State Based Social Security Number Prohibitions and Your Company

Privacy rights are an important issue to incoming Democratic leaders who are expected to propose a number of new consumer protections. One area poised to receive a lot of attention will be how companies use and disclose Social Security numbers. Social Security numbers are frequently used by businesses in their communications with customers and employees, to administer benefits, and provide services.[1] However, the Social Security number is a valuable commodity among identity thieves, allowing the thief to masquerade as someone stealing valuable goods and services. Over the last four years (in the absence of any forward momentum under a Republican controlled Congress) a number of States have passed laws placing severe restrictions on the use of Social Security numbers, often imposing specific security safeguards that must be implemented based on a company's risk analysis and use of Social Security numbers. Given a new privacy rights focused Congress, it is especially important that your Organization review how you use and protect Social Security numbers.

Last fall, New York quietly enacted the "Consumer Communication Records Privacy Act".[2] Unlike, many other States[3] whose laws are already enforce, New York's law takes effect on January 1, 2008. The Consumer Communication Privacy Act (largely tracks other similar legislation either pending or enacted in other States):

  • Expressly limits the use and dissemination of social security numbers;
  • Prohibits the intentional communication or to otherwise make available to the general public an individual's social security number;
  • The printing of an individual's social security number on mailings or on any card or tag required to access products, services, or benefits;
  • Prohibits the transmission requiring unencrypted social security numbers; over the Internet unless the connection is secure or the social security number is encrypted; Prohibits requiring an individual to use his or her social security number to access an Internet web site, unless a password or unique personal identification number or other authentication device is also used; and
  • Prohibits printing an individual's social security number on any materials that are mailed to the individual, unless state or federal law requires the social security number to be on the document to be mailed.

Another state, California has enacted a law similar to the New York law, which took effect in July 2006.[4] However, unlike New York, under a companion statute, California requires that companies that own or license unencrypted personal information about California residents (including Social Security numbers) to implement and maintain reasonable security procedures and practices for that data.[5] There are no specific implementation requirements (as are found within the HIPAA Security regulations); however, organizations are required to establish standards that are appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification or disclosure.[6]

Significantly, at least thirty-five other states have either passed or are considering legislation that will limit the use of Social Security numbers and may impose a duty of reasonable care.[7]

It is recommended that you review your organization's use of Social Security numbers. When are Social Security numbers transmitted over the Internet, used for authentication purposes, or required for the administration of services, benefits, and/or products to your employees or customers? For companies that must comply with these laws, the simplest compliance path, may be to avoid collecting and/or using Social Security numbers.

If Social Security numbers must be collected and/or used, your organization should consider using an encryption safeguard for both transmission and storage of this information. In addition, an organization should (1) identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of this information; (2) design and implement information safeguards to control the risks to individuals information and regularly test and monitor them; (3) investigate, evaluate, and adjust the information security program in light of known or identified risks; (4) develop, implement, and maintain a comprehensive written information security program; and (5) oversee service providers and require them by contract to implement safeguards to protect respondent's customer information.
______________________________

[1] Social Security Numbers, Private Sector Entities Rountinely Obtain and Use SSNs, and Laws Limit the Disclosure of This Information, GAO-04-11, January 2004 (available at http://www.epic.org/privacy/ssn/gao-04-11.pdf).

[2] McKinney's General Business Law § 399-dd.

[3] For example, New Jersey passed a similar law to New York's law which has already taken effect (January 1, 2006).

[4] Cal. Civ. Code § 1798.85.

[5] Cal Civ. Code § 1798.81.5(b).

[6] The California Department of Consumer Affairs has released security guidelines. This resource provides a useful introduction to some of the key issues around the concept of establishing reasonable care(http://www.privacyprotection.ca.gov/recommendations/secbreach.pdf).

[7] States include Alabama, Alaska, Arizona, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Nebraska, New Hampshire, North Carolina, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Carolina, Tennessee, Vermont, Virginia,West Virginia, and Wisconsin(http://www.ncsl.org/programs/lis/privacy/SSN2006_Pending.htm) (visited January 6, 2007) (This site was current as of July 2006).