§ 75-64. Destruction of personal information records.

(a)        Any business that conducts business in North Carolina and any business that maintains or otherwise possesses personal information of a resident of North Carolina must take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal.

(b)        The reasonable measures must include:

(1)        Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing personal information so that information cannot be practicably read or reconstructed.

(2)        Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed.

(3)        Describing procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity.

(c)        A business may, after due diligence, enter into a written contract with, and monitor compliance by, another party engaged in the business of record destruction to destroy personal information in a manner consistent with this section. Due diligence should ordinarily include one or more of the following:

(1)        Reviewing an independent audit of the disposal business's operations or its compliance with this statute or its equivalent.

(2)        Obtaining information about the disposal business from several references or other reliable sources and requiring that the disposal business be certified by a recognized trade association or similar third party with a reputation for high standards of quality review.

(3)        Reviewing and evaluating the disposal business's information security policies or procedures or taking other appropriate measures to determine the competency and integrity of the disposal business.

(d)        A disposal business that conducts business in North Carolina or disposes of personal information of residents of North Carolina must take all reasonable measures to dispose of records containing personal information by implementing and monitoring compliance with policies and procedures that protect against unauthorized access to or use of personal information during or after the collection and transportation and disposing of such information.

(e)        This section does not apply to any of the following:

(1)        Any bank or financial institution that is subject to and in compliance with the privacy and security provision of the Gramm Leach Bliley Act, 15 U.S.C. § 6801, et seq., as amended.

(2)        Any health insurer or health care facility that is subject to and in compliance with the standards for privacy of individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996.

(3)        Any consumer reporting agency that is subject to and in compliance with the Federal Credit Reporting Act, 15 U.S.C. § 1681, et seq., as amended.

(f)         A violation of this section is a violation of G.S. 75‑1.1, but any damages assessed against a business because of the acts or omissions of its nonmanagerial employees shall not be trebled as provided in G.S. 75‑16 unless the business was negligent in the training, supervision, or monitoring of those employees. No private right of action may be brought by an individual for a violation of this section unless such individual is injured as a result of the violation. (2005‑414, s. 1.)