A new, broadly-worded North Carolina law regulates, among other things, the use and disposal of documents containing social security numbers and other personal information.  This law has many implications for business, including implications for Human Resources.

Employers should start taking steps now to protect employees' social security numbers, including using identification mechanisms that do not include social security numbers.  Employers should also promptly adopt written policies and procedures for the disposal of personal data.

• Starting December 1, 2005, North Carolina employers must implement written policies and procedures for the secure disposal of paper and electronic documents containing "personal information."  (For general information on disposal policies and procedures, see June 2005 TIP discussing employer's disposal of criminal background checks.)
• "Personal information" is defined broadly to include not only social security numbers but also, for example, drivers' license numbers, checking or savings account numbers, credit or debit card numbers, email addresses, pin numbers, passwords, and parent's legal surname prior to marriage.
• Starting October 1, 2006, use of employees' social security numbers will also be restricted.  Employers must take reasonable steps, including conducting systems tests, to ensure compliance with the law.  Highlights include:
  
  • Restrictions on disclosure of social security numbers without employee's written consent.
  • Restrictions on requiring employees to transmit unencrypted social security numbers over the Internet unless transmitted over secure connection.
  • Restrictions on printing or imbedding social security numbers on cards that are required to access products or services, including identification badges, security cards, and insurance cards.
  • Restrictions on using social security numbers to access Internet Website unless password or other authentication device is also required.
  • Restrictions on transmitting documents that contain an employee's social security number by e-mail or regular mail.
• Violation of Identity Theft Protection Act is an unfair and deceptive trade practice that could expose an employer to the risk of treble damages and attorneys' fees.