Location:
PRIVACY;
Scope:
Connecticut laws/regulations; Federal laws/regulations; Background;

OLR Research Report


December 1, 2010

 

2010-R-0495

RECENT IDENTITY THEFT LEGISLATION

By: James Orlando, Legislative Analyst II

You asked about significant legislation in the past three sessions regarding identity theft, particularly Social Security numbers.

SUMMARY

During the 2008-2010 legislative sessions, the General Assembly passed several acts concerning identity theft or safeguarding Social Security numbers (SSNs). Among these acts, PA 09-239 made the most extensive changes. Among other provisions, this act broadened the definition of identity theft, increased criminal penalties for certain activities related to identity theft, expanded opportunities for victims to sue for damages, and created an account to pay for enforcing certain privacy protection laws and reimbursing victims.

This report summarizes all public acts passed in 2008-2010 that relate to identity theft. It does not summarize any unrelated changes in these acts. All provisions discussed in the report are already effective unless otherwise noted. The report is organized in reverse chronological order. The full text and full summaries of these acts are available on the General Assembly website.

PA 10-157—FOSTER CHILDREN AND IDENTITY THEFT

This act requires the Department of Children and Families (DCF) to obtain a free credit report for every foster child age 16 and older and review it for evidence of identity theft. If DCF finds any evidence, it must, within five days of receiving the credit report, (1) report this to the chief state's attorney and (2) advise the affected youth and his or her foster parent, caseworker, and legal representative, if any, about this finding at the youth's next biennial treatment plan meeting.

Under the act, DCF must ask for a free credit report within 15 days after a foster child turns age 16. For a youth age 16 or older already in foster care on July 1, 2010, DCF must order the first report by July 31, 2010.

The act also requires DCF to report to the Human Services and Appropriations committees by July 1, 2011 about its findings of identity theft found through the credit reports.

PA 10-1, June Special Session ( 62) made technical corrections to
PA 10-157.

PA 10-117—SAFEGUARDING ELECTRONIC HEALTH INFORMATION

Among numerous other provisions, this act ( 82-90 & 96) establishes the “Health Information Technology Exchange of Connecticut” (the authority) as a quasi-public agency managed by a 20-member board of directors. The board's responsibilities include directing the authority concerning electronic data standards to assist the development of a statewide, integrated electronic health information system for use by health care providers and institutions that receive state funding. The electronic data standards must (among other requirements) (1) include provisions on security and privacy and (2) limit the use and dissemination of an individual's SSN and require its encryption.

The board replaces the Health Information Technology and Exchange (HITE) Advisory Committee.

These provisions were effective upon passage, except for the provision repealing the existing HITE Advisory Committee, which takes effect January 1, 2011.

PA 10-7—INSURANCE AND IDENTITY THEFT

Among other provisions, this act ( 2) requires an insurer of personal risk insurance to consider during its underwriting or rating process or during a review requested by an applicant, an applicant's extraordinary life circumstance. The insurer must do this on an applicant's written request if a circumstance occurred within three years before the application date. If the insurer determines that the applicant's credit history has been adversely impacted by an extraordinary life circumstance, it must grant a reasonable exception to its rates, rating classifications, or underwriting rules for the applicant. The act defines an “extraordinary life circumstance” to include identity theft, among various other circumstances.

The act permits an insurer to require the applicant to provide reasonable, independently verifiable documentation of the extraordinary circumstance and its effect on the applicant's credit report or credit history. It requires an insurer to keep confidential any documentation or information it obtains.

If the insurer grants an exception, it must (1) consider only credit information not affected by the extraordinary circumstance or (2) treat the applicant as if he or she had neutral or better-than-neutral credit information, as defined by the insurer.

An insurer may not be deemed to be out of compliance with any provision of the statutes or regulations concerning underwriting, rating, or rate filing solely based on granting an exception.

These provisions take effect July 1, 2011.

PA 09-239—CRIMES, CREDENTIALS, CIVIL ACTIONS, RECORDS, AND THE PRIVACY PROTECTION GUARANTY AND ENFORCEMENT ACCOUNT

Identity Theft ( 1)

This act expands the definition of “identity theft” by eliminating the requirement that personal identifying information be obtained without permission. Under the act, a person commits identity theft when he or she knowingly uses another's personal identifying information to obtain or attempt to obtain money, credit, goods, services, property, or medical information. Under prior law, a person committed identity theft when he or she intentionally obtained, without permission, another person's personal identifying information and used it to illegally obtain or attempt to obtain money, credit, goods, services, property, or medical information. A violator commits a class D, C, or B felony, depending on the amount involved.

By law, “personal identifying information” for this purpose includes any name, number, or other information that may be used, alone or with any other information, to identify a specific individual. This includes a person's (1) name; (2) birth date; (3) mother's maiden name; (4) motor vehicle operator, Social Security, employee identification, employer identification, taxpayer identification, alien registration, government passport, health insurance identification, demand deposit account, savings account, or credit or debit card number; or (5) unique biometric data, such as a fingerprint, voice print, retina or iris image, or other unique physical representation.

Increased Penalties for Crimes Against Seniors ( 2 & 3)

By law, identity theft in the first degree (a class B felony punishable by one to 20 years' imprisonment, a fine of up to $15,000, or both) is committed when the value of the goods or services is greater than $10,000. The act lowers the threshold to $5,000 if the crime is perpetrated against someone age 60 or older. Identity theft in the second degree (a class C felony punishable by one to 10 years' imprisonment, a fine of up to $10,000, or both) is committed when the value of the goods or services is greater than $5,000 and less than $10,000. The act lowers the threshold to any amount if the crime is perpetrated against someone age 60 or older.

The effect is to raise the penalty for committing identity theft against a senior from a class D to a class C felony when the amount involved is less that $5,000 and from a class C to class B felony when it is more. These provisions are apparently in addition to penalties for larceny (CGS 53a-119).

Criminal Impersonation ( 4)

The act increases the penalty for criminal impersonation from a class B misdemeanor (punishable by up to 6 months' imprisonment, a fine of up to $1,000, or both) to a class A misdemeanor (punishable by up to one year's imprisonment, a fine of up to $2,000, or both).

Unlawful Possession of Personal Information Access Devices ( 5)

The act creates the class A misdemeanor crime of unlawful possession of “personal identifying information access devices.” A person is guilty of committing it when he or she possesses access devices, document-making equipment, or authentication implements to alter, obtain, or use another's personal identifying information. The law already prohibits possession of a scanning device or reencoder under circumstances manifesting intent to use it to commit identity theft.

For this purpose, “access devices” include a card, plate, code, account number, mobile identification number, personal identification number, telecommunication service access equipment, card-reading device, scanning device, reencoder or other means that could be used to access financial resources or obtain financial information, personal identifying information, or another person's benefits.

It is already a crime to (1) fraudulently use an automated teller machine with intent to deprive someone of property or to appropriate property to oneself or a third person and (2) knowingly use in a fraudulent manner an automated teller machine for the purpose of obtaining property (CGS 53a-127b).

Credentials Obtained with False Information ( 6)

The act prohibits obtaining or attempting to obtain a license, registration, or certificate for another by misrepresentation or impersonation. It makes void from the date of issue any credential (1) obtained under these circumstances or (2) issued by the state or a political subdivision based upon an application containing a material false statement. It requires the credential, and any money paid for it, to be surrendered, on demand, to the issuing authority, provided the authority has complied with the notice requirements of the Uniform Administrative Procedure Act (UAPA). These provisions do not limit the power or authority of the state or any political subdivision to seek administrative, legal, or equitable relief. In many cases, such as driver's licenses, the law already makes void a credential issued based on a material false statement (CGS 14-43).

A violator commits a class A misdemeanor.

Civil Action for Damages, Trafficking in Personal Identifying Information, and Statute of Limitations ( 7)

By law, victims of identity theft can bring a civil action for damages against the offender in Superior Court. The act also allows civil actions for damages if the offender was guilty of trafficking in personal identifying information.

The law requires courts to award prevailing plaintiffs the greater of $1,000 or triple damages, costs, and reasonable attorney's fees. The act specifies that damages include documented lost wages and any financial loss the plaintiff suffered as a result of identity theft. Furthermore, it

explicitly allows the court to award other remedies provided by law, including the cost of providing at least two years of commercially available identity theft monitoring and protection.

The act extends the two-year statute of limitations with regard to these cases to three years. By law, the limitation period starts from the date the violation is, or reasonably should have been, discovered.

Correcting Public Records ( 8)

The act requires, rather than allows, a court to issue orders necessary to correct a public record that contains false information due to identity theft when a person is convicted of identity theft. It also applies the requirement to convictions of trafficking in personal identifying information.

Venue for Prosecuting Identity Theft Cases ( 9)

The law allows alleged identity theft offenders to be prosecuted in the Superior Court for the geographical area where the victim lives rather than the area where the crime was allegedly committed. The act specifies that the alleged violator may also be prosecuted in that judicial district or geographical area. It also applies the provision to prosecutions for trafficking in personal identifying information.

Safeguarding Employment Applications ( 10)

The act requires employers to obtain and retain applications in a secure manner and, when disposing of the applications, to employ reasonable measures to destroy or make them unreadable at least by shredding them. An “employer” is an individual, corporation, partnership, or unincorporated association. The requirement does not apply to state agencies or political subdivisions.

A violation is subject to a civil penalty of $500 per violation, not to exceed $500,000 per event. Civil penalties received must be deposited in the Privacy Protection Guaranty and Enforcement Account.

Altered Credentials ( 11)

The act prohibits anyone from physically altering any license, registration, or certificate issued by the state or a political subdivision to conceal or misrepresent a material fact. It makes any credential so altered void from the date of alteration. The act requires the credential to

be surrendered on demand to the issuing authority, provided the authority has complied with the notice requirements of the UAPA. Under the act, any money paid for the credential is forfeited to the issuing authority.

These provisions do not limit the power or authority of the state or any of its political subdivisions to seek administrative, legal, or equitable relief.

A violator commits a class A misdemeanor.

Forfeiture of Proceeds of Identity Theft ( 12)

The act subjects to forfeiture all proceeds, or property derived from the proceeds, obtained, directly or indirectly, from identity theft, trafficking in personal identifying information, unlawful possession of personal information access devices, credentials obtained with false information, and altered credentials. It provides that property is not subject to forfeiture (1) to the extent of an owner's or lienholder's interest if the owner or lienholder did not know and could not have reasonably known that the property was being used, intended to be used, or derived from criminal activity or (2) if it is used, or is intended to be used, to pay legitimate attorney's fees in connection with the defense in a criminal prosecution.

The act establishes procedures for hearings to handle the proceeds from the sale of this forfeited property. The procedures are the same as those in the drug forfeiture law (CGS 54-36h). The proceeds must be used to pay (1) preserved liens; (2) storage, maintenance, security, and forfeiture costs; and (3) court costs. The act requires balances from the following to be deposited in the Privacy Protection Guaranty and

Enforcement Account: sale of property made in connection with a prosecution for identity theft, criminal impersonation, unlawful possession of personal information access devices, making a material misstatement to obtain a credential, and altering a credential.

Violation Revenue ( 13)

PA 09-71 (see below) eliminated the requirement that penalties for violating the duty to safeguard certain personal information be deposited into the Privacy Protection Guaranty and Enforcement Account because the account was not created when the duty to safeguard personal information was established (PA 08-167). This act establishes the account and reestablishes the requirement that penalties for violating the duty to safeguard information be deposited in it.

Penalty for Violating the Restriction Against Disseminating Social Security Numbers ( 14)

The law restricts the dissemination of SSNs and subjects willful violators to a criminal fine of $100 for a first offense, up to $500 for a second offense; and up to $1,000, six months imprisonment, or both, for subsequent offenses. The act also subjects willful violators to a civil penalty of $500 for each violation, up to a maximum of $500,000 per event.

Investigations ( 15)

The act authorizes the Department of Consumer Protection (DCP) commissioner to conduct investigations and hold hearings on violations of laws against misuse or failure to safeguard SSNs, as well as the provisions of the act related to (1) safeguarding employee data, (2) filing documents with DCP containing a false or material misstatement of fact, or (3) DCP regulations adopted in accordance with this act.

The commissioner may (1) issue subpoenas; (2) administer oaths; (3) compel testimony; and (4) order the production of books, records, papers, and documents. If an individual refuses to comply, the Superior Court may make an appropriate order to aid enforcement. The attorney general, at the request of the commissioner or another state agency required to enforce the act's provisions, may apply to the Superior Court for an order temporarily or permanently restraining and enjoining a person from violating the relevant laws.

Privacy Protection Guaranty and Enforcement Account ( 16)

Establishment of Account. The act establishes the Privacy Protection Guaranty and Enforcement Account as a nonlapsing General Fund account and allows it to contain any money the law requires to be deposited in it.

The act requires the DCP commissioner to use the account to (1) reimburse individuals hurt by violations of laws against misuse of or failure to safeguard SSNs, as well as (a) the provisions of the act related to safeguarding employee data, (b) the filing of documents with DCP containing false, untrue, or material misstatements of fact, or (c) DCP regulations adopted in accordance with this act and (2) enforce the above laws and provisions.

Payments to Account. The act requires penalty payments for violating laws and implementing regulations against misuse of or failure to safeguard SSNs, as well as (1) failure to safeguard employee data, (2) filing documents with DCP containing false or material misstatements of fact, or (3) violating DCP regulations set forth in accordance with this act to be credited to the account. The money in the account may be invested or reinvested and any interest earned by the investments must be credited to the account.

Applying for Payment. After someone hurt by a violation of the act's, or implementing regulation's, restriction on disseminating personal identifying information has obtained a court judgment, the individual may apply to the commissioner for a payment from the account for the unpaid amount of the judgment for actual damages and costs, but not for punitive damages. The application must be made on DCP forms and be accompanied by a certified copy of the court judgment and a notarized, signed, and sworn affidavit. The affidavit must affirm that the applicant has:

1. complied with all the application requirements,

2. obtained a judgment, and

3. stated the judgment amount and the amount still owed as of the application date.

The applicant must also cause a writ of execution to be issued on the judgment, and the officer executing it must have made a return showing that it could not be satisfied, that the amount recovered was not enough to satisfy the actual damage portion of the judgment, or the amount realized and the balance remaining. It does not require an applicant who obtained a judgment in small claims court to fulfill these requirements.

The act also requires a true and attested copy of the executing officer's return, when required, to be attached to the application and affidavit.

Applications may be made after the final determination of, or expiration of time for, an appeal in connection with a judgment. The act requires applications for payments to be made before three years have elapsed from the final determination or expiration of time for appeal of the court judgment.

Commissioner's Determination. The act requires the DCP commissioner or his designee to inspect the application and accompanying documents for veracity. Once he determines that they are complete and authentic and that the applicant has not been paid, he must pay the unpaid amount, other than punitive damages, from the account.

Orders of Restitution. The act allows an individual awarded restitution for loss or damages sustained from a violation of the act or implementing regulations in a proceeding brought by the commissioner or the attorney general, to apply for payment of the unpaid amount from the account. The commissioner may make the payment after determining that the individual has not been paid and the time for appeal has passed.

Violator's Right to a Hearing. The act requires the commissioner, before making a payment from the account, to notify the person or entity responsible for the damage caused by disseminating personal information of (1) the application for payment and (2) the person or entity's right to a hearing to contest the disbursement if the person or entity has already paid the applicant.

The act requires the notice to be given within 15 days after the commissioner receives an application for payment. If the person or entity requests a hearing in writing by certified mail within 15 days after receiving the commissioner's notice, the commissioner must conduct a

hearing in accordance with the UAPA. If the commissioner does not receive such a request by certified mail, he must determine that the individual has not been paid and make a payment from the account.

Restitution Hearing. The act allows the commissioner or his designee to proceed for restitution from any person or entity for (1) dissemination of SSNs, (2) failure to safeguard SSNs and employee data, (3) filing false information in documents required by this act, or (4) violating DCP regulations adopted in accordance with this act. Proceedings must be held according to the UAPA. The act requires the commissioner or designee to decide in the course of the hearing whether to order restitution and whether to order payment from the account.

The act allows the commissioner or designee to hear complaints of all individuals submitting claims against a single person or entity in one proceeding.

Exemption from Applicant's Duty to Satisfy Judgment. The act allows the commissioner or his designee to dispense with the requirement that an applicant attempt to execute a judgment if the applicant satisfies the commissioner or designee that (1) it is not practicable, (2) he or she has taken all reasonable steps to collect, and (3) he or she has been unable to collect.

Preserving the Account's Integrity. The act allows the commissioner, in his sole discretion, to pay less than the actual loss or damages or the amount of a court or DCP restitution order to preserve the integrity of the account. It requires the commissioner, when sufficient money has been deposited in the account, to satisfy such unpaid claims.

Account Shortfall. If the money in the account is insufficient to satisfy a claim, the act requires the commissioner to pay unsatisfied claims when enough money has been deposited in the order that such claims were determined.

Subrogation. The act requires individuals to assign to the commissioner the right to recover the amount they have been paid from the fund, plus reasonable interest. Any amount and interest the commissioner recovers on the claim must be deposited in the guaranty account.

Commissioner's Duty to Seek Recovery. If the commissioner pays from the account, the act requires him to determine if the person or entity that caused the injury has assets that could be sold or applied to satisfy the claim. If he discovers any such assets, the act requires the attorney general to take necessary action to reimburse the account.

Commissioner's Authority to Make Repayment Agreements. The act authorizes the commissioner to make repayment agreements where the party agrees to repay the account in full through periodic payments over a set period of time.

False Statements ( 17)

The act establishes a fine of between $500 and $5,000, to be deposited into the privacy protection account, for filing with DCP a notice, statement, or other document required by the act or implementing regulation on dissemination of personal identifying information that is false or includes a material misstatement of fact.

Appeals ( 18)

The act authorizes anyone aggrieved by any decision or order the commissioner makes under the act's or implementing regulation's provisions restricting the dissemination of personal identifying information to appeal in accordance with the UAPA.

Regulations ( 19)

The act authorizes the DCP commissioner to adopt regulations implementing the act's provisions on restricting the dissemination of personal identifying information. It subjects violators of the regulations to the same penalties as violators of the act.

PA 09-71—BANKS AND PERSONAL INFORMATION

By law, anyone possessing personal information about another person must safeguard it and the computer files and documents that contain it. “Personal information” is information that can be associated with an individual through an identifier like a SSN. The law gives each state agency the authority to enforce this provision against its licensees, registrants, or certificate holders. This act gives agencies the authority to enforce the law against holders of charters subject to their supervision, thereby clarifying that the Department of Banking can enforce the provision against banks.

The act also specifies that a financial institution's adoption of safeguards that comply with the federal Gramm-Leach-Bliley Act constitutes compliance with the law on safeguarding personal information. The 1999 federal Gramm-Leach-Bliley Act applies to financial institutions and how they handle nonpublic personal information. It requires federal regulators to establish comprehensive standards for ensuring the security and confidentiality of consumers' personal financial information.

The act eliminates the requirement that monetary penalties for violations of laws safeguarding personal information be deposited into the Privacy Protection Guaranty and Enforcement Account, because the account had not yet been created when the duty to safeguard personal information was established. However, PA 09-239 (see above) establishes the account and reestablishes the requirement that penalties for violating the duty to safeguard information be deposited in the account.

PA 08-184—VITAL RECORDS AND SOCIAL SECURITY NUMBERS

Among numerous other provisions, this act ( 46-49) repeals a provision of PA 08-66 (see below) that required recording the mother's and father's SSN in the confidential portion of the birth certificate and makes a conforming change concerning recording the SSN of the father of a child born out of wedlock. It prohibits releasing a parent's SSN recorded on a birth or fetal death record or certificate to any person or entity that is not authorized by state or federal law (e.g., for child support enforcement).

By law, only specified parties can obtain, access, or examine copies of birth and fetal death records and certificates less than 100 years old. These parties include the child's close relatives; the chief elected official or health director of the town where the birth or fetal death occurred; attorneys representing the child, the child's parents, children, or surviving spouse; genealogists; authorized federal and state officials; and people the Department of Public Health (DPH) specifically authorizes for statistical or research purposes.

The law also provides that it is not to be construed to permit disclosure of any information contained in the “health and statistical use only” and “administrative purposes only” sections of birth or fetal death records to anyone, including these specified parties, unless DPH specifically authorizes disclosure for statistical or research purposes. The act repeals (1) a provision of PA 08-66 that also permitted disclosure

of SSNs and other certificate information from these sections if state or federal law authorized it and (2) a provision of prior law that permitted disclosure of information about the parents' ethnic and racial background regardless of its use.

PA 08-167—DUTY TO SAFEGUARD PERSONAL INFORMATION AND PRIVACY PROTECTION POLICY

The act requires anyone in possession of personal information about another person to safeguard the data and computer files and documents containing it from misuse by third parties and to destroy, erase, or make unreadable any document, computer file, or data before disposing of it. For this purpose, “personal information” means information capable of being associated with a particular individual through one or more identifiers, such as a SSN or driver's license, state identification card, account, credit or debit card, passport, alien registration, or health insurance identification number. It does not include publicly available information lawfully made available from federal, state, or local government records or widely distributed media.

The act requires anyone that collects SSNs in the course of business to create a privacy protection policy that must be published or publicly displayed, which includes posting it on an Internet web page. The policy must ensure confidentiality of SSNs, prohibit their unlawful disclosure, and limit access to them.

The act subjects violators to a civil penalty of $500 for each violation, up to a maximum of $500,000 per event. It provides that a violation is not a violation if it is unintentional. Civil penalties must be deposited into the Privacy Protection Guaranty and Enforcement Account.

For persons and entities that hold a state license, registration, or certificate issued by a state agency other than DCP, the act provides that its provisions restricting the dissemination of SSNs and on safeguarding personal information are enforceable by the agency that issued the credential using its existing statutory and regulatory authority.

The act's requirements do not apply to state agencies and political subdivisions.

PA 08-150—PERSONAL INFORMATION IN MOTOR VEHICLE RECORDS

The law restricts the availability of personal information contained in Department of Motor Vehicles (DMV) records to specific users identified in the law and for explicit purposes. Among numerous other provisions, this act ( 3) makes it a class A misdemeanor for anyone, including any officer, employee, agent, or contractor of the DMV to sell, transfer, or otherwise disclose any personal or highly restricted personal information obtained from DMV files for any unauthorized purpose. By law, personal information includes someone's photograph or digitized image, SSN, license number, name, address other than the zip code, telephone number, or medical or disability information. Highly restricted personal information is under a greater degree of protection from disclosure and includes a picture or digitized image, SSN, and medical or disability information.

The act also explicitly prohibits anyone who receives personal or highly restricted personal information from DMV records from reselling or re-disclosing it for a purpose not authorized under the law or reasonably related to such a purpose. Prior law implied this prohibition but did not explicitly state it.

PA 08-66 —SOCIAL SECURITY NUMBERS ON VITAL RECORDS

Many of the provisions of this act were amended by PA 08-184 (see description under Background below).

Birth and Fetal Death Certificates

Under prior law, parents' SSNs were recorded in the “information for statistical purposes only” section of birth and fetal death certificates, and SSNs on certificates recorded before October 1, 1990 that were less than 100 years old could be disclosed to various parties. These parties included the child's close relatives; the chief elected official or health director of the town where the birth or fetal death occurred; attorneys representing the child, the child's parents, children, or surviving spouse; genealogists; authorized federal and state officials; and people DPH specifically authorized for statistical or research purposes.

The act requires parents' SSNs to be recorded in these forms' confidential section. It specifies that the law governing access to birth and fetal death records and information is not to be construed to permit disclosure of these SSNs, unless authorized by state or federal law or by DPH for statistical or research purposes. By law, information in the confidential section may be used:

1. by DPH or local health directors as authorized by DPH for statistical and health purposes;

2. by local health directors for town-related records; and

3. by the birthing hospital for statistical, health, and quality assurance.

By law, DPH can authorize disclosure of otherwise confidential information in the “information for medical and health use only” and the “information for statistical purposes only” sections for statistical or research purposes. The act also permits disclosure if state or federal law authorizes it for these purposes. In practice neither of these sections is issued with a copy of the certificate.

Marriage and Civil Union Licenses

The act applies existing law governing recording SSNs on marriage licenses to civil union licenses. It requires the SSNs of parties to a civil union to be (1) recorded in the “administrative purposes” section of the

license application and the license and (2) redacted or removed from any copy of a license given to (a) people not otherwise authorized to obtain the number or (b) a state or federal agency that requests one.

For both marriages and civil unions, the act (1) specifies that the officiator's and the local registrar's access to the parties' SSNs is only for processing the license, (2) eliminates the DPH commissioner's ability to authorize other people to have access to the parties' SSNs on the license, and (3) allows only the parties to the marriage or civil union to get a certified copy of the license containing their SSNs.

Death Certificates

The law requires recording decedents' SSNs on the death certificate, but for people who died after December 31, 2001 this information is recorded in an “administrative purposes” section. The act specifies that the people listed on the death certificate, including the funeral director,

embalmer, surviving spouse, conservator, physician, and town clerk can have access to the SSN and other information in the “administrative purposes” section only to process the certificate.

For deaths occurring after July 1, 1997, the act permits:

1. only the surviving spouse or next of kin to get a certified copy of a death certificate with the decedent's SSN or with the complete administrative purposes section and

2. any researcher requesting a certified or uncertified copy of a death certificate to obtain the information in the “administrative purposes” section with the decedent's SSN redacted.

Under prior law, if anyone other than the parties listed on the death certificate asked for a copy the registrar could redact or remove the SSN or omit the administrative purposes section.

Vital Records and Genealogists

The law gives members of genealogical societies that the secretary of the state recognizes full access to all vital records, except certain confidential files. The act adds records containing SSNs protected from disclosure by federal law to those exceptions and requires registrars to redact federally protected SSNs from any certified copy of any vital record they issue to a genealogist.

Background

Provisions Amended by PA 08-184. PA 08-184 amends several provisions of this act. Among other changes, it repeals the provision that requires recording the mother's and father's SSN in the confidential portion of the birth certificate; prohibits releasing a parent's SSN to any person or entity that is not authorized by state or federal law; specifies that the law is not to be construed to permit disclosure of any information contained in the “health and statistical use only” and “administrative purposes only” sections to anyone unless DPH specifically authorizes it for statistical or research purposes; and allows entities authorized by state or federal law to receive marriage, civil union, and death records.

Federal Law. Federal law requires states or their political subdivisions to obtain parents' SSNs in administering their laws governing birth certificate issuance, but it prohibits them from recording this information on the birth certificate (42 U.S.C. 405(c)(2)(C)(ii)). The law also makes confidential any SSNs and related records obtained under any law enacted on or after October 1, 1990 and prohibits state or local officials from disclosing them (42 U.S.C. 405(c)(2)(C)(viii)(I)).

JO:df