NC Identity Theft Act: Detailed Summary

Unless otherwise noted, the following requirements have been effective since December 1, 2005.

  1. Collect SSNs and other identifying information only for legitimate purposes or when required by law
  2. Minimize the instances in which this information is disseminated either internally and externally
  3. Do not collect a social security number from an individual unless authorized by law to do so or unless the collection of the social security number is otherwise imperative for the performance of that agency’s duties and responsibilities.
  4. Social security numbers collected by an agency must be relevant to the purpose for which collected and shall not be collected until and unless the need for social security numbers has been clearly documented.
  5. Segregate that number (SSN) on a separate page from the rest of the record, or as otherwise appropriate, in order that the social security number can be more easily redacted pursuant to a valid public records request
  6. Electronic email messages should transmit SSNs in attached files that are password protected/encrypted and can be easily separated from primary communication messages.
  7. When collecting a social security number provide, at the time of or prior to upon request, a statement of the purpose or purposes for which the social security number is being collected and used.
  8. Do not use the social security number for any purpose other than the purpose stated.
  9. Do not intentionally communicate or otherwise make available to the general public a person’s social security number or other identifying information. “Identifying information,” as used in this subdivision, shall have the same meaning as in G.S. 14-113.20(b), except it shall not include electronic identification numbers, electronic mail names or addresses, Internet account numbers, Internet identification names, parent’s legal surname prior to marriage, or drivers license numbers appearing on law enforcement records.
  10. Do not intentionally print or embed an individual’s social security number on any card required for the individual to access government services. [Effective 7/1/07]
  11. Do not require an individual to transmit the individual’s social security number over the Internet, unless the connection is secure or the social security number is encrypted. [Effective 7/1/07]
  12. Do not require an individual to use the individual’s social security number to access an Internet website, unless a password or unique personal identification number or other authentication device is also required to access the Internet website. [Effective 7/1/07]
  13. Do not print an individual’s social security number on any materials that are mailed to the individual, unless state or federal law requires that the social security number be on the document to be mailed. A social security number that is permitted to be mailed under this subdivision may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened. [Effective 7/1/07]
  14. Agencies of the State shall evaluate and report annually by January 1 to the General Assembly about the agency’s efforts to reduce the dissemination of personal identifying information. The evaluation shall include:
  15. review of public forms
  16. use of random personal identification numbers
  17. restriction of access to personal identifying information
  18. reduction of use of personal identifying information when it is not necessary
  19. Special attention shall be given to the use, collection, and dissemination of social security numbers. If the collection of a social security number is found to be unwarranted, the State agency shall immediately discontinue the collection of social security numbers for that purpose.”
  20. Identifying information includes:
  21. Social security or employer taxpayer identification numbers.
  22. Drivers license, State identification card, or passport numbers.
  23. Checking account numbers.
  24. Savings account numbers.
  25. Credit card numbers.
  26. Debit card numbers.
  27. Personal Identification (PIN) Code as defined in G.S. 14-113.8(6).
  28. Electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names.
  29. Digital signatures.
  30. Any other numbers or information that can be used to access a person’s financial resources.
  31. Biometric data.
  32. Fingerprints.
  33. Passwords.
  34. Parent’s legal surname prior to marriage.

Visit the NC Legislative website to view details of the NC Identity Theft Protection Act of 2005.

For additional resources for protecting sensitive data refer to Guidelines to Protect Sensitive Data.


Article ID: 67424
Fri 11/8/19 4:04 PM
Fri 3/25/22 11:16 AM
Service Owner
Information Security