GENERAL ASSEMBLY OF NORTH CAROLINA

SESSION 2005

H                                                                                                                                                    1

HOUSE BILL 1248*

 

 

 

 

Short Title:     Identity Theft Protection Act of 2005.

(Public)

Sponsors:

Representatives Goforth, Sutton, Kiser, Ray (Primary Sponsors);  Adams, Barnhart, Bell, Bordsen, Carney, Coates, Coleman, Cunningham, Dickson, Dollar, England, Faison, Farmer-Butterfield, Fisher, Gibson, Glazier, Goodwin, Hackney, Haire, Harrell, Harrison, Jeffus, Ed Jones, Martin, McLawhorn, Owens, Rapp, Ross, Tucker, Underhill, Wainwright, Williams, and Wray.

Referred to:

Judiciary III.

April 18, 2005

A BILL TO BE ENTITLED

AN ACT enacting the identity theft protection act of 2005.

The General Assembly of North Carolina enacts:

SECTION 1.  Chapter 75 of the General Statutes is amended by adding a new Article to read:

"Article 2A.

"Identity Theft Protection Act.

"§ 75-60.  Title.

This Article shall be known and may be cited as the "Identity Theft Protection Act".

"§ 75-61.  Definitions.

The following definitions apply in this Article:

(1)       "Business". - A sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit. The term includes a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this State, any other state, the United States, or any other country, or the parent or the subsidiary of any such financial institution. Business shall not include any government or governmental subdivision or agency.

(2)       "Consumer". - An individual.

(3)       "Consumer reporting agency". - Any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.

(4)       "Consumer report" or "credit report". - Any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for:

a.         Credit to be used primarily for personal, family, or household purposes;

b.         Employment purposes; or

c.         Any other purpose authorized under 15 U.S.C. § 168lb.

(5)       "Credit card". - Has the same meaning as in section 103 of the Truth in Lending Act (15 U.S.C. § 160, et seq.).

(6)       "Credit header information". - Written, oral, or other communication of any information by a consumer reporting agency regarding the social security number of the consumer, or any derivative thereof, and any other personally identifiable information of the consumer that is derived using any nonpublic personal information, except the name, address, and telephone number of the consumer if all are listed in a residential telephone directory available in the locality of the consumer.

(7)       "Debit card". - Any card or device issued by a financial institution to a consumer for use in initiating an electronic fund transfer from the account holding assets of the consumer at such financial institution, for the purpose of transferring money between accounts or obtaining money, property, labor, or services.

(8)       "Disposal" includes:

a.         The discarding or abandonment of records containing personal information, and

b.         The sale, donation, discarding or transfer of any medium, including computer equipment, or computer media, containing records of personal information, or other nonpaper media upon which records of personal information are stored, or other equipment for nonpaper storage of information.

(9)       "Person". -  Any individual, partnership, corporation, trust, estate, cooperative, association, government, or governmental subdivision or agency, or other entity.

(10)     "Personal information". -  An individual's first name or first initial and last name in combination with identifying information as defined in G.S. 14-113.20(b) or any identifying information, when not in connection with the individual's first name or first initial and last name, that if compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.

(11)     "Records". - Any material on which written, drawn, spoken, visual, or electromagnetic information is recorded or preserved, regardless of physical form or characteristics. "Records" does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, such as name, address, or telephone number.

(12)     "Security breach". - Unauthorized acquisition of records or data that compromises the security, or confidentiality of personal information. Good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose is not a security breach, provided that the personal information is not used for a purpose unrelated to the business or subject to further unauthorized disclosure.

(13)     "Security freeze". - Notice, at the request of the consumer and subject to certain exceptions, that prohibits the consumer reporting agency from releasing all or any part of the consumer's credit report or any information derived from it without the express authorization of the consumer.

"§ 75-62.  Social security number protection.

(a)       Except as provided in subsection (b) of this section, a business may not do any of the following:

(1)       Intentionally communicate or otherwise make available to the general public an individual's social security number.

(2)       Print an individual's social security number on any card required for the individual to access products or services provided by the person or entity.

(3)       Require an individual to transmit his or her social security number over the Internet, unless the connection is secure or the social security number is encrypted.

(4)       Require an individual to use his or her social security number to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet Web site.

(5)       Print an individual's social security number on any materials that are mailed to the individual, unless State or federal law requires the social security number to be on the document to be mailed.

(6)       Sell, lease, loan, trade, rent, or otherwise disclose an individual's social security number to a third party for any purpose without written consent to the disclosure from the individual.

(b)       Subsection (a) of this section shall not apply in the following instances:

(1)       Subsection (a)(5) of this section shall not apply when a social security number is included in an application or in documents related to an enrollment process, or to establish an account, contract, or policy. A social security number that is permitted to be mailed under this section may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.

(2)       Subsection (a)(6) of this section shall not apply:

a.         To the collection, use, or release of a social security number for internal verification or administrative purposes provided that no consideration is exchanged between the person and the third party for the collection, use, or release of the social security number.

b.         To the collection, use, or release of a social security number to investigate or prevent fraud or to conduct background checks.

c.         To a business acting pursuant to a court order, warrant, subpoena, or when otherwise required by law.

d.         To a business providing the social security number to a federal, State, or local government entity, including a law enforcement agency, or court, or their agents or assigns.

(c)       A business covered by this section shall make reasonable efforts to cooperate, through systems testing and other means, to ensure that the requirements of this Article are implemented on or before the dates specified in this section.

(d)       A violation of this section is a violation of G.S. 75-1.1. An individual may bring a civil action against a business that violates this section and may recover pursuant to G.S. 75-16 or may recover statutory damages of one thousand dollars ($1,000), whichever is greater, plus reasonable court costs and attorneys' fees.

(e)       This section becomes effective July 1, 2006.

"§ 75-63.  Security freeze.

(a)       If a consumer elects to place a security freeze on his or her credit report, a credit reporting agency may not release the consumer's credit report or information to a third party without prior express authorization from the consumer. This subsection does not prevent a consumer reporting agency from advising a third party that a security freeze is in effect with respect to the consumer's credit report.

(b)       A consumer may elect to place a "security freeze" on his or her credit report by making a request directly to a consumer reporting agency by any of the following methods:

(1)       By certified mail.

(2)       By telephone by providing certain personal identification.

(3)       Through a secure electronic mail connection if such connection is made available by the agency.

(c)       A consumer reporting agency shall place a security freeze on a consumer's credit report no later than five business days after receiving a written or telephone request from the consumer or three business days after receiving a secure electronic mail request.

(d)       The consumer reporting agency shall send a written confirmation of the security freeze to the consumer within five business days of placing the freeze and at the same time shall provide the consumer with a unique personal identification number or password to be used by the consumer when providing authorization for the release of his or her credit for a specific party or period of time.

(e)       If the consumer wishes to allow his or her credit report to be accessed for a specific party or period of time while a freeze is in place, he or she shall contact the consumer reporting agency via telephone, certified mail, or secure electronic mail, request that the freeze be temporarily lifted, and provide all of the following:

(1)       Proper identification.

(2)       The unique personal identification number or password provided by the consumer reporting agency pursuant to subsection (d) of this section.

(3)       The proper information regarding the third party who is to receive the credit report or the time period for which the report shall be available to users of the credit report.

(f)        A consumer reporting agency that receives a request from a consumer to temporarily lift a freeze on a credit report pursuant to subsection (e) of this section shall comply with the request no later than three business days after receiving the request.

(g)       A consumer reporting agency may develop procedures involving the use of telephone, fax, or, upon the consent of the consumer in the manner required by the Electronic Signatures in Global and National Commerce Act (e-Sign) for legally required notices, by the Internet, e-mail, or other electronic media to receive and process a request from a consumer to temporarily lift a freeze on a credit report pursuant to subsection (e) of this section in an expedited manner.

(h)       A consumer reporting agency shall remove or temporarily lift a freeze placed on a consumer's credit report only in the following cases:

(1)       Upon the consumer's request, pursuant to subsection (e) of this section.

(2)       If the consumer's credit report was frozen due to a material misrepresentation of fact by the consumer. If a consumer reporting agency intends to remove a freeze upon a consumer's credit report pursuant to this subsection, the consumer reporting agency shall notify the consumer in writing five business days prior to removing the freeze on the consumer's credit report.

(i)        If a third party requests access to a consumer credit report on which a security freeze is in effect, and this request is in connection with an application for credit or any other use, and the consumer does not allow his or her credit report to be accessed for that specific party or period of time, the third party may treat the application as incomplete.

(j)        If a third party requests access to a consumer credit report on which a security freeze is in effect for the purpose of receiving, extending, or otherwise utilizing the credit therein, and not for the sole purpose of account review, the consumer credit reporting agency must notify the consumer that an attempt has been made to access the credit report and by whom.

(k)       A security freeze shall remain in place until the consumer requests that the security freeze be removed. A consumer reporting agency shall remove a security freeze within three business days of receiving a request for removal from the consumer, who provides both of the following:

(1)       Proper identification, and

(2)       The unique personal identification number or password provided by the consumer reporting agency pursuant to subsection (d) of this section.

(l)        A consumer reporting agency shall require proper identification of the person making a request to place or remove a security freeze.

(m)      A consumer reporting agency may not suggest or otherwise state or imply to a third party that the consumer's security freeze reflects a negative credit score, history, report, or rating.

(n)       A consumer may not be charged for any security freeze services, including, but not limited to, the placement or lifting of a security freeze. A consumer, however, can be charged no more than five dollars ($5.00) only in the following discrete circumstances:

(1)       If the consumer fails to retain the original personal identification number provided by the agency, the consumer may not be charged for a one-time reissue of the charge no more than five dollars ($5.00) for subsequent instances of loss of the personal identification number.

(2)       The consumer may be charged no more than five dollars ($5.00) for the third and each subsequent time the consumer requests a security freeze on his or her credit report be temporarily lifted pursuant to subsection (e) of this section within a calendar year.

(3)       For consumers that remove a security freeze pursuant to subsection (k) of this section, the consumer may be charged no more than five dollars ($5.00) for the third and each subsequent time the consumer requests a security freeze be placed on his or her credit report be placed pursuant to subsection (b) within a calendar year.

(o)       At any time that a consumer is required to receive a summary of rights required under section 609 of the federal Fair Credit Reporting Act, the following notice shall be included:

"North Carolina Consumers Have the Right to Obtain a Security Freeze.

You may obtain a security freeze on your credit report at no charge to protect your privacy and ensure that credit is not granted in your name without your knowledge. You have a right to place a "security freeze" on your credit report pursuant to North Carolina law. The security freeze will prohibit a consumer reporting agency from releasing any information in your credit report without your express authorization or approval.

The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. When you place a security freeze on your credit report, within five business days you will be provided a personal identification number or password to use if you choose to remove the freeze on your credit report or to temporarily authorize the release of your credit report for a specific party, parties, or period of time after the freeze is in place. To provide that authorization, you must contact the consumer reporting agency and provide all of the following:

(1)       The unique personal identification number or password provided by the consumer reporting agency.

(2)       Proper identification to verify your identity.

(3)       Proper information regarding the third party or parties who are to receive the credit report or the period of time for which the report shall be available to users of the credit report.

A consumer reporting agency that receives a request from a consumer to lift temporarily a freeze on a credit report shall comply with the request no later than three business days after receiving the request. A security freeze does not apply to circumstances where you have an existing account relationship and a copy of your report is requested by your existing creditor or its agents or affiliates for certain types of account review, collection, fraud control, or similar activities.

If you are actively seeking credit, you should understand that the procedures involved in lifting a security freeze may slow your own applications for credit. You should plan ahead and lift a freeze - either for a period of time if you are shopping around or specifically for a certain creditor - a few days before actually applying for new credit.

If you lift your freeze more than two times in a calendar year, you may be charged no more than five dollars ($5.00) for each subsequent time you wish to impose a security freeze on your credit report. You have a right to bring a civil action against someone who violates your rights under the credit reporting laws. The action can be brought against a consumer reporting agency or a user of your credit report."

(p)       The provisions of this section do not apply to the use of a consumer credit report by any of the following:

(1)       A person, or the person's subsidiary, affiliate, agent, or assignee with which the consumer has or, prior to assignment, had an account, contract, or debtor-creditor relationship for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract, or debt.

(2)       A subsidiary, affiliate, agent, assignee, or prospective assignee of a person to whom access has been granted under subsection (e) of this section for purposes of facilitating the extension of credit or other permissible use.

(3)       Any person acting pursuant to a court order, warrant, or subpoena.

(4)       A State or local agency which administers a program for establishing and enforcing child support obligations.

(5)       The State or its agents or assigns acting to investigate fraud or acting to investigate or collect delinquent taxes or unpaid court orders or to fulfill any of its other statutory responsibilities.

(6)       A person for the purposes of prescreening as defined by the federal Fair Credit Reporting Act.

(7)       Any person or entity administering a credit file monitoring subscription service to which the consumer has subscribed.

(8)       Any person or entity for the purpose of providing a consumer with a copy of his or her credit report upon the consumer's request.

(q)       If a consumer reporting agency erroneously, whether by accident or design, violates the security freeze by releasing credit information that has been placed under a security freeze or violates any other provision in this section, the affected consumer is entitled to:

(1)       Notification within five business days of the release of the information, including specificity as to the information released and the third-party recipient of the information.

(2)       File a civil action pursuant to G.S. 75-16. In addition to the remedies therein, a consumer may recover statutory damages of one thousand dollars ($1,000) per violation and seek injunctive relief to prevent or restrain further.

"§ 75-64.  Protection for credit header information.

(a)       A consumer reporting agency may furnish a consumer's credit header information only to those who have a permissible purpose to obtain the consumer's consumer report under section 604 of the federal Fair Credit Reporting Act, as codified in 15 U.S.C.§ 1681(b), or in the following circumstances:

(1)       When acting pursuant to a court order, warrant, or subpoena or when otherwise required by law.

(2)       To a federal, State, or local government entity, including a law enforcement agency, or court, or their agents or assigns.

(3)       To investigate or prevent fraud or to conduct background checks.

(4)       To financial institutions for compliance with Section 326 of the USA PATRIOT Act.

(b)       A violation of this section is a violation of G.S. 75-1.1. An individual may bring a civil action against a business that violates this section and may recover pursuant to G.S. 75-16 or may recover statutory damages of one thousand dollars ($1,000), which ever is greater, plus reasonable court costs and attorneys' fees.

"§ 75-65.  Destruction of personal information records.

(a)       Any business that conducts business in North Carolina and any business that maintains or otherwise possesses personal information of a resident of North Carolina must take all reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal.

(b)       The reasonable measures must include, but may not be limited to:

(1)       Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing personal information so that information cannot be practicably read or reconstructed;

(2)       Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other non-paper media containing personal information so that the information cannot practicably be read or reconstructed;

(3)       Implementing and monitoring compliance with policies and procedures that require reasonable steps to be taken to ensure that no unauthorized person will have access to the personal information for the period between the discarding of the record and the record's destruction.

(4)       Comprehensively describing and classifying procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity, including corporate and employee handbooks and similar corporate documents.

(c)       A business may after due diligence enter into a written contract, with and monitor compliance by, another party engaged in the business of record destruction to destroy personal information in a manner consistent with this section. Due diligence should ordinarily include, but may not be limited to, one or more of the following:

(1)       Reviewing an independent audit of the disposal business's operations or its compliance with this statute or its equivalent.

(2)       Obtaining information about the disposal business from several references or other reliable sources and requiring that the disposal business be certified by a recognized trade association or similar third party with a reputation for high standards of quality review.

(3)       Reviewing and evaluating the disposal business's information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the disposal business.

(d)       A disposal business that conducts business in North Carolina or disposes of personal information of residents of North Carolina must take all reasonable measures to dispose of records containing personal information by implementing and monitoring compliance with policies and procedures that protect against unauthorized access to or use of personal information during or after the collection and transportation and disposing of such information.

(e)       This section does not apply to any bank or financial institution that is subject to the privacy and security provision of the Gramm-Leach-Bliley Act, 15 U.S.C. Section 6801 et seq., as amended, or any health insurer that is subject to the standards for privacy of individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996.

(f)        A violation of this section is a violation of G.S. 75-1.1. An individual may bring a civil action against a business that violates this section and may recover pursuant to G.S. 75-16 or may recover statutory damages of one thousand dollars ($1,000), whichever is greater, plus reasonable court costs and attorneys' fees.

"§ 75-66.  Protection from security breaches.

(a)       Except as provided in subsection (b) of this section, any business that maintains or otherwise possesses personal information of residents of North Carolina or any business that conducts business in North Carolina that maintains or otherwise possesses personal information of consumers in any form (whether computerized, paper, or otherwise) shall provide notice to the affected person that there has been a security breach following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (c) of this section, or with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.

(b)       A business shall not be required to disclose a technical security breach that does not seem reasonably likely to subject consumers to a risk of criminal activity.

(c)       The notice required by this section may be delayed if a law enforcement agency determines that notification may impede a criminal investigation. The notice required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.

(d)       For purposes of this section, notice to affected persons may be provided by one of the following methods:

(1)       Written notice.

(2)       Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing set forth in section 7001 of Title 15 of the United States Code.

(3)       Substitute notice, if the data collector demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000) or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information. Substitute notice shall consist of all the following:

a.         E-mail notice when the data collector has an e-mail address for the subject persons.

b.         Conspicuous posting of the notice on the data collector's Web site page, if one is maintained.

c.         Notification to major statewide media.

(e)       Any waiver of the provisions of this Article is contrary to public policy, and is void and unenforceable.

(f)        A violation of this section is a violation of G.S. 75-1.1. An individual may bring a civil action against a business that violates this section and may recover pursuant to G.S. 75-16 or may recover statutory damages of one thousand dollars ($1,000), whichever is greater, plus reasonable court costs and attorneys' fees."

SECTION 2.  G.S. 14-113.21 reads as rewritten:

"§ 14-113.21.  Venue of offenses.

In any criminal proceeding brought under G.S. 14-113.20, the crime is considered to be committed in any county in which the county where the victim resides, where the perpetrator resides, where any part of the financial identity fraud took place, or in any other county instrumental to the completion of the offense, regardless of whether the defendant was ever actually present in that county."

SECTION 3.  Article 19C of Chapter 14 of the General Statutes is amended by adding a new section to read:

"§ 14-113.21A. Investigation of offenses.

(a)       A person who has learned or reasonably suspects that he or she has been the victim of identity theft may contact the local law enforcement agency that has jurisdiction over his or her actual residence. Notwithstanding the fact that jurisdiction may lie elsewhere for investigation and prosecution of a crime of identity theft, the local law enforcement agency may take the complaint, issue an incident report, and provide the complainant with a copy of the report and may refer the report to a law enforcement agency in that different jurisdiction.

(b)       Nothing in this section interferes with the discretion of a local law enforcement agency to allocate resources for investigations of crimes. A complaint filed or report issued under this section is not required to be counted as an open case for purposes such as compiling open case statistics."

SECTION 4.  Chapter 132 is amended by adding a new section to read:

"§ 132-1.8.  Social security numbers and other personal identifying information.

(a)       The General Assembly finds the following:

(1)       The social security number can be used as a tool to perpetuate fraud against a person and to acquire sensitive personal, financial, medical, and familial information, the release of which could cause great financial or personal harm to an individual. While the social security number was intended to be used solely for the administration of the federal Social Security System, over time this unique numeric identifier has been used extensively for identity verification purposes and other legitimate consensual purposes.

(2)       Although there are legitimate reasons for State and local government agencies to collect social security numbers and other personal identifying information from individuals, government should collect the information only for legitimate purposes or when required by law.

(3)       When State and local government agencies possess social security numbers or other personal identifying information, the governments should minimize the instances this information is disseminated either internally within government or externally with the general public.

(b)       Except as provided in subsection (c) of this section, any State or local government agency, or any agent, employee, or contractor of a government agency, shall not do any of the following:

(1)       Collect a person's social security number unless authorized by law to do so or unless the collection of the social security number is otherwise imperative for the performance of that agency's duties and responsibilities as prescribed by law. Social security numbers collected by an agency must be relevant to the purpose for which collected and shall not be collected until and unless the need for social security numbers has been clearly documented.

(2)       Fail, when collecting a person's social security number, to segregate that number on a separate page from the rest of the record, or as otherwise appropriate, in order that the social security number can be more easily redacted pursuant to a public records request.

(3)       Fail, when collecting a person's social security number, to provide, at the time of or prior to the actual collection of the social security number by that agency, that person upon request, with a statement of the purpose or purposes for which the social security number is being collected and used.

(4)       Use the social security number for any purpose other than the purpose stated.

(5)       Intentionally communicate or otherwise make available to the general public a person's social security number or other identifying information. "Identifying information," as used in this section, shall have the same meaning as in G.S. 14-113.20(b).

(6)       Print an individual's social security number on any card required for the individual to access government services.

(7)       Require an individual to transmit his or her social security number overt the Internet, unless the connection is secure or the social security number is encrypted.

(8)       Require an individual to use his or her social security number to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet Web site.

(9)       Print an individual's social security number on any materials that are mailed to the individual, unless State or federal law required that the social security number be on the document to be mailed.

(10)     Sell, lease, loan, trade, rent, or otherwise disclose an individual's social security number to a third party for any purpose without written consent to the disclosure from the individual.

(c)       Subsection (b) of this section does not apply in the following circumstances:

(1)       Social security numbers and identifying information may be disclosed to another governmental entity or its agents, employees, or contractors if disclosure is necessary for the receiving entity to perform its duties and responsibilities. The receiving governmental entity and its agents, employees, and contractors shall maintain the confidential and exempt status of such numbers.

(2)       Social security number or other identifying information may be disclosed pursuant to a court order, warrant, or subpoena.

(d)       No person preparing or filing a document to be recorded in the official records by the register of deeds may include any person's social security number or other identifying information in that document, unless otherwise expressly required by law. If a social security number or other identifying information is or has been included in a document presented to the register of deeds for recording in the official records of the county before, on, or after the effective date of this section, it may be made available as part of the official record available for public inspection and copying.

(e)       Any person or the person's attorney or legal guardian, has the right to request that a register of deeds remove, from an image or copy of an official record placed on a register of deeds' publicly available Internet website or a publicly available Internet website used by a register of deeds to display public records or otherwise made electronically available to the general public by such register, his or her social security number or other identifying information contained in that official record. The request must be made in writing, legibly signed by the requester, and delivered by mail, facsimile, or electronic transmission, or delivered in person to the register of deeds. The request must specify the identification page number that contains the social security number or other identifying information to be redacted. The register of deeds shall have no duty to inquire beyond the written request to verify the identity of a person requesting redaction. No fee will be charged for the redaction of a social security number or other identifying information pursuant to such request.

(f)        A register of deeds shall immediately and conspicuously post signs throughout his or her offices for public viewing and shall immediately and conspicuously post a notice on any Internet website or remote electronic site made available by the register of deeds and used for the ordering or display of official records or images or copies of official records a notice, stating, in substantially similar form, the following:

(1)       Any person preparing or filing a document for recordation in the official records may not include a social security number or other identifying information as defined in G.S. 14-113.20(b) in such document, unless expressly required by law.

(2)       Any person has a right to request a register of deeds to remove, from an image or copy of an official record placed on a register of deeds' publicly available Internet website or on a publicly available Internet website used by a register of deeds to display public records or otherwise made electronically available to the general public, any social security number or other identifying information as defined in G.S. 14-113.20(b) contained in an official record. Such request must be made in writing and delivered by mail, facsimile, or electronic transmission, or delivered in person, to the register of deeds. The request must specify the identification page number that contains the social security number or other identifying information to be redacted. No fee will be charged for the redaction of a social security number or other identifying information pursuant to such a request.

(g)       Any affected person may petition the superior court for an order directing compliance with this section.

(h)       This section shall take effect on October 1, 2005, except that subsections (b)(6) and (b)(9) of this section shall take effect July 1,2007."

SECTION 5.  Chapter 120 of the General Statutes is amended by adding a new Article to read:

"Article 30.

"Miscellaneous.

"§ 120-61. Report by State agencies to the General Assembly on ways to reduce incidence of identity theft.

Agencies of the State of North Carolina shall evaluate and report to the General Assembly about their efforts to reduce the dissemination of personal identifying information, as defined in G.S. 14-113.20(b). The evaluation shall include the review of public forms, the use of random personal identification numbers, restriction of access to personal identifying information, and reduction of use of personal identifying information when it is not necessary. Special attention shall be given to the use, collection, and dissemination of social security numbers. If the collection of a social security number is found to be unwarranted, the State agency shall immediately discontinue the collection of social security numbers for that purpose."

SECTION 6.  G.S. 14-113.20 reads as rewritten:

"§ 14-113.20.  Financial identity fraudIdentity theft.

(a)       A person who knowingly obtains, possesses, or uses identifying information of another person, living or dead, with the intent to fraudulently represent that the person is the other person for the purposes of making financial or credit transactions in the other person's name, to obtain anything of value, benefit, or advantage, or for the purpose of avoiding legal consequences is guilty of a felony punishable as provided in G.S. 14-113.22(a).

(b)       The term "identifying information" as used in this Article includes the following:

(1)       Social security numbers.

(2)       Drivers license license, State identification card, or passport numbers.

(3)       Checking account numbers.

(4)       Savings account numbers.

(5)       Credit card numbers.

(6)       Debit card numbers.

(7)       Personal Identification (PIN) Code as defined in G.S. 14-113.8(6).

(8)       Electronic identification numbers.numbers, names, or other identification.

(9)       Digital signatures.

(10)     Any other numbers or information that can be used to access a person's financial resources.

(11)     Biometric data.

(12)     Fingerprints.

(13)     Passwords.

(14)     Parent's legal surname prior to marriage.

(c)       It shall not be a violation under this Article for a person to do any of the following:

(1)       Lawfully obtain credit information in the course of a bona fide consumer or commercial transaction.

(2)       Lawfully exercise, in good faith, a security interest or a right of offset by a creditor or financial institution.

(3)       Lawfully comply, in good faith, with any warrant, court order, levy, garnishment, attachment, or other judicial or administrative order, decree, or directive, when any party is required to do so."

SECTION 7. The Revisor of Statutes shall make the following technical and conforming corrections:

(1)       Rename Article 19C of Chapter 14 of the General Statutes from "Financial Identity Fraud" to "Identity Theft."

(2)       Replace the phrase "financial identity fraud" with the phrase "identity theft" wherever the terms appear throughout Article 19C of Chapter 14 of the General Statutes.

SECTION 8.  G.S. 15A-147 reads as rewritten:

"§ 15A-147.  Expunction of records when charges are dismissed or there are findings of not guilty as a result of identity fraud.theft.

(a)       If any person is named in a charge for an infraction or a crime, either a misdemeanor or a felony, as a result of another person using the identifying information of the named person to commit an infraction or crime and the charge against the named person is dismissed, a finding of not guilty is entered, or the conviction is set aside, the named person may apply by petition or written motion to the court where the charge was last pending on a form approved by the Administrative Office of the Courts supplied by the clerk of court for an order to expunge from all official records any entries relating to the person's apprehension, charge, or trial. The court, after notice to the district attorney, shall hold a hearing on the motion or petition and, upon finding that the person's identity was used without permission and the charges were dismissed or the person was found not guilty, the court shall order the expunction."

SECTION 9.  G.S. 1-539.2C reads as rewritten:

"§ 1-539.2C.  Damages for identity fraud.theft.

(a)       Any person whose property or person is injured by reason of an act made unlawful by Article 19C of Chapter 14 of the General Statutes may sue for civil damages. Damages may be in an amount of up to five thousand dollars ($5,000) but no less than five hundred dollars ($500.00) for each incident, or three times the amount of actual damages, whichever amount is greater. A person seeking damages as set forth in this section may also institute a civil action to enjoin and restrain future acts that would constitute a violation of this section. The court, in an action brought under this section, may award reasonable attorneys' fees to the prevailing party."

SECTION 10.  Severability. - The provisions of this act are severable. If any phrase, clause, sentence, provision, or section is declared to be invalid or preempted by federal law or regulation, the validity of the remainder of this act shall not be affected thereby.

SECTION 11.  Effective Date. - This act becomes effective December 1, 2005, and shall be applicable to offenses occurring, and to actions arising, on or after that date.