United States: State Statutes Restricting or Prohibiting the Use of Social Security Numbers

November 2007

Currently, more than 25 states have adopted laws restricting or prohibiting the collection, use or disclosure of an individual’s Social Security number ("SSN"), and these laws generally apply to all commercial entities.1 In addition to the SSN disclosure laws discussed in this article, other state laws also may regulate the collection, use or disclosure of SSN data; for example, this article does not address state laws that regulate the collection, use or disclosure of SSN data by insurance entities, given the specialized nature of those laws.

In response to perceived abuses arising from the widespread use of SSNs as identifiers,2 California enacted legislation in 2001 that imposes significant restrictions on the use of SSNs by businesses and, in certain circumstances, state and local agencies.3 Like the California law, the SSN disclosure laws of a majority of the states generally apply to any person or entity doing business in the state.4 However, some state laws, such as those in Nebraska5 and Oklahoma,6 apply to employers who use employees’ SSNs. In addition, the laws of some states exempt certain entities from the SSN disclosure laws. For example, the Colorado law exempts entities covered by the federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA")7 and the Pennsylvania law exempts any financial institution covered by the Gramm-Leach-Bliley Act ("GLBA"), a "licensee" regulated under Pennsylvania law, a covered entity under HIPAA or any entity subject to the Fair Credit Reporting Act ("FCRA").8

Type of Information Covered

The state SSN disclosure laws typically do not define the term "Social Security number" and thus do not specifically address whether the law applies to the use of the entire SSN, or to truncated or redacted numbers. Some state laws, however, include specific language regarding truncated or redacted numbers, even though those laws do not define a "Social Security number." For example, the SSN disclosure laws of Hawaii9 and New Mexico10 specify that the prohibitions apply to the use of the "entire" SSN, while the Arizona,11 Michigan,12 Nebraska,13 New Jersey,14 North Carolina15 and Vermont16 laws specifically permit the use of truncated or redacted numbers. In this regard, the New York SSN disclosure law appears to be the most stringent. The New York law applies to a "Social Security Account Number" ("SSAN"), which is defined as "includ[ing] the number issued by the federal Social Security Administration and any number derived from such number. Such term shall not include any number that has been encrypted."17 Therefore, in order to reduce the risk of making disclosures barred by the New York law, an entity might employ an alternative identification number which replaces, but is not derived from, the individual’s SSN.

Prohibited Activities

The state SSN disclosure laws generally prohibit using SSNs in a manner that makes a SSN available for viewing by the general public. For example, the California SSN disclosure law prohibits any person or entity from (1) publicly displaying an individual’s SSN; (2) printing an individual’s SSN on any card used to access products or services provided by the person; (3) encoding or embedding a SSN in or on a card or document; (4) requiring an individual to transmit his or her SSN via the Internet unless the connection is secure or the SSN is encrypted; (5) requiring an individual to use his or her SSN to access an Internet Web site unless an additional password or personal identification number ("PIN") is also required; or (6) printing an individual’s SSN on any materials mailed to him or her absent a federal or state law requirement that the SSN be included, except for applications or forms sent by mail as part of an application or enrollment process.18 Several other state laws contain similar prohibitions.19

Even when an entity is permitted to mail an individual’s SSN, the SSN should not be printed, in whole or in part, on a postcard or other mailer not using an envelope, and should not be visible on the envelope or without the envelope having been opened.20 Unlike the California SSN disclosure law, which does not specifically reference the transmission of SSNs via electronic mail or facsimile, the Maryland law21 specifically prohibits the inclusion of an individual’s SSN on any material that is electronically transmitted or transmitted by facsimile to the individual. In addition, some state laws, such as those in Minnesota,22 North Carolina,23 and Vermont,24 specifically prohibit a person or entity from selling an individual’s SSN to a third party. The Michigan25 and Minnesota26 SSN disclosure laws also prohibit the use of a SSN as an account number.

Exceptions

A majority of the state SSN disclosure laws include some exceptions for the use of SSNs. For example, the California law provides an exception for documents that are required to be open to the public pursuant to other specified provisions of California law or records that are required by statute, case law, or California Rule of Court, to be made available to the public by certain entities under the California constitution.27 Moreover, the California SSN disclosure law does not prevent the collection, use or release of SSNs as required by state or federal law or the use of SSNs for internal verification or administrative purposes.28

Under the Michigan law, an entity may use more than four sequential digits of the SSN as the primary account number or include the SSN on any information mailed to a person if the use is for an administrative purpose in the ordinary course of business to:

  1. Verify an individual’s identity, identify an individual, or accomplish a similar administrative purpose related to a current or proposed account, transaction, product, service, or employment;
  2. Investigate an individual’s claim, credit, criminal, or driving history;
  3. Detect, prevent, or deter identity theft or other crime;
  4. Lawfully pursue or enforce a person’s legal rights;
  5. Lawfully investigate, collect, or enforce a child or spousal support obligation or tax liability; or
  6. Provide or administer employee or health insurance or membership benefits, claims, or retirement programs or to administer the ownership of shares of stock or other investments.29

Moreover, a use of all or more than four sequential digits of a SSN as a primary account number is permitted by the Michigan law if the use began before the effective date of the act and the use is ongoing, continuous, and in the ordinary course of business; but if the use is stopped for any reason, this exemption no longer applies.30

Under the New York law, the prohibitions do not prevent the collection, use, or release of a SSAN as required by state or federal law or the use of the number for internal verification, fraud investigation, or administrative purposes, or for any business function specifically authorized by certain provisions of the GLBA.31 Other states include a more expanded list of exceptions to the prohibitions against the use of SSNs. For example, the Hawaii, North Carolina, and Vermont SSN disclosure laws permit: use of a SSN in an application or in documents related to an enrollment process, or to establish, amend, or terminate an account, or to confirm the accuracy of the SSN for the purpose of obtaining a credit report pursuant to the FCRA (a SSN that is permitted to be mailed under this exception may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened);32 the collection, use, or release of a SSN for internal verification or administrative purposes; the opening of an account or the provision of or payment for a product or service authorized by an individual; the collection, use, or release of a SSN related to prevention and investigation of fraud, background checks, social or scientific research, collection of debt, obtaining a credit report from or furnishing data to a consumer reporting agency pursuant to the FCRA, or other permissible purpose enumerated under GLBA, or locating an individual who is missing; business activities pursuant to a court order, warrant, subpoena, or when otherwise required by law; a business providing the SSN to a federal, state, or local government entity, including a law enforcement agency, court, or their agents or assigns; and a SSN that has been redacted.33 However, the North Carolina statute requires a business covered by these provisions to make reasonable efforts to cooperate, through systems testing and other means, to ensure that the requirements are implemented.34

Additional Requirements

In addition to the various prohibitions on the use of SSNs and exceptions to the prohibitions, a number of state laws include additional requirements. For example, the Michigan law requires a person who obtains one or more SSNs in the ordinary course of business to create a privacy policy that must, at a minimum, (1) ensure, to the extent practicable, the confidentiality of the SSN; (2) prohibit unlawful disclosure of SSN; (3) limit access to information that contains SSN; (4) describe the proper disposal of documents containing SSN; and (5) establish penalties for the violation of the privacy policy.35 The privacy policy must be published in an employee handbook, procedures manual, or other similar document.36 The Texas law also obligates an entity that requires an individual to disclose his or her SSN to adopt a privacy policy and make the privacy policy available to the individual.37 Similarly, the New York statute requires any person who is in possession of the SSN of any individual, to the extent that such SSN is maintained for the conduct of business or trade, to take reasonable measures to ensure that no officer or employee has access to the SSN for any purpose other than for a legitimate or necessary purpose related to the conduct of such business or trade and to provide safeguards necessary or appropriate to preclude unauthorized access to the SSN and to protect the confidentiality of the SSN.38 However, the New York law provides a defense to an alleged violation. Specifically, the New York SSN disclosure law provides that no person shall be deemed to have violated the provisions of the law if the person can show, by a preponderance of the evidence, that the violation was not intentional and resulted from a bona fide error made notwithstanding the maintenance of procedures reasonably adopted to avoid such error.39

Conclusion

To comply with the requirements of such state SSN disclosure laws, covered entities may need to consider modifying aspects of their operations. For example, changes may include (1) creation of alternate identification numbers for individuals; (2) reprogramming of computer systems to replace references to SSNs with alternative identifiers; (3) removal of SSNs from identification cards; or (4) removal of SSNs from correspondence, claims forms and statements. In addition, covered entities may wish to evaluate their use of SSNs to ensure that they are consistent with the requirements imposed by the various state SSN disclosure laws. The Office of Privacy Protection within the California Department of Consumer Affairs ("Office of Privacy Protection") has published recommended practices for complying with the law.40 In particular, the Office of Privacy Protection recommends that entities reduce their efforts to collect SSNs; provide information to individuals when SSNs are collected explaining the purpose, the intended use, whether the SSN must be provided, and the consequences of failing to provide the SSN; eliminate the public display of SSNs; control access to SSNs; protect SSNs with appropriate security measures; and implement accountability procedures to monitor the handling of SSNs.41

Footnotes

1. States that have enacted legislation regulating the use of SSN include Arizona, Arkansas, California, Colorado, Connecticut, Georgia, Hawaii, Illinois, Kansas, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Nebraska, New Jersey, New Mexico, New York, North Carolina, Oklahoma, Oregon, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, and Virginia. Although most of these state statutes generally apply to persons doing business in the state, some state laws, such as the Oklahoma and Nebraska law, apply specifically in the employment context. These state statutes have varying effective dates.

2. See e.g., Assembly Comm. on Judiciary: Personal Information: Confidentiality: Identity Theft, 2001 Leg. (Cal. 2001), available at http://info.sen.ca.gov/pub/01-02/bill/sen/sb_0151-0200/sb_168_cfa_20010709_104555_asm_comm.html.

3. Cal. Civ. Code §§ 1798.85–1978.86 (LEXIS through 2007 ch. 170, Jul. 30, 2007).

4. See, e.g., N.Y. Gen. Bus. Law § 399-dd(2) (LEXIS through ch. 295, July 18, 2007); N.C. Gen. Stat. § 75-62(a) (LEXIS through 2006 Reg. Sess.); Tex. Bus. & Com. Code Ann. § 35.58(a) (LEXIS through 2007 Ch. 253, approved May 25, 2007).

5. LB 674, 1st Sess. of the 100th Legis. (Neb. 2007).

6. Okla. Stat. tit. 40, § 173.1(A)(1) (LEXIS through ch. 130, Approved May 15, 2007).

7. Colo. Rev. Stat. § 6-1-715(4)(b) (LEXIS through 2006 Supp.).

8. 74 Pa. Stat. Ann. § 204 (LEXIS through

9. Haw. Rev. Stat. Ann. § 487J-2(a) (LEXIS through 126 Act of 2007 Reg. Sess.).

10. N.M. Stat. Ann. § 57-12B-4(A) (LEXIS through First Special Sess. of the Forty-Eighth Legis.).

11. Ariz. Rev. Stat. § 1373.02 (LEXIS through 2006 Reg. Sess.).

12. Mich. Comp. Laws § 445.83 (LEXIS through P.A. 46, July 17, 2007).

13. LB 674, 1st Sess. of the 100th Legis. (Neb. 2007).

14. N.J. Rev. Stat. § 56:8-164(a)(1) (LEXIS through

15. N.C. Gen. Stat. § 75-62(b)(7) (LEXIS through 2006 Reg. Sess.).

16. Vt. Stat. Ann. tit. 9, § 2440(c)(7) (LEXIS through 2005 Adjourned Sess. (2006)).

17. N.Y. Gen. Bus. Law § 399-dd(1) (LEXIS through ch. 295, July 18, 2007) (emphasis added).

18. Cal. Civ. Code §§ 1798.85(a)(1)–1798.85(a)(5), 1798.85(f) (LEXIS through 2007 ch. 170, Jul. 30, 2007).

19. See, e.g., 815 Ill. Comp. Stat. § 505/2QQ(a) (LEXIS through Pub. Act. 95-0031); N.J. Stat. Ann. § 56:8-164(a) (LEXIS through N.J. 212th Legis.); Tex. Bus. & Com. Code § 35.58(a) (LEXIS through 2007 ch. 253, approved May 25, 2007).

20. See, e.g., Cal. Civ. Code § 1798.85(a)(5) (LEXIS through 2007 ch. 170, Jul. 30, 2007); Colo. Rev. Stat. § 6-1-715(1)(e) (LEXIS through 2006 Supp. (2006 Sess.)); 815 Ill. Comp. Stat. § 505/2QQ(a)(5) (LEXIS through Pub. Act. 95-0031).

21. Md. Code Ann. Com. Law § 3402(a)(6) (LEXIS through 2006 Reg. and Special Sess.).

22. Minn. Stat. § 325E.59(a)(7) (LEXIS through 2006 Legis. Sess.).

23. N.C. Gen. Stat. § 75-62(a)(6) (LEXIS through 2006 Reg. Sess.).

24. Vt. Stat. Ann. tit. 9, § 2440(a)(6) (LEXIS through 2005 Adjourned Sess. (2006)).

25. Mich. Comp. Laws § 445.83(1)(b) (LEXIS through P.A. 46, July 17, 2007).

26. Minn. Stat. § 325E.59(a)(6) (LEXIS through 2006 Legis. Sess.).

27. Cal. Civ. Code § 1798.85(c) (LEXIS through 2007 ch. 170, Jul. 30, 2007).

28. Cal. Civ. Code § 1798.85(b) (LEXIS through 2007 ch. 170, Jul. 30, 2007).

29. Mich. Comp. Laws § 445.83(3)(a) (LEXIS through P.A. 46, July 17, 2007).

30. Mich. Comp. Laws § 445.83(3)(b) (LEXIS through P.A. 46, July 17, 2007).

31. N.Y. Gen. Bus. Law § 399-dd(3) (LEXIS through ch. 295, July 18, 2007).

32. N.C. Gen. Stat. § 75-62(b) (LEXIS through 2006 Reg. Sess.); Haw. Rev. Stat. Ann. § 487J-2(b)(1) (LEXIS through 126 Act of 2007 Reg. Sess.); Vt. Stat. Ann. tit. 9, § 2440(c)(1) (LEXIS through 2005 Adjourned Sess. (2006)).

33. N.C. Gen. Stat. § 75-62(b) (LEXIS through 2006 Reg. Sess.); Haw. Rev. Stat. Ann. § 487J-2(b)(2)-(10) (LEXIS through 126 Act of 2007 Reg. Sess.); Vt. Stat. Ann. tit. 9, § 2440(c)(2)-(7) (LEXIS through 2005 Adjourned Sess. (2006)).

34. N.C. Gen. Stat. § 75-62(c) (LEXIS through 2006 Reg. Sess.).

35. The privacy policy requirements do not apply to persons that obtain an individual’s SSN in the ordinary course of business and in compliance with the FCRA or subtitle A of Title V of the GLBA. Mich. Comp. Laws § 445.84(3) (LEXIS through P.A. 46, July 17, 2007).

36. Mich. Comp. Laws § 445.84 (LEXIS through P.A. 46, July 17, 2007).

37. Tex. Bus. & Com. Code Ann. § 35.581(a) (LEXIS through 2007 Ch. 253, approved May 25, 2007).

38. N.Y. Gen. Bus. Law § 399-dd(4) (LEXIS through ch. 295, July 18, 2007).

39. N.Y. Gen. Bus. Law § 399-dd(6) (LEXIS through ch. 295, July 18, 2007).

40. Recommended Practices for Protecting the Confidentiality of Social Security Numbers, Office of Privacy Protection, California Dept. of Consumer Affairs (2007), available at http://www.privacy.ca.gov/recommendations/recomend.htm.

41. Id.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved
