Connecticut Legislature Enacts Public Act Concerning The Protection Of Personal Information And Social Security Numbers

Under "An Act Concerning the Confidentiality of Social Security Numbers" (Public Act No. 08-167), which goes into effect October 1, 2008, Connecticut employers will be required to comply with specific guidelines to protect personal information and Social Security numbers in their possession. The Act, which is not expressly limited to employers or businesses located in Connecticut or the personal information of Connecticut residents or employees, provides that "any person" in possession of personal information of "another person" is required to safeguard such information from misuse by a third party and "shall destroy, erase or make unreadable such data, computer files and documents prior to disposal."

"Personal information" is defined in the Act as "information capable of being associated with a particular individual through one or more identifiers, including, but not limited to a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number, or health insurance identification number . . . ." (Emphasis added.) Notably, any information that is lawfully made available to the general public from federal, state or local government records or widely distributed media is excluded from the definition of "personal information."

In addition, employers who collect Social Security numbers will be required under the Act to create a "privacy protection policy" which must be published or publicly displayed. Such a policy must: (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers and (3) limit access to Social Security numbers. According to the Act, an employer can accomplish compliance with the public display requirement by posting the policy on an Internet web page.

While the Act does not provide a private right of action for any person aggrieved under the statute, anyone who intentionally violates the statute is subject to a $500 civil penalty for each violation, not to exceed $500,000 for any "single event." However, the term "single event" is not defined in the Act.

In preparation for compliance with the Act, employers should update or create privacy policies and procedures that comply with the terms of the Act. Specifically, employers can prepare for compliance by coordinating with their Information Technology departments to ensure that they are equipped to comply with the Act's requirements to safeguard and destroy, erase or encrypt files and documents containing personal information prior to disposal.

Lastly, employers should note that the Act's requirements are in addition to the requirements set forth in Connecticut General Statutes Section 42-470, which already prohibits employers from publicly posting or displaying an individual's Social Security number and limits the manner in which an employer can require an employee to transmit or use their Social Security number over the Internet.

* * *

If you have any questions or comments, please feel free to contact Peter M. Stein in the Firm's Stamford, Connecticut, office at (203) 326-7420 or [email protected]. Jaclyn Leung, an Associate in the Labor and Employment practice in the Stamford office, assisted in the preparation of this Alert.

Resources