Under "An Act Concerning the Confidentiality of Social Security Numbers" (Public Act No. 08-167), which goes into effect October 1, 2008, Connecticut employers will be required to comply with specific guidelines to protect personal information and Social Security numbers in their possession. The Act, which is not expressly limited to employers or businesses located in Connecticut or the personal information of Connecticut residents or employees, provides that "any person" in possession of personal information of "another person" is required to safeguard such information from misuse by a third party and "shall destroy, erase or make unreadable such data, computer files and documents prior to disposal."

"Personal information" is defined in the Act as "information capable of being associated with a particular individual through one or more identifiers, including, but not limited to a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number, or health insurance identification number . . . ." (Emphasis added.) Notably, any information that is lawfully made available to the general public from federal, state or local government records or widely distributed media is excluded from the definition of "personal information."

In addition, employers who collect Social Security numbers will be required under the Act to create a "privacy protection policy" which must be published or publicly displayed. Such a policy must: (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers and (3) limit access to Social Security numbers. According to the Act, an employer can accomplish compliance with the public display requirement by posting the policy on an Internet web page.

While the Act does not provide a private right of action for any person aggrieved under the statute, anyone who intentionally violates the statute is subject to a $500 civil penalty for each violation, not to exceed $500,000 for any "single event." However, the term "single event" is not defined in the Act.

In preparation for compliance with the Act, employers should update or create privacy policies and procedures that comply with the terms of the Act. Specifically, employers can prepare for compliance by coordinating with their Information Technology departments to ensure that they are equipped to comply with the Act's requirements to safeguard and destroy, erase or encrypt files and documents containing personal information prior to disposal.

Lastly, employers should note that the Act's requirements are in addition to the requirements set forth in Connecticut General Statutes Section 42-470, which already prohibits employers from publicly posting or displaying an individual's Social Security number and limits the manner in which an employer can require an employee to transmit or use their Social Security number over the Internet.

* * *

If you have any questions or comments, please feel free to contact Peter M. Stein in the Firm's Stamford, Connecticut, office at (203) 326-7420 or pstein@ebglaw.com. Jaclyn Leung, an Associate in the Labor and Employment practice in the Stamford office, assisted in the preparation of this Alert.

Resources

22017_Stamford

Jump to Page

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.