Can I store personal information about my customers in North Carolina? What are the requirements?
Yes, you can store personal information about your customers in North Carolina, but you must comply with certain requirements.
Storing Personally Identifiable Information
According to NCGS 132-1.10, no agency of the State or its political subdivisions, or any agent or employee of a government agency, shall collect a social security number from an individual unless authorized by law to do so or unless the collection of the social security number is otherwise imperative for the performance of that agency’s duties and responsibilities as prescribed by law. Social security numbers collected by an agency must be relevant to the purpose for which collected and shall not be collected until and unless the need for social security numbers has been clearly documented. Additionally, social security numbers or other identifying information shall be confidential and not be a public record under this Chapter.
Federal Privacy Disclosure Notice Requirements
If you are an insurance institution or agent, you must provide a clear and conspicuous notice to all applicants and policyholders, in written or electronic form, of your policies and practices with respect to disclosing nonpublic personal information to affiliates and nonaffiliated third parties, consistent with section 502 of Public Law 106-102, including the categories of information that may be disclosed. You must also disclose your policies and practices with respect to disclosing nonpublic personal information of persons who have ceased to be customers of the financial institution, and protecting the nonpublic personal information of consumers. These disclosures shall be made in accordance with the regulations prescribed under section 504 of Public Law 106-102 [2.1].
Access to Recorded Personal Information
If any individual submits a written request to an insurance institution, agent, or insurance-support organization for access to recorded personal information about the individual that is reasonably described by the individual and reasonably locatable and retrievable by the insurance institution, agent, or insurance-support organization, the insurance institution, agent, or insurance-support organization shall provide access to the information within 30 business days from the date such request is received. The institution must inform the individual of the nature and substance of such recorded personal information in writing, by telephone, or by other oral communication, whichever the insurance institution, agent, or insurance-support organization prefers. The institution must also permit the individual to see and copy, in person, such recorded personal information pertaining to him or to obtain a copy of such recorded personal information by mail, whichever the individual prefers, unless such recorded personal information is in coded form, in which case an accurate translation in plain language shall be provided in writing. Additionally, the institution must disclose to the individual the identity, if recorded, of those persons to whom the insurance institution, agent, or insurance-support organization has disclosed such personal information within two years prior to such request, and if the identity is not recorded, the names of those insurance institutions, agents, insurance-support organizations or other persons to whom such information is normally disclosed. Finally, the institution must provide the individual with a summary of the procedures by which he may request correction, amendment, or deletion of recorded personal information [2.2].
Privacy Notice and Disclosure Requirement Exceptions
Under G.S. 58-39-25 and G.S. 58-39-26, an insurance institution or agent may provide a joint notice from the insurance institution or agent and one or more of its affiliates or other financial institutions, as defined in the notice, as long as the notice is accurate with respect to the insurance institution or agent and the other institutions. An insurance institution or agent may satisfy the notice requirements of G.S. 58-39-25 and G.S. 58-39-26 by providing a single notice if two or more applicants or policyholders jointly obtain or apply for an insurance product. An insurance institution or agent may satisfy the notice requirements of G.S. 58-39-25 and G.S. 58-39-26 through the use of separate or combined notices. An insurance institution or agent is not required to provide the notices required by G.S. 58-39-25 and G.S. 58-39-26 to any applicant or policyholder whose last known address, according to the insurance institution’s or agent’s records, is deemed invalid. The applicant’s or policyholder’s last known address shall be deemed invalid if mail sent to that address has been returned by the postal authorities as undeliverable and if subsequent reasonable attempts to obtain a current valid address for the applicant or policyholder have been unsuccessful. An insurance institution or agent is also not required to provide the notices required by G.S. 58-39-25 and G.S. 58-39-26 to any policyholder whose policy is lapsed, expired, or otherwise inactive or dormant under the insurance institution’s business practices, and the insurance institution has not communicated with the policyholder about the relationship for a period of 12 consecutive months, other than annual privacy notices, material required by law or regulation, or promotional materials [2.3].
In summary, you may store personal information about your customers in North Carolina, but you must ensure that you are authorized by law to collect social security numbers or other identifying information, and that the collection of such information is imperative for the performance of your duties and responsibilities as prescribed by law. Additionally, you must ensure that the social security numbers or other identifying information collected are relevant to the purpose for which they are collected, and that they are kept confidential and not disclosed to the public. If you are an insurance institution or agent, you must also provide a clear and conspicuous notice to all applicants and policyholders of your policies and practices with respect to disclosing nonpublic personal information to affiliates and nonaffiliated third parties, and disclose your policies and practices with respect to disclosing nonpublic personal information of persons who have ceased to be customers of the financial institution, and protecting the nonpublic personal information of consumers. Finally, you must comply with the access to recorded personal information requirements and privacy notice and disclosure requirement exceptions [2.1][2.2][2.3].
Source(s):
- [2.1] Federal privacy disclosure notice requirements.
- [2.2] Access to recorded personal information.
- [2.3] Privacy notice and disclosure requirement exceptions.
Jurisdiction
North Carolina