina or any business that conducts business in North Carolina that owns or licenses personal information in any form (whether computerized, paper, or otherwise) shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. The disclosure notification shall be made without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of this section, and consistent with any measures necessary to determine sufficient contact information, determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. For the purposes of this section, personal information shall not include electronic identification numbers, electronic mail names or addresses, Internet account numbers, Internet identification names, parent's legal surname prior to marriage, or a password unless this information would permit access to a person's financial account or resources.
(b) Any business that maintains or possesses records or data containing personal information of residents of North Carolina that the business does not own or license, or any business that conducts business in North Carolina that maintains or possesses records or data containing personal information that the business does not own or license shall notify the owner or licensee of the information of any security breach immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in subsection (c) of this section.
(c) The notice required by this section shall be delayed if a law enforcement agency informs the business that notification may impede a criminal investigation or jeopardize national or homeland security, provided that such request is made in writing or the business documents such request contemporaneously in writing, including the name of the law enforcement officer making the request and the officer's law enforcement agency engaged in the investigation. The notice required by this section shall be provided without unreasonable delay after the law enforcement agency communicates to the business its determination that notice will no longer impede the investigation or jeopardize national or homeland security.
(d) The notice shall be clear and conspicuous. The notice shall include all of the following:
(1) A description of the incident in general terms.
(2) A description of the type of personal information that was subject to the unauthorized access and acquisition.
(3) A description of the general acts of the business to protect the personal information from further unauthorized access.
(4) A telephone number for the business that the person may call for further information and assistance, if one exists.
(5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
(6) The toll-free numbers and addresses for the major consumer reporting agencies.
(7) The toll-free numbers, addresses, and Web site addresses for the Federal Trade Commission and the North Carolina Attorney General's Office, along with a statement that the individual can obtain information from these sources about preventing identity theft.
(e) For purposes of this section, notice to affected persons may be provided by one of the following methods:
(1) Written notice.
(2) Electronic notice, for those persons for whom it has a valid e-mail address and who have agreed to receive communications electronically if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing set forth in 15 U.S.C. § 7001.
(3) Telephonic notice provided that contact is made directly with the affected persons.
(4) Substitute notice, if the business demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000) or that the affected class of subject persons to be notified exceeds 500,000, or if the business does not have sufficient contact information or consent to satisfy subdivisions (1), (2), or (3) of this subsection, for only those affected persons without sufficient contact information or consent, or if the business is unable to identify particular affected persons, for only those unidentifiable affected persons. Substitute notice shall consist of all the following:
a. E-mail notice when the business has an electronic mail address for the subject persons.
b. Conspicuous posting of the notice on the Web site page of the business, if one is maintained.
c. Notification to major statewide media.
(e1) In the event a business provides notice to an affected person pursuant to this section, the business shall notify without unreasonable delay the Consumer Protection Division of the Attorney General's Office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice.
(f) In the event a business provides notice to more than 1,000 persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Attorney General's Office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice.
(g) Any waiver of the provisions of this Article is contrary to public policy and is void and unenforceable.
(h) A financial institution that is subject to and in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, issued on March 7, 2005, by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision; or a credit union that is subject to and in compliance with the Final Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice, issued on April 14, 2005, by the National Credit Union Administration; and any revisions, additions, or substitutions relating to any of the said interagency guidance, shall be deemed to be in compliance with this section.
(i) A violation of this section is a violation of G.S. 75-1.1. No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation.
(j) Causes of action arising under this Article may not be assigned. (2005-414, s. 1; 2009-355, s. 2; 2009-573, s. 10.)
§ 75-66. Publication of personal information.
(a) It shall be a violation of this section for any person to knowingly broadcast or publish to the public on radio, television, cable television, in a writing of any kind, or on the Internet, the personal information of another with actual knowledge that the person whose personal information is disclosed has previously objected to any such disclosure.
(b) As used in this section, "person" means any individual, partnership, corporation, trust, estate, cooperative, association, or other entity, but does not include any:
(1) Government, government subdivision or agency.
(2) Entity subject to federal requirements pursuant to the Health Insurance Portability and Accountability Act (HIPAA).
(c) As used in this section, the phrase "personal information" includes a person's first name or first initial and last name in combination with any of the following information:
(1) Social security or employer taxpayer identification numbers.
(2) Drivers license, State identification card, or passport numbers.
(3) Checking account numbers.
(4) Savings account numbers.
(5) Credit card numbers.
(6) Debit card numbers.
(7) Personal Identification (PIN) Code as defined in G.S. 14-113.8(6).
(8) Digital signatures.
(9) Any other numbers or information that can be used to access a person's financial resources.
(10) Biometric data.
(11) Fingerprints.
(12) Passwords.
(d) Nothing in this section shall:
(1) Limit the requirements or obligations under any other section of this Article, including, but not limited to, G.S. 75-62 and G.S. 75-65.
(2) Apply to the collection, use, or release of personal information for a purpose permitted, authorized, or required by any federal, State, or local law, regulation, or ordinance.
(3) Apply to data integration efforts to implement the State's business intelligence strategy as provided by law or under contract.
(e) Any person whose property or person is injured by reason of a violation of this section may sue for civil damages pursuant to the provisions of G.S. 1-539.2C. (2007-534, s. 2; 2012-142, s. 6A.7A(h).)
§ 75-67. Reserved for future codification purposes.
§ 75-68. Reserved for future codification purposes.
§ 75-69. Reserved for future codification purposes.
§ 75-70. Reserved for future codification purposes.
§ 75-71. Reserved for future codification purposes.
§ 75-72. Reserved for future codification purposes.
§ 75-73. Reserved for future codification purposes.
§ 75-74. Reserved for future codification purposes.
§ 75-75. Reserved for future codification purposes.
§ 75-76. Reserved for future codification purposes.
§ 75-77. Reserved for future codification purposes.
§ 75-78. Reserved for future codification purposes.
§ 75-79. Reserved for future codification purposes.
Identity Theft Protection Act (North Carolina General Statutes Sec. 75-60 through 75-65, added by laws of 2005, Chapter 414, approved September 21, 2005, effective October 1, 2005. Amended by Laws of 2006, Chapter 158, approved and effective July 23, 2006; Laws of 2009, Session Law 355, approved July 27, 2009, effective October 1, 2009; and Laws of 2009, Session Law 550, approved August 28, 2009, effective October 1, 2009.)
NC Gen Stat § 14-113.20
Chapter 14 - Criminal Law
Article 19C - Identity Theft.
§ 14-113.20. Identity theft.
§ 14-113.20A. Trafficking in stolen identities.
§ 14-113.21. Venue of offenses.
§ 14-113.21A. Investigation of offenses.
§ 14-113.22. Punishment and liability.
§ 14-113.23. Authority of the Attorney General.
§ 14-113.24. Credit, charge, or debit card numbers on receipts.
§ 14-113.25. Sale of certain cash registers and other receipt printing machines.
§ 14-113.20. Identity theft.
(a) A person who knowingly obtains, possesses, or uses identifying information of another person, living or dead, with the intent to fraudulently represent that the person is the other person for the purposes of making financial or credit transactions in the other person's name, to obtain anything of value, benefit, or advantage, or for the purpose of avoiding legal consequences is guilty of a felony punishable as provided in G.S. 14-113.22(a).
(b) The term "identifying information" as used in this Article includes the following:
(1) Social security or employer taxpayer identification numbers.
(2) Drivers license, State identification card, or passport numbers.
(3) Checking account numbers.
(4) Savings account numbers.
(5) Credit card numbers.
(6) Debit card numbers.
(7) Personal Identification (PIN) Code as defined in G.S. 14-113.8(6).
(8) Electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names.
(9) Digital signatures.
(10) Any other numbers or information that can be used to access a person's financial resources.
(11) Biometric data.
(12) Fingerprints.
(13) Passwords.
(14) Parent's legal surname prior to marriage.
(c) It shall not be a violation under this Article for a person to do any of the following:
(1) Lawfully obtain credit information in the course of a bona fide consumer or commercial transaction.
(2) Lawfully exercise, in good faith, a security interest or a right of offset by a creditor or financial institution.
(3) Lawfully comply, in good faith, with any warrant, court order, levy, garnishment, attachment, or other judicial or administrative order, decree, or directive, when any party is required to do so. (1999-449, s. 1; 2000-140, s. 37; 2002-175, s. 4; 2005-414, s. 6.)
§ 14-113.20A. Trafficking in stolen identities.
(a) It is unlawful for a person to sell, transfer, or purchase the identifying information of another person with the intent to commit identity theft, or to assist another person in committing identity theft, as set forth in G.S. 14-113.20.
(b) A violation of this section is a felony punishable as provided in G.S. 14-113.22(a1). (2002-175, s. 5; 2005-414, s. 7(2).)
§ 14-113.21. Venue of offenses.
In any criminal proceeding brought under G.S. 14-113.20, the crime is considered to be committed in the county where the victim resides, where the perpetrator resides, where any part of the identity theft took place, or in any other county instrumental to the completion of the offense, regardless of whether the defendant was ever actually present in that county. (1999-449, s. 1; 2005-414, ss. 2, 7.)
§ 14-113.21A. Investigation of offenses.
(a) A person who has learned or reasonably suspects that the person has been the victim of identity theft may contact the local law enforcement agency that has jurisdiction over the person's actual residence. Notwithstanding the fact that jurisdiction may lie elsewhere for investigation and prosecution of a crime of identity theft, the local law enforcement agency may take the complaint, issue an incident report, and provide the complainant with a copy of the report and may refer the report to a law enforcement agency in that different jurisdiction.
(b) Nothing in this section interferes with the discretion of a local law enforcement agency to allocate resources for investigations of crimes. A complaint filed or report issued under this section is not required to be counted as an open case for purposes of compiling open case statistics. (2005-414, s. 3.)
§ 14-113.22. Punishment and liability.
(a) A violation of G.S.14-113.20(a) is punishable as a Class G felony, except it is punishable as a Class F felony if: (i) the victim suffers arrest, detention, or conviction as a proximate result of the offense, or (ii) the person is in possession of the identifying information pertaining to three or more separate persons.
(a1) A violation of G.S. 14-113.20A is punishable as a Class E felony.
(a2) The court may order a person convicted under G.S. 14-113.20 or G.S. 14-113.20A to pay restitution pursuant to Article 81C of Chapter 15A of the General Statutes for financial loss caused by the violation to any person. Financial loss included under this subsection may include, in addition to actual losses, lost wages, attorneys' fees, and other costs incurred by the victim in correcting his or her credit history or credit rating, or in connection with any criminal, civil, or administrative proceeding brought against the victim resulting from the misappropriation of the victim's identifying information.
(b) Notwithstanding subsection (a), (a1), or (a2) of this section, any person who commits an act made unlawful by G.S. 14-113.20 or G.S. 14-113.20A may also be liable for damages under G.S. 1-539.2C.
(c) In any case in which a person obtains identifying information of another person in violation of this Article, uses that information to commit a crime in addition to a violation of this Article, and is convicted of that additional crime, the court records shall reflect that the person whose identity was falsely used to commit the crime did not commit the crime. (1999-449, s. 1; 2002-175, ss. 6, 7; 2003-206, s. 3.)
§ 14-113.23. Authority of the Attorney General.
The Attorney General may investigate any complaint regarding identity theft under this Article. In conducting these investigations, the Attorney General has all the investigative powers available to the Attorney General under Article 1 of Chapter 75 of the General Statutes. The Attorney General shall refer all cases of identity theft under G.S. 14-113.20 to the district attorney in the county where the crime was deemed committed in accordance with G.S. 14-113.21. (1999-449, s. 1; 2005-414, s. 7(2).)
§ 14-113.24. Credit, charge, or debit card numbers on receipts.
(a) For purposes of this section, the word "person" means the person that owns or leases the cash register or other machine or device that electronically prints receipts of credit, charge, or debit card transactions.
(b) Except as provided in this section, no person that accepts credit, charge, or debit cards for the transaction of business shall print more than five digits of the credit, charge, or debit card account number or the expiration date upon any receipt with the intent to provide the receipt to the cardholder at the point of sale. This section applies to a person who employs a cash register or other machine or device that electronically prints receipts for credit, charge, or debit card transactions. This section does not apply to a person whose sole means of recording a credit, charge, or debit card number for the transaction of business is by handwriting or by an imprint or copy of the credit, charge, or debit card.
(c) A person who violates this section commits an infraction as defined in G.S. 14-3.1 and is subject to a penalty of up to five hundred dollars ($500.00) per violation, not to exceed five hundred dollars ($500.00) in any calendar month or two thousand dollars ($2,000) in any calendar year. A person who receives a citation for violation of this section is not subject to the penalty provided in this subsection if the person establishes in court that the person came into compliance with this section within 30 days of the issuance of the citation and the person has remained in compliance with this section. (2003-206, s. 1; 2003-206, s. 2.)
§ 14-113.25. Sale of certain cash registers and other receipt printing machines.
(a) No person shall sell or offer to sell a cash register or other machine or device that electronically prints receipts of credit, charge, or debit card transactions that cannot be programmed or operated to produce a receipt with five or fewer digits of the credit, charge, or debit card account number and no expiration date printed on the receipt. This subsection applies to cash registers or other machines or devices sold or offered for sale for use in the ordinary course of business in this State.
(b) A person who violates this section commits an infraction as defined in G.S. 14-3.1 and is subject to a penalty of up to five hundred dollars ($500.00) per violation. For purposes of assessing penalties pursuant to this subsection, the sale or offer for sale of each individual cash register or other machine or device that electronically prints receipts of credit, charge, or debit card transactions in violation of this section is treated as a separate violation. (2003-206, s. 1.)
§ 14-113.26. Reserved for future codification purposes.
§ 14-113.27. Reserved for future codification purposes.
§ 14-113.28. Reserved for future codification purposes.
§ 14-113.29. Reserved for future codification purposes.
NC Gen Stat § 1-539.2C
Chapter 1 - Civil Procedure
Article 43 - Nuisance and Other Wrongs.
§ 1-539.2C. Damages for identity theft.
(a) Any person whose property or person is injured by reason of an act made unlawful by Article 19C of Chapter 14 of the General Statutes, or a violation of G.S. 75-66, may sue for civil damages. For each unlawful act, or each violation of G.S. 75-66, damages may be
(1) In an amount of up to five thousand dollars ($5,000), but no less than five hundred dollars ($500.00), or
(2) Three times the amount of actual damages,
whichever amount is greater. A person seeking damages as set forth in this section may also institute a civil action to enjoin and restrain future acts that would constitute a violation of this section. The court, in an action brought under this section, may award reasonable attorneys' fees to the prevailing party.
(b) If the identifying information of a deceased person is used in a manner made unlawful by Article 19C of Chapter 14 of the General Statutes, or by a violation of G.S. 75-66, the deceased person's estate shall have the right to recover damages pursuant to subsection (a) of this section.
(c) The venue for any civil action brought under this section shall be the county in which the plaintiff resides or any county in which any part of the alleged violation of G.S. 75-66, G.S. 14-113.20 or G.S. 14-113.20A took place, regardless of whether the defendant was ever actually present in that county. Civil actions under this section must be brought within three years from the date on which the identity of the wrongdoer was discovered or reasonably should have been discovered.
(d) Civil action under this section does not depend on whether or not a criminal prosecution has been or will be instituted under Article 19C of Chapter 14 of the General Statutes for the acts which are the subject of the civil action. The rights and remedies provided by this section are in addition to any other rights and remedies provided by law. (2002-175, s. 8; 2005-414, s. 9; 2007-534, s. 3.)
For more information, see here: https://ncleg.gov/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_75/Article_2A.html
AND
https://ncleg.gov/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_14/Article_19C.html
AND
AND
https://ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_1/GS_1-539.2C.html
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.