The N.C. Identity Theft Protection Act in the Age of Phishing

Phishing and ransomware attacks on businesses and enterprises remain on the rise. In this environment, businesses need to understand how the North Carolina Identity Theft Protection Act impacts the requirements and obligations of employers to protect their employees’ and clients’ personal information in electronic files. The ITPA (N.C.G.S.A. § 75-60, et seq.) requires businesses to take active steps in safeguarding this information and to maintain and destroy employee records in secure and effective ways.

Common Types of Phishing Scams and Ransomware Attacks and How They Impact Employees’ Personal Information

Cybercriminals have begun targeting human resources departments by infecting computers with ransomware through phishing scams. Some of the most popular methods of phishing include:

• Sending an email impersonating a legitimate person or company that includes a link to a website. Typically the website will appear to be legitimate, being structured similarly to the legitimate company’s login page. The user will then be asked to enter account information like username and password. Once entered, the scammer will have the user’s login information and will be able to use the information to access the real account;^[1]
• Sending an email with an attachment, typically masked as a resume from a job seeker or an important file from a client, that once downloaded spreads the ransomware throughout the business computer system. The ransomware then crashes the system and encrypts the files in the network, making them impossible to access. This infection is typically paired with a demand for payment to regain access to the files (usually in Bitcoins);^[2] and
• Targeting an Internet server so that a certain website will redirect the user to a malicious website where personal information and login credentials can be stolen.^[3]

Relation Between Ransomware/Phishing Scams and North Carolina Law

The ITPA requires that businesses treat human resources files, like personnel records, with particular care because they typically contain an employee’s social security number and other personal information. Such information could include the employee’s name matched with his or her driver’s license number, bank account and credit card numbers, digital signatures and passwords, biometric data and fingerprints, and familial information like a parent’s legal surname prior to marriage. The ITPA requires that businesses take reasonable measures to protect against unauthorized access to or use of this personal information.

Because phishing scams and ransomware infections give cybercriminals unauthorized access to personnel files, it is important for businesses to take active steps in improving cybersecurity and reducing the business’s exposure to phishing and ransomware risks to avoid violating the ITPA.

How to Protect Files from Phishing Scams and Ransomware Attacks

Employers should tale a variety of steps to protect themselves – and their employees – from both the effects of these types of scams and the potential legal repercussions under the ITPA. Examples of such steps include:   

• Train employees: Perhaps the most effective and efficient method employers can utilize to avoid ransomware infection is to ensure that employees understand phishing risks and have the ability to detect and avoid opening malicious links or downloads.^[4] Additionally, employees should be trained to always check if they are on a secured website before they enter login credentials or other sensitive information like transmission of social security numbers or other personal information;^[5] 
• Back up files: Businesses should ensure that confidential, sensitive or important files like employee personnel records are backed up on a network or device that is not connected to the business’s primary computer network in case those files become the subject of a ransomware attack;^[6] and
• Maintain cybersecurity software: It is important to have up-to-date antivirus and pop-up blocker software and to consistently check for and install software updates, including running regular testing of the security systems and electronic records.^[7] Additionally, many web browsers offer security measures including notifying the user when a website is not secure and having default pop-up blockers. IT professionals should ensure that any browser being used on the system has sufficient security features and those features are utilized by employees.

What to do if You Have Been Subjected to a Phishing or Ransomware Attack

The ITPA requires that businesses notify affected persons of a security breach following discovery of the breach. This notification must occur “without reasonable delay” and must include:

• A general description of the incident;
• A description of the type of personal information that was the subject of unauthorized access;
• A general description of acts the business is taking to protect the information from further unauthorized access;
• A telephone number employees may call for further information and assistance;
• Advice that directs the employee to remain vigilant by reviewing account statements and monitoring free credit reports; and
• The toll-free numbers and addresses for the major consumer reporting agencies, the Federal Trade Commission and the North Carolina Attorney General’s Office.

For more information regarding the ITPA or how to respond to issues arising from phishing or ransomware attacks, please contact a member of Robinson Bradshaw’s Employment and Labor Practice Group.

This article was prepared with the assistance of Devon Sherrell, a rising 2L at Emory University School of Law.

[1] See David Bisson, 6 Common Phishing Attacks and How to Protect Against Them, Tripwire: The State of Security (June 5, 2016), https://www.tripwire.com/state-of-security/security-awareness/6-common-phishing-attacks-and-how-to-protect-against-them/.

[2] See Hackers Are Preying on Human Resources Departments, Arctic Wolf (July 6, 2016), https://www.arcticwolf.com/blog/hackers-are-preying-on-human-resources-departments/.

[3] Bisson, supra note 1.

[4] Arctic Wolf, supra note 2.

[5] Bisson, supra note 1.

[6] Ransomware, Microsoft: Malware Protection Center, https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx (last visited May 19, 2017).

[7] Microsoft, supra note 6.