United States: State Statutes Restricting or Prohibiting the Use of Social Security Numbers November 2007

Currently, more than 25 states have adopted laws restricting or prohibiting the collection, use or disclosure of an individual’s Social Security number ("SSN"), and these laws generally apply to all commercial entities.1 In addition to the SSN disclosure laws discussed in this article, other state laws also may regulate the collection, use or disclosure of SSN data; for example, this article does not address state laws that regulate the collection, use or disclosure of SSN data by insurance entities, given the specialized nature of those laws.

In response to perceived abuses arising from the widespread use of SSNs as identifiers,2 California enacted legislation in 2001 that imposes significant restrictions on the use of SSNs by businesses and, in certain circumstances, state and local agencies.3 Like the California law, the SSN disclosure laws of a majority of the states generally apply to any person or entity doing business in the state.4 However, some state laws, such as those in Nebraska5 and Oklahoma,6 apply to employers who use employees’ SSNs. In addition, the laws of some states exempt certain entities from the SSN disclosure laws. For example, the Colorado law exempts entities covered by the federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA")7 and the Pennsylvania law exempts any financial institution covered by the Gramm-Leach-Bliley Act ("GLBA"), a "licensee" regulated under Pennsylvania law, a covered entity under HIPAA or any entity subject to the Fair Credit Reporting Act ("FCRA").8

Type of Information Covered

The state SSN disclosure laws typically do not define the term "Social Security number" and thus do not specifically address whether the law applies to the use of the entire SSN, or to truncated or redacted numbers. Some states laws, however, include specific language regarding truncated or redacted numbers, even though those laws do not define a "Social Security number." For example, the SSN disclosure laws of Hawaii9 and New Mexico10 specify that the prohibitions apply to the use of the "entire" SSN, while the Arizona,11 Michigan,12 Nebraska,13 New Jersey,14 North Carolina15 and Vermont16 laws specifically permit the use of truncated or redacted numbers. In this regard, the New York SSN disclosure law appears to be the most stringent. The New York law applies to a "Social Security Account Number" ("SSAN"), which is defined as "includ[ing] the number issued by the federal Social Security Administration and any number derived from such number. Such term shall not include any number that has been encrypted."17 Therefore, in order to reduce the risk of making disclosures barred by the New York law, an entity might employing an alternative identification number which replaces, but is not derived from, the individual’s SSN.

Prohibited Activities

The state SSN disclosure laws generally prohibit using SSNs in a manner that provides access to a SSN to view by the general public. For example, the California SSN disclosure law prohibits any person or entity from (1) publicly displaying an individual’s SSN; (2) printing an individual’s SSN on any card used to access products or services provided by the person; (3) encoding or embedding a SSN in or on a card or document; (4) requiring an individual to transmit his or her SSN via the Internet unless the connection is secure or the SSN is encrypted; (5) requiring an individual to use his or her SSN to access an Internet Web site unless an additional password or personal identification number ("PIN") is also required; or (6) printing an individual’s SSN on any materials mailed to him or her absent a federal or state law requirement that the SSN be included, except for applications or forms sent by mail as part of an application or enrollment process.18 Several other state laws contain similar prohibitions.19

Even when an entity is permitted to mail an individual’s SSN, the SSN should not be printed, in whole or in part, on a postcard or other mailer not using an envelope, and should not be visible on the envelope or without the envelope having been opened.20 Unlike the California SSN disclosure law, which does not specifically reference the transmission of SSNs via electronic mail or facsimile, the Maryland law21 specifically prohibits the inclusion of an individual’s SSN on any material that is electronically transmitted or transmitted by facsimile to the individual. In addition, some state laws, such as those in Minnesota,22 North Carolina,23 and Vermont,24 specifically prohibit a person or entity from selling an individual’s SSN to a third party. The Michigan25 and Minnesota26 SSN disclosure laws also prohibit the use of SSN as account number.

Exceptions

A majority of the state SSN disclosure laws include some exceptions for the use of SSN. For example, the California law provides an exception for documents that are required to be open to the public pursuant to other specified provisions of California law or records that are required by statute, case law, or California Rule of Court, to be made available to the public by certain entities under the California constitution.27 Moreover, the California SSN disclosure law does not prevent the collection, use or release of SSNs as required by state or federal law or the use of SSNs for internal verification or administrative purposes.28

Under the Michigan law, an entity may use more than four sequential digits of the SSN as the primary account number or include the SSN on any information mailed to a person if the use is for an administrative purpose in the ordinary course of business to:

  1. Verify an individual’s identity, identify an individual, or accomplish a similar administrative purpose related to a current or proposed account, transaction, product, service, or employment;
  2. Investigate an individual’s claim, credit, criminal, or driving history;
  3. Detect, prevent, or deter identity theft or other crime;
  4. Lawfully pursue or enforce a person’s legal rights;
  5. Lawfully investigate, collect, or enforce a child or spousal support obligation or tax liability; or
  6. Provide or administer employee or health insurance or membership benefits, claims, or retirement programs or to administer the ownership of shares of stock or other investments.29

Moreover, a use of all or more than four sequential digits of a SSN as primary account number is permitted by the Michigan law if the use began before the effective date of the act and the use is ongoing, continuous, and in the ordinary course of business; but if the use is stopped for any reason, this exemption no longer applies.30

Under the New York law, the prohibitions do not prevent the collection, use, or release of a SSAN as required by state or federal law or the use of the number for internal verification, fraud investigation, or administrative purposes, or for any business function specifically authorized by certain provisions of the GLBA.31 Other states include a more expanded list of exceptions to the prohibitions against the use of SSN. For example, the Hawaii, North Carolina, and Vermont SSN disclosure laws permit: use of a SSN in an application or in documents related to an enrollment process, or to establish, amend, or terminate an account, or to confirm the accuracy of the SSN for the purpose of obtaining a credit report pursuant to the FCRA (a SSN that is permitted to be mailed under this exception may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.);32 the collection, use, or release of a SSN for internal verification or administrative purposes; the opening of an account or the provision of or payment for a product or service authorized by an individual; the collection, use, or release of a SSN related to prevention and investigation of fraud, background checks, social or scientific research, collection of debt, obtaining a credit report from or furnishing data to a consumer reporting agency pursuant to the FCRA, or other permissible purpose enumerated under GLBA, or locating an individual who is missing; business activities pursuant to a court order, warrant, subpoena, or when otherwise required by law; a business providing the SSN to a federal, state, or local government entity, including a law enforcement agency, court, or their agents or assigns; a SSN that has been redacted.33 However, the North Carolina statute requires a business covered by these provisions to make reasonable efforts to cooperate, through systems testing and other means, to ensure that the requirements are implemented.34

Additional Requirements

In addition to the various prohibitions on the use of SSNs and exceptions to the prohibitions, a number of state laws include additional requirements. For example, the Michigan law requires a person who obtains one or more SSNs in the ordinary course of business to create a privacy policy that must, at a minimum, (1) ensure, to the extent practicable, the confidentiality of the SSN; (2) prohibit unlawful disclosure of SSN; (3) limit access to information that contains SSN; (4) describe the proper disposal of documents containing SSN; and (5) establish penalties for the violation of the privacy policy.35 The privacy policy must be published in an employee handbook, procedures manual, or other similar document.36 The Texas law also obligates an entity that requires an individual to disclose his or her SSN to adopt a privacy policy and make the privacy policy available to the individual.37 Similarly, the New York statute requires any person who is in possession of the SSN of any individual, to the extent that such SSN is maintained for the conduct of business or trade, to take reasonable measures to ensure that no officer or employee has access to the SSN for any purpose other than for a legitimate or necessary purpose related to the conduct of such business or trade and to provide safeguards necessary or appropriate to preclude unauthorized access to the SSN and to protect the confidentiality of the SSN.38 However, the New York law provides a defense to an alleged violation. Specifically, the New York SSN disclosure law provides that no person shall be deemed to have violated the provisions of the law if the person can show, by a preponderance of the evidence, that the violation was not intentional and resulted from a bona fide error made notwithstanding the maintenance of procedures reasonably adopted to avoid such error.39

Conclusion

To comply with the requirements of such state SSN disclosure laws, covered entities may need to consider modifying aspects of their operations. For example, changes may include (1) creation of alternate identification numbers for individuals; (2) reprogramming of computer systems to replace references to SSNs with alternative identifiers; (3) removal of SSNs from identification cards; or (4) removal of SSNs from correspondence, claims forms and statements. In addition, covered entities may wish to evaluate their use of SSNs to ensure that the are consistent with the requirements imposed by the various state SSN disclosure laws. The Office of Privacy Protection within the California Department of Consumer Affairs ("Office of Privacy Protection") has published recommended practices for complying with the law.40 In particular, the Office of Privacy Protection recommends that entities reduce their efforts to collect SSNs; provide information to individuals when SSNs are collected explaining the purpose, the intended use, whether the SSN must be provided, and the consequences of failing to provide the SSN; eliminate the public display of SSNs; to control access to SSNs; to protect SSNs with appropriate security measures; and implement accountability procedures to monitor the handling of SSNs.41

Footnotes

1. States that have enacted legislation regulating the use of SSN include Arizona, Arkansas, California, Colorado, Connecticut, Georgia, Hawaii, Illinois, Kansas, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Nebraska, New Jersey, New Mexico, New York, North Carolina, Oklahoma, Oregon, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, and Virginia. Although most of these state statutes generally apply to persons doing business in the state, some state laws, such as the Oklahoma and Nebraska law, apply specifically in the employment context. These state statutes have varying effective dates.

2. See e.g., Assembly Comm. on Judiciary: Personal Information: Confidentiality: Identity Theft, 2001 Leg. (Cal. 2001), available at http://info.sen.ca.gov/pub/01-02/bill/sen/sb_0151-0200/sb_168_cfa_20010709_104555_asm_comm.html.

3. Cal. Civ. Code §§ 1798.85–1978.86 (LEXIS through 2007 ch. 170, Jul. 30, 2007).

4. See, e.g., N.Y. Gen. Bus. Law § 399-dd(2) (LEXIS through ch. 295, July 18, 2007); N.C. Gen. Stat. § 75-62(a) (LEXIS through 2006 Reg. Sess.); Tex. Bus. & Com. Code Ann. § 35.58(a) (LEXIS through 2007 Ch. 253, approved May 25, 2007).

5. LB 674, 1st Sess. of the 100th Legis. (Neb. 2007).

6. Okla. Stat. tit. 40, § 173.1(A)(1) (LEXIS through ch. 130, Approved May 15, 2007).

7. Colo. Rev. Stat. § 6-1-715(4)(b) (LEXIS through 2006 Supp.).

8. 74 Pa. Stat. Ann. § 204 (LEXIS through

9. Haw. Rev. Stat. Ann. § 487J-2(a) (LEXIS through 126 Act of 2007 Reg. Sess.).

10. N.M. Stat. Ann. § 57-12B-4(A) (LEXIS through First Special Sess. of the Forty-Eighth Legis.).

11. Ariz. Rev. Stat. § 1373.02 (LEXIS through 2006 Reg. Sess.).

12. Mich. Comp. Laws § 445.83 (LEXIS through P.A. 46, July 17, 2007).

13. LB 674, 1st Sess. of the 100th Legis. (Neb. 2007).

14. N.J. Rev. Stat. § 56:8-164(a)(1) (LEXIS through

15. N.C. Gen. Stat. § 75-62(b)(7) (LEXIS through 2006 Reg. Sess.).

16. Vt. Stat. Ann. tit. 9, § 2440(c)(7) (LEXIS through 2005 Adjourned Sess. (2006)).

17. N.Y. Gen. Bus. Law § 399-dd(1) (LEXIS through ch. 295, July 18, 2007) (emphasis added).

18. Cal. Civ. Code §§ 1798.85(a)(1)–1798.85(a)(5), 1798.85(f) (LEXIS through 2007 ch. 170, Jul. 30, 2007).

19. See, e.g., 815 Ill. Comp. Stat. § 505/2QQ(a) (LEXIS through Pub. Act. 95-0031); N.J. Stat. Ann. § 56:8-164(a) LEXIS through N.J. 212th Legis); Tex. Bus. & Com. Code § 35.58(a) (LEXIS through 2007 ch. 253, approved May 25, 2007).

20. See, e.g., Cal. Civ. Code § 1798.85(a)(5) (LEXIS through 2007 ch. 170, Jul. 30, 2007); Colo Rev. Stat. § 6-1-715(1)(e) (LEXIS through 2006 Supp. (2006 Sess.)); 815 Ill. Comp. Stat. § 505/2QQ(a)(5) (LEXIS through Pub. Act. 95-0031).

21. Md. Code Ann. Com. Law § 3402(a)(6) (LEXIS through 2006 Reg. and Special Sess.).

22. Minn. Stat. § 325E.59(a)(7) (LEXIS through 2006 Legis. Sess.).

23. N.C. Gen. Stat. § 75-62(a)(6) (LEXIS through 2006 Reg. Sess.).

24. Vt. Stat. Ann. tit. 9, § 2440(a)(6) (LEXIS through 2005 Adjourned Sess. (2006)).

25. Mich. Comp. Laws § 445.83(1)(b) (LEXIS through P.A. 46, July 17, 2007).

26. Minn. Stat. § 325E.59(a)(6) (LEXIS through 2006 Legis. Sess.).

27. Cal. Civ. Code § 1798.85(c) (LEXIS through 2007 ch. 170, Jul. 30, 2007)

28. Cal. Civ. Code § 1798.85(b) (LEXIS through 2007 ch. 170, Jul. 30, 2007).

29. Mich. Comp. Laws § 445.83(3)(a) (LEXIS through P.A. 46, July 17, 2007).

30. Mich. Comp. Laws § 445.83(3)(b) (LEXIS through P.A. 46, July 17, 2007).

31. N.Y. Gen. Bus. Law § 399-dd(3) (LEXIS through ch. 295, July 18, 2007).

32. N.C. Gen. Stat. § 75-62(b) (LEXIS through 2006 Reg. Sess.); Haw, Rev. Stat. Ann. § 487J-2(b)(1) (LEXIS through 126 Act of 2007 Reg. Sess.); Vt. Stat. Ann. tit. 9, § 2440(c)(1) (LEXIS through 2005 Adjourned Sess. (2006)).

33. N.C. Gen. Stat. § 75-62(b) (LEXIS through 2006 Reg. Sess.); Haw Rev. Stat. Ann. § 487J-2(b)(2)-(10) (LEXIS through 126 Act of 2007 Reg. Sess.); Vt. Stat. Ann. tit 9, § 2440(c)(2)-(7) (LEXIS through 2005 Adjourned Sess. (2006)).

34. N.C. Gen. Stat. § 75-62(c) (LEXIS through 2006 Reg. Sess.).

35. The privacy policy requirements do not apply to persons that obtain an individual’s SSN in the ordinary course of business and in compliance with the FCRA or subtitle A of Title V of the GLBA. Mich. Comp. Laws § 445.84(3) (LEXIS through P.A. 46, July 17, 2007).

36. Mich. Comp. Laws § 445.84 (LEXIS through P.A. 46, July 17, 2007).

37. Tex. Bus. & Com. Code Ann. § 35.581(a) (LEXIS through 2007 Ch. 253, approved May 25, 2007).

38. N.Y. Gen. Bus. Law § 399-dd(4) (LEXIS through ch. 295, July 18, 2007).

39. N.Y. Gen. Bus. Law § 399-dd(6) (LEXIS through ch. 295, July 18, 2007).

40. Recommended Practices for Protecting the Confidentiality of Social Security Numbers, Office of Privacy Protection, California Dept. of Consumer Affairs (2007), available at http://www.privacy.ca.gov/recommendations/recomend.htm.

41. Id.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

Disclaimer

Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

Registration

Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.