Act". (2005-414, s. 1.)

§ 75-61. Definitions.

The following definitions apply in this Article:

(1) "Business". A sole proprietorship, partnership, corporation, association, or other group, however
organized and whether or not organized to operate at a profit. The term includes a financial institution
organized, chartered, or holding a license or authorization certificate under the laws of this State, any other
state, the United States, or any other country, or the parent or the subsidiary of any such financial
institution. Business shall not include any government or governmental subdivision or agency.

(2) "Consumer". An individual.

(3) "Consumer report" or "credit report". Any written, oral, or other communication of any information by a
consumer reporting agency bearing on a consumer's creditworthiness, credit standing, credit capacity,
character, general reputation, personal characteristics, or mode of living which is used or expected to be
used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's
eligibility for any of the following:

a. Credit to be used primarily for personal, family, or household purposes.

b. Employment purposes.

c. Any other purpose authorized under 15 U.S.C. § 168l(b).

(4) "Consumer reporting agency". Any person who, for monetary fees, dues, or on a cooperative
nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer
credit information or other information on consumers for the purpose of furnishing consumer reports to third
parties.

(5) "Credit card". Has the same meaning as in section 103 of the Truth in Lending Act (15 U.S.C. § 160,
et seq.).

(6) "Debit card". Any card or device issued by a financial institution to a consumer for use in initiating an
electronic fund transfer from the account holding assets of the consumer at such financial institution, for the
purpose of transferring money between accounts or obtaining money, property, labor, or services.

(7) "Disposal" includes the following:

a. The discarding or abandonment of records containing personal information.

b. The sale, donation, discarding, or transfer of any medium, including computer equipment or
computer media, containing records of personal information, or other nonpaper media upon which
records of personal information are stored, or other equipment for nonpaper storage of information.


BIERCE & KENERSON, P.C.









Tel: (212) 840-0080

www.biercekenerson.com










Fax: (212) 840-6210


















- 2 -

Updated July 23, 2007.
Subsequent changes may have occurred. This publication is for general information, and should not be considered legal advice or accurate law.
(8) "Encryption". The use of an algorithmic process to transform data into a form in which the data is
rendered unreadable or unusable without use of a confidential process or key.

(9) "Person". Any individual, partnership, corporation, trust, estate, cooperative, association, government,
or governmental subdivision or agency, or other entity.

(10) "Personal information". A person's first name or first initial and last name in combination with
identifying information as defined in G.S. 14-113.20(b). Personal information does not include publicly
available directories containing information an individual has voluntarily consented to have publicly
disseminated or listed, including name, address, and telephone number, and does not include information
made lawfully available to the general public from federal, state, or local government records.

(11) "Proper identification". Information generally deemed sufficient to identify a person. If a person is
unable to reasonably identify himself or herself with the information described above, a consumer reporting
agency may require additional information concerning the consumer's employment and personal or family
history in order to verify the consumer's identity.

(12) "Records". Any material on which written, drawn, spoken, visual, or electromagnetic information is
recorded or preserved, regardless of physical form or characteristics.

(13) "Redaction". The rendering of data so that it is unreadable or is truncated so that no more than the
last four digits of the identification number is accessible as part of the data.

(14) "Security breach". An incident of unauthorized access to and acquisition of unencrypted and
unredacted records or data containing personal information where illegal use of the personal information
has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer. Any
incident of unauthorized access to and acquisition of encrypted records or data containing personal
information along with the confidential process or key shall constitute a security breach. Good faith
acquisition of personal information by an employee or agent of the business for a legitimate purpose is not
a security breach, provided that the personal information is not used for a purpose other than a lawful
purpose of the business and is not subject to further unauthorized disclosure.

(15) "Security freeze". Notice placed in a credit report, at the request of the consumer and subject to
certain exceptions, that prohibits the consumer reporting agency from releasing all or any part of the
consumer's credit report or any information derived from it without the express authorization of the
consumer. (2005-414, s. 1.)

§ 75-62. Social security number protection.

(a) Except as provided in subsection (b) of this section, a business may not do any of the following:

(1) Intentionally communicate or otherwise make available to the general public an individual's social
security number.

(2) Intentionally print or imbed an individual's social security number on any card required for the individual
to access products or services provided by the person or entity.

(3) Require an individual to transmit his or her social security number over the Internet, unless the
connection is secure or the social security number is encrypted.

(4) Require an individual to use his or her social security number to access an Internet Web site, unless a
password or unique personal identification number or other authentication device is also required to access
the Internet Web site.

(5) Print an individual's social security number on any materials that are mailed to the individual, unless
state or federal law requires the social security number to be on the document to be mailed.


- 3 -

Updated July 23, 2007.
Subsequent changes may have occurred. This publication is for general information, and should not be considered legal advice or accurate law.
(6) Sell, lease, loan, trade, rent, or otherwise intentionally disclose an individual's social security number to
a third party without written consent to the disclosure from the individual, when the party making the
disclosure knows or in the exercise of reasonable diligence would have reason to believe that the third
party lacks a legitimate purpose for obtaining the individual's social security number.

(b) Subsection (a) of this section shall not apply in the following instances:

(1) When a social security number is included in an application or in documents related to an enrollment
process, or to establish, amend, or terminate an account, contract, or policy; or to confirm the accuracy of
the social security number for the purpose of obtaining a credit report pursuant to 15 U.S.C. § 1681(b)(2). A
social security number that is permitted to be mailed under this section may not be printed, in whole or in
part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the
envelope having been opened.

(2) To the collection, use, or release of a social security number for internal verification or administrative
purposes.

(3) To the opening of an account or the provision of or payment for a product or service authorized by an
individual.

(4) To the collection, use, or release of a social security number to investigate or prevent fraud, conduct
background checks, conduct social or scientific research, collect a debt, obtain a credit report from or
furnish data to a consumer reporting agency pursuant to the Fair Credit Reporting Act, 15 U.S.C. § 1681, et
seq., undertake a permissible purpose enumerated under Gramm Leach Bliley, 12 C.F.R. § 216.13-15, or
locate an individual who is missing, a lost relative, or due a benefit, such as a pension, insurance, or
unclaimed property benefit.

(5) To a business acting pursuant to a court order, warrant, subpoena, or when otherwise required by law.

(6) To a business providing the social security number to a federal, state, or local government entity,
including a law enforcement agency, court, or their agents or assigns.

(7) To a social security number that has been redacted.

(c)
A business covered by this section shall make reasonable efforts to cooperate, through systems testing
and other means, to ensure that the requirements of this Article are implemented.

(d) A violation of this section is a violation of G.S. 75-1.1. (2005-414, s. 1.)

§ 75-63. Security freeze.

(a) A consumer may place a security freeze on the consumer's credit report by making a request in writing by
certified mail to a consumer reporting agency. A security freeze shall prohib