
General Assembly
File No. 718
January Session, 2009
Senate, April 20, 2009
The Committee on Judiciary reported through SEN. MCDONALD of the 27th Dist., Chairperson of the Committee on the part of the Senate, that the substitute bill ought to pass.
AN ACT CONCERNING THE COLLECTION AND DISCLOSURE OF SOCIAL SECURITY NUMBERS.
Be it enacted by the Senate and House of Representatives in General Assembly convened:
Section 1. (NEW) (Effective October 1, 2009) Any department, board, commission, institution or other agency of the state or any political subdivision of the state that requests an individual to disclose such individual's Social Security number shall inform such individual: (1) Whether such disclosure is mandatory or voluntary, (2) by what statutory or other authority such number is requested, and (3) what uses will be made of such number.
Sec. 2. Section 42-471 of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2009):
(a) As used in this section, "personal information" means information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
[(a)] (b) Any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files and documents prior to disposal.
[(b)] (c) Any person who collects Social Security numbers in the regular course of business [shall create a privacy protection policy which shall be published or publicly displayed. For purposes of this subsection, "publicly displayed" includes, but is not limited to, posting on an Internet web page. Such policy] shall: (1) Protect the confidentiality of [Social Security] such numbers, (2) prohibit unlawful disclosure of [Social Security] such numbers, and (3) limit access to [Social Security] such numbers. Such person shall adopt a privacy policy, or amend an existing privacy policy, to set forth the measures such person takes to ensure that the requirements of subdivisions (1) to (3), inclusive, of this subsection are met. Such person shall make such policy available on such person's Internet web site or, if such person does not have an Internet web site, shall provide such policy to any individual upon request.
[(c) As used in this section, "personal information" means information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.]
(d) For persons who hold a license, registration or certificate issued by a state agency other than the Department of Consumer Protection, this section shall be enforceable only by such other state agency pursuant to such other state agency's existing statutory and regulatory authority.
(e) Any person [or entity that] who violates the provisions of subsection (b) or (c) of this section shall be subject to a civil penalty of five hundred dollars for each violation, provided such civil penalty shall not exceed five hundred thousand dollars for any single event. It shall not be a violation of this section if such violation was unintentional. The Attorney General shall institute a civil action to recover such penalty.
(f) The provisions of this section shall not apply to any agency or political subdivision of the state.
[(g) Any civil penalties received pursuant to this section shall be deposited into the privacy protection guaranty and enforcement account established pursuant to section 19 of substitute senate bill 30 of the February 2008, regular session.]
(g) The Department of Consumer Protection shall adopt regulations, in accordance with chapter 54, to implement the provisions of this section including prescribing best practices for data protection and data disposal.
This act shall take effect as follows and shall amend the following sections:
Section 1 | October 1, 2009 | New section
Sec. 2 | October 1, 2009 | 42-471
JUD | Joint Favorable Subst.
The following Fiscal Impact Statement and Bill Analysis are prepared for the benefit of the members of the General Assembly, solely for purposes of information, summarization and explanation and do not represent the intent of the General Assembly or either chamber thereof for any purpose. In general, fiscal impacts are based upon a variety of informational sources, including the analyst's professional knowledge. Whenever applicable, agency data is consulted as part of the analysis; however, final products do not necessarily reflect an assessment from any specific department.
OFA Fiscal Note
Agency Affected | Fund-Effect | FY 10 $ | FY 11 $
Various State Agencies | GF - Cost | Minimal | None
Attorney General | GF - Revenue Gain | Potential | Potential
Municipalities | Effect | FY 10 $ | FY 11 $
All Municipalities | STATE MANDATE - Cost | Minimal | None
Explanation
State and municipal agencies will incur a one-time, minimal cost to change various paper and electronic forms, update web sites, and provide signage to notify individuals in accordance with the bill. Additionally, the bill results in a potential revenue gain due to civil penalties which could be imposed on violators by the Attorney General.
The Out Years
There is no fiscal impact in the out years.
OLR Bill Analysis
AN ACT CONCERNING THE COLLECTION AND DISCLOSURE OF SOCIAL SECURITY NUMBERS.
This bill requires government entities that request Social Security numbers to tell the people being asked (1) if the disclosure is mandatory or voluntary, (2) the legal authority for the request, and (3) how the numbers will be used. The requirement applies to state departments, boards, commissions, institutions, and other agencies and political subdivisions.
By law, anyone who collects Social Security numbers in the course of business must create a privacy protection policy and publish or publicly display it. The bill (1) limits the requirement to people who collect the numbers in the regular course of business, (2) requires them to include in the policy the steps they will take to protect the numbers from disclosure, and (3) specifically requires them to provide a copy of the policy upon request.
The bill requires the attorney general to bring a civil action to recover the penalty that may be imposed against intentional violators of the privacy protection policy requirement and eliminates the requirement that the civil penalties be deposited into the privacy protection guaranty and enforcement account. This account does not exist. By law, intentional violators are subject to a civil penalty of $500 for each violation, up to a maximum of $500,000 per event.
Lastly, the bill requires the Department of Consumer Protection to adopt implementing regulations and include in them best practices for data protection and data disposal.
EFFECTIVE DATE: October 1, 2009
BACKGROUND
Protection of Social Security Numbers in the Course of Business
Anyone who collects Social Security numbers in the course of business must create a privacy protection policy that must be published or publicly displayed, which includes posting it on an Internet web page. The policy must ensure confidentiality of Social Security numbers, prohibit their unlawful disclosure, and limit access to them.
Prohibition Against Publicly Disclosing Social Security Numbers
With certain exceptions, the law prohibits individuals and businesses from publicly disclosing Social Security numbers. The prohibition does not prevent the numbers from being (1) collected, used, or released as required by state or federal law or (2) used for internal verification or administrative purposes (CGS § 42-470).
The law also prohibits:
1. intentionally communicating or otherwise making available to the general public an individual's Social Security number;
2. printing anyone's Social Security number on a card that the person or entity must use to access the person or entity's products or services;
3. requiring anyone to transmit his or her Social Security number over the Internet, unless the connection is secure or the number is encrypted; or
4. requiring anyone to use his or her Social Security number to access an Internet web site, unless a password or unique personal identification number or other authentication is also required to access it.
Related Bill
SB 838, favorably reported by the General Law Committee, makes changes to the identity theft crimes and places restrictions on the dissemination of personally identifying information.
COMMITTEE ACTION
Judiciary Committee
Joint Favorable Substitute
Yea 42 | Nay 0 | (03/31/2009)