With the recommendation of NC's Safer-At-Home Order, TAA Staff are all working remotely. The fastest way to reach us is via email

Data Privacy and Protections: What you don’t know that you signed up for!

Posted By: Norm Praet the ApartMentor ,

Reports of data breaches are so frequent in the news that we, as a society, are becoming de-sensitized to them. Based on a recent review, the author had information compromised in a data breach on ten different occasions! Currently, data breach laws are different in every state making it challenging for businesses who operate in multiple states. California has recently passed the most sweeping and, some would say, onerous data privacy protections modeled on the European Union laws. Due to this disparity between states, the National Apartment Association has included a national data privacy law among its top legislative priorities.

Reports of data breaches are so frequent in the news that we, as a society, are becoming de-sensitized to them. Based on a recent review, the author had information compromised in a data breach on ten different occasions! Currently, data breach laws are different in every state making it challenging for businesses who operate in multiple states. California has recently passed the most sweeping and, some would say, onerous data privacy protections modeled on the European Union laws. Due to this disparity between states, the National Apartment Association has included a national data privacy law among its top legislative priorities. Now that you are hopefully sufficiently concerned, we will look at the North Carolina Identity Theft Protection Act (ITPA). The ITPA was passed in 2005 and has not been changed in any significant way since then. Beginning in 2018, new bills were filed seeking to amend or replace the law in each session of the North Carolina Congress, but none have been successful.

Primarily, the ITPA requires that businesses: 1) protect personal information such as social security numbers, 2) dispose of records in a manner that protects sensitive information, 3) institute policies to protect data, including employee training, 4) and notify affected North Carolina residents in the event of a data breach.

The first of the four requirements above is pretty straightforward. You must not disclose an applicant or resident’s social security number unless authorized to do so.

Regarding the second requirement, you must properly dispose of sensitive information requires that you use reasonable measures that must include: 1) Implementing and monitoring compliance with procedures that require the burning, pulverizing, or shredding of papers containing personal information so that information cannot be practicably read or reconstructed, and 2) Implementing and monitoring compliance with procedures that require the destruction  of electronic media containing personal information so that the information cannot practicably be read or reconstructed.

The third requirement simply requires you to train your employees in your procedures for proper destruction and maintain the official policies in writing.

The final requirement is that residents be notified of a breach. A breach occurs when the following information is obtained by someone who should not have the information: First name, or initial, and last name, PLUS the social security number; driver’s license number, state ID or passport number; financial account numbers; etc. Disclosure of the following information will not be a breach: electronic identification numbers, electronic mail names or addresses, Internet account numbers, Internet identification names, parent's legal surname prior to marriage, or a password, unless this information would permit access to a person's financial account or resources.

In the case of a breach, you should: 1) determine who is affected by the breach and what information was shared, 2) restore the security of your system, 3) notify the affected person(s), and 4) if more than 1,000 people are affected, you must notify the NC attorney general and consumer reporting agencies. The notice must be made without unreasonable delay unless law enforcement asks you to wait. The ITPA requires specific information that must be placed in the notice and provides information as to how the notice may be provided.

Finally, a violation of the ITPA is considered an unfair and deceptive trade practice. So, failure to comply may result in significant penalties.

Now that you are definitely concerned about this issue, if you become aware of a breach, you likely will want to contact both your insurance carrier for coverage and your attorney for guidance as to how best to comply with the ITPA requirements.


This article is not legal advice and should not be relied upon as such.

This article was written and published with permission by Brownlee Whitlow & Praet, PLLC and was originally published in the 2019 November-December issue of the ApartMentor magazine.