North Carolina Businesses not meeting identity prevention requirements

North Carolina Businesses not meeting identity prevention requirements

Smith Moore LLP
11/30/2006 – Thursday November 30, 12:35 pm ET
Consequences of failing to comply with the state’s Identity Theft Protection Act could be severe.

RALEIGH, N.C., Nov. 30 /PRNewswire/ — On December 1, North Carolina’s Identity Theft Protection Act (ITPA) will turn one year old. But according to an attorney whose practice includes helping businesses comply with the ITPA, the vast majority of companies across the state still have not developed nor implemented the written identity theft protection policies the law requires.

“The ITPA specifies that a written personal information security policy must be in place for all companies that do business in North Carolina, or do business with North Carolina residents,” says Beth Scherer, a lawyer in the Raleigh office of Smith Moore LLP. “Many business people are not aware of the law, or do not think it applies to them. They don’t realize that there are now stringent requirements for maintaining the security of personal information like social security numbers, bank account numbers, even email addresses and telephone numbers in some cases.”

Over the past year, Scherer and other Smith Moore attorneys have conducted ITPA seminars for nearly 20 chambers of commerce and other business groups. “From the response we see at these meetings, it’s not an exaggeration to say that three-fourths of the business people in North Carolina have no idea that the ITPA has anything to do with their operations,” Scherer says. “And a lot more than that have not taken any steps to put policies in place to protect the personal identifying information of their employees, customers or clients.”

Scherer says, “The ITPA is clear in its mandate to companies of all sizes that keeping personal identifying information secure is their responsibility.” She adds that the law includes tough penalties for businesses if a security breach results in a customer or employee becoming a victim of identity theft. “The business could have to pay the victim three times the amount of monetary damage the victim incurred, plus attorney fees and possible fines assessed by the state Attorney General’s office,” she explains. “In a case where identity theft costs a victim thousands of dollars, if it’s determined that a business did not have the required policies in place to prevent identity theft, the financial impact of that oversight could literally put the company out of business.”

Scherer says the first thing businesses should do to meet the requirements of the ITPA is to work with a qualified attorney to develop formal, written policies and procedures that spell out how the company will address the security of personal identifying information. The policy should define what is considered to be personal identifying information, and make clear how the company will:

* Protect the confidentiality and security of personal identifying
* Assure that it collects only necessary personal information;
* Reduce the use of social security numbers;
* Ensure security during the disposal of identifying information;
* Train employees about personal information security;
* Monitor compliance with security procedures; and
* Discipline employees who do not follow security procedures.

Once it has an ITPA policy in place, a business is required to train employees and monitor business activities to make sure that their policy is being followed, Scherer says.

Contact: Steve Powell
Bouvier Kelly, Inc.
For Smith Moore LLP

Source: Smith Moore LLP

paper shredding services