Social Security Number Privacy
Social Security Numbers (SSN) were created in 1936 for the sole purpose of recording individual worker’s contributions to the social security fund. The general public was very suspicious about having a national tracking system, and as a result, the very first regulation ever issued by the Social Security Board declared that the SSN was for the exclusive use of the Social Security system. Since then, SSN’s have been used and misused for many more purposes. The number of identity theft victims has increased at an annual rate of 35 to 40 percent (during each of the past five years). Over 40 million individuals have already been victims over the past five years. Estimates of the annual economic impact begin at $ 50 billion.
Federal Privacy Act of 1974
Congress passed the Privacy Act of 1974. This law makes it unlawful for a government agency to deny a right, benefit, or privilege merely because the individual refuses to disclose his or her SSN. The Act attempts to limit the use of the SSN to only those purposes where there is clear legal authority to collect the SSN. Any agency requesting an individual to disclose an SSN must inform that individual whether that disclosure is mandatory or voluntary, cite statutory authority for soliciting the SSN, and indicate what specific uses will be made of that SSN. It was hoped that citizens, fully informed of where the disclosure was not required by law and facing no loss of opportunity by failing to provide their SSN, would be unlikely to provide an SSN and institutions would not pursue the SSN as a form of identification.
State Laws
Many states have enacted legislative protections for the SSN:
Arizona: prohibits printing SSN’s on government/private sector identification cards. Requires technical protection requirements for online transmission of SSN’s.
California: public posting of an SSN and printing on an identity card or document used to obtain a product or service is prohibited. Businesses that use the SSN to identify customers, such as utility companies, will no longer be permitted to print the SSN on invoices or bills sent through the mail. Companies that maintain SSN’s must alert individuals when they experience a security breach.
Colorado: limits the collection of SSN’s and its use in licenses, permits, passes, or certificates issued by the state. Provides when documents containing SSN’s must be destroyed. Insurance companies must remove the SSN from consumers’ identification cards.
Georgia: businesses are required to safely dispose of records that contain SSN’s. This includes computer hard drives, and documents. $ 10,000 penalties for non-compliance.
Michigan’s Social Security Number Privacy Act
Michigan enacted the Social Security Number Privacy Act (Public Act 454 of 2004), which prohibits certain uses of all or more than four sequential digits of social security numbers. The Act covers Michigan employers and many of its provisions took effect March 1, 2005.
Pursuant to the Act, an employer may not “publicly display” all or more than four sequential digits of a social security number. The term “public display” means making the number visible to the public, including by open view on a computer monitor, network, or website. Correspondingly, an individual may not be required to transmit his/her social security number over the Internet or computer network unless through a secure or encrypted connection or, to gain access to a website or network, a password or authorization system exists.
Additionally, SSN’s may not generally be used as an account number or printed on any identification badge or card, membership card, permit, or license. Further, when mailing any document containing a social security number, the number must not be visible on or from outside the envelope or packaging. Finally, social security number information may not be included on any document mailed unless permitted by law, regulation, or court order; sent as part of an application or enrollment process initiated by the individual; sent to establish, confirm, or amend an account or contract policy; or sent by a public body under appropriate circumstances.
Use of a social security number is permissible if authorized or required by state or federal statute, rule, or regulation; by court order or rule; or pursuant to legal discovery. An employer may use a social security number in certain situations as a primary account number or include it in a mailed document in the ordinary course of business to:
- Verify an identity, identify an individual, or perform another similar administrative purpose related to an account, transaction, or employment;
- Investigate an individual’s claim, credit, criminal, or driving history;
- Detect, prevent, and deter identity theft;
- Enforce a person’s legal rights, including debt collection;
- Investigate, collect, or enforce a child or spousal support obligation or tax liability;
- Administer a health insurance, retirement benefit, or investment program.
Significantly, all employers who obtain social security numbers must have a privacy policy published in an employee handbook, which addresses all of the following:
- Ensures confidentiality of the social security numbers;
- Prohibits unlawful disclosure;
- Limits access to information or documents containing the numbers;
- Describes how to dispose of documents containing social security numbers;
- Establishes penalties for violating the privacy policy.
Violations of the Act are subject to criminal and civil penalties. A knowing violation is a misdemeanor punishable by up to 93 days imprisonment or a fine of not more than $1,000, or both. If the violation is committed knowingly, the individual can recover the greater of actual damages or $1,000, plus attorneys’ fees. Sixty days before bringing a civil action, however, an individual must make a written demand for damages, unless good cause is shown.
Conclusion
Identity theft has been a major issue for every employee and employer. Now, employers must ensure that they maintain legal compliance regarding SSN policy, too. All employee handbooks and collective bargaining agreements must contain the employer’s social security number privacy policies.