CHAPTER 743dd

PROTECTION OF SOCIAL SECURITY NUMBERS
AND PERSONAL INFORMATION

Table of Contents

Sec. 42-470. Restriction on posting, display, transmission and use of Social Security numbers. Exceptions. Penalties.

Sec. 42-471. Safeguarding of personal information. Social Security numbers. Privacy protection policy. Civil penalty.

Sec. 42-471a. Employment applications to be obtained and retained in secure manner. Penalties.

Sec. 42-472. Hearings. Court orders. Restraining orders.

Sec. 42-472a. Privacy protection guaranty and enforcement account.

Sec. 42-472b. Filing of notice, statement or other document which is false or untrue or contains material misstatement of fact. Fine.

Sec. 42-472c. Appeal of decision or order of Commissioner of Consumer Protection.

Sec. 42-472d. Regulations. Civil penalty.

Secs. 42-473 to 42-479. Reserved


Sec. 42-470. Restriction on posting, display, transmission and use of Social Security numbers. Exceptions. Penalties. (a) For the purposes of this section, “person” means any individual, firm, partnership, association, corporation, limited liability company, organization or other entity, but does not include the state or any political subdivision of the state, or any agency thereof.

(b) Except as provided in subsection (c) of this section, no person shall:

(1) Publicly post or publicly display in any manner an individual’s Social Security number. For the purposes of this subdivision, “publicly post” or “publicly display” means to intentionally communicate or otherwise make available to the general public;

(2) Print an individual’s Social Security number on any card required for the individual to access products or services provided by such person;

(3) Require an individual to transmit such individual’s Social Security number over the Internet, unless the connection is secure or the Social Security number is encrypted; or

(4) Require an individual to use such individual’s Social Security number to access an Internet web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet web site.

(c) The provisions of subsection (b) of this section shall apply with respect to group and individual health insurance policies providing coverage of the type specified in subdivisions (1), (2), (4), (6), (10) and (12) of section 38a-469 that are delivered, issued for delivery, amended, renewed or continued on and after July 1, 2005.

(d) This section does not prevent the collection, use or release of a Social Security number as required by state or federal law or the use of a Social Security number for internal verification or administrative purposes.

(e) Any person who wilfully violates the provisions of subsection (b) of this section shall be fined not more than one hundred dollars for a first offense and not more than five hundred dollars for a second offense, and shall be fined not more than one thousand dollars or be imprisoned not more than six months, or both, for each subsequent offense.

(f) Any person who wilfully violates the provisions of subsection (b) of this section shall be subject to a civil penalty of five hundred dollars for each such violation, provided such civil penalty shall not exceed five hundred thousand dollars for any single event.

(g) All civil penalties received pursuant to subsection (f) of this section shall be deposited into the privacy protection guaranty and enforcement account established under section 42-472a.

(P.A. 03-156, S. 13; P.A. 09-239, S. 14.)

History: P.A. 09-239 removed “on and after January 1, 2005,” in Subsec. (b), added Subsec. (f) re civil penalty and added Subsec. (g) re deposit of civil penalties into privacy protection guaranty and enforcement account.

Sec. 42-471. Safeguarding of personal information. Social Security numbers. Privacy protection policy. Civil penalty. (a) Any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files and documents prior to disposal.

(b) Any person who collects Social Security numbers in the course of business shall create a privacy protection policy which shall be published or publicly displayed. For purposes of this subsection, “publicly displayed” includes, but is not limited to, posting on an Internet web page. Such policy shall: (1) Protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.

(c) As used in this section, “personal information” means information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

(d) For persons who hold a license, registration or certificate issued by, or a charter subject to the supervision of, a state agency other than the Department of Consumer Protection, this section shall be enforceable only by such other state agency pursuant to such other state agency’s existing statutory and regulatory authority.

(e) Any person or entity that violates the provisions of this section shall be subject to a civil penalty of five hundred dollars for each violation, provided such civil penalty shall not exceed five hundred thousand dollars for any single event. It shall not be a violation of this section if such violation was unintentional.

(f) The provisions of this section shall not apply to any agency or political subdivision of the state.

(g) If a financial institution has adopted safeguards that comply with the standards established pursuant to Section 501(b) of the Gramm-Leach-Bliley Act of 1999, 15 USC 6801, then such compliance shall constitute compliance with the provisions of this section.

(h) Any civil penalties received pursuant to this section shall be deposited into the privacy protection guaranty and enforcement account established pursuant to section 42-472a.

(P.A. 08-167, S. 1; P.A. 09-71, S. 1; 09-239, S. 13.)

History: P.A. 09-71 amended Subsec. (d) by adding “or a charter subject to the supervision of”, deleted former Subsec. (g) re civil penalties and added new Subsec. (g) re safeguards that comply with Gramm-Leach-Bliley Act; P.A. 09-239 added Subsec. (h) re deposit of civil penalties into privacy protection guaranty and enforcement account, effective July 9, 2009.

Sec. 42-471a. Employment applications to be obtained and retained in secure manner. Penalties. (a) Each employer shall obtain and retain employment applications in a secure manner and shall employ reasonable measures to destroy or make unreadable such employment applications upon disposal. Such measures shall, at a minimum, include the shredding or other means of permanent destruction of such employment applications in a secure setting. For purposes of this section, “employer” shall have the meaning prescribed to such term in section 31-128a.

(b) Any person or entity that violates the provisions of this section shall be subject to a civil penalty of five hundred dollars for each violation, provided such civil penalty shall not exceed five hundred thousand dollars for any single event.

(c) The provisions of this section shall not apply to any agency or political subdivision of the state.

(d) Any civil penalties received pursuant to this section shall be deposited into the privacy protection guaranty and enforcement account established pursuant to section 42-472a.

(P.A. 09-239, S. 10.)

Sec. 42-472. Hearings. Court orders. Restraining orders. (a) Except as otherwise provided in section 42-471, the Commissioner of Consumer Protection may conduct investigations and hold hearings on any matter under the provisions of section 42-470, 42-471, 42-471a or 42-472b or any regulation adopted pursuant to section 42-472d. The commissioner may issue subpoenas, administer oaths, compel testimony and order the production of books, records, papers and documents. If any person refuses to appear, testify or produce any book, record, paper or document when so ordered, upon application of the commissioner, the Superior Court may make such order as may be appropriate to aid in the enforcement of this section.

(b) (1) The Attorney General, at the request of the Commissioner of Consumer Protection, may apply to the Superior Court for an order temporarily or permanently restraining and enjoining any person from violating any provision of section 42-470, 42-471, 42-471a or 42-472b or any regulation adopted pursuant to section 42-472d.

(2) The Attorney General, at the request of any other state agency charged with enforcement of section 42-471 pursuant to subsection (d) of said section, may apply to the Superior Court for an order temporarily or permanently restraining and enjoining any person from violating any provision of section 42-471.

(P.A. 09-239, S. 15.)

History: P.A. 09-239 effective July 9, 2009.

Sec. 42-472a. Privacy protection guaranty and enforcement account. (a) There is established a “privacy protection guaranty and enforcement account” which shall be a nonlapsing account within the General Fund. The account may contain any moneys required by law to be deposited in the account. The account shall be used by the Commissioner of Consumer Protection: (1) For the reimbursement of losses sustained by individuals injured by a violation of the provisions of section 42-470, 42-471, 42-471a or 42-472b or any regulation adopted pursuant to section 42-472d, and (2) for the enforcement of provisions of section 42-470, 42-471, 42-471a or 42-472b or any regulation adopted pursuant to section 42-472d.

(b) Payments received pursuant to section 42-470, 42-471, 42-471a or 42-472b or any regulation adopted pursuant to section 42-472d, shall be credited to the privacy protection guaranty and enforcement account. Any money in the privacy protection guaranty and enforcement account may be invested or reinvested and any interest arising from such investments shall be credited to said account.

(c) Whenever an individual obtains a court judgment against any person or entity for a violation of section 42-470, 42-471, 42-471a or 42-472b or any regulation adopted pursuant to section 42-472d, such individual may, upon the final determination of, or expiration of time for appeal in connection with any such judgment, apply to the Commissioner of Consumer Protection for an order directing payment out of said account of the amount unpaid upon the judgment for actual damages and costs taxed by the court against the person or entity, exclusive of punitive damages. The application shall be made on forms provided by the commissioner and shall be accompanied by a certified copy of the court judgment obtained against the person or entity, together with a notarized affidavit, signed and sworn to by the individual, affirming that the individual: (1) Has complied with all the requirements of this subsection; (2) has obtained a judgment stating the amount thereof and the amount owing thereon at the date of application; and (3) except for a judgment obtained by the individual in small claims court, has caused to be issued a writ of execution upon such judgment, and the officer executing the same has made a return showing that no bank accounts or real property of the person or entity liable to be levied upon in satisfaction of the judgment could be found, or that the amount realized on the sale of them or of such of them as were found, under the execution, was insufficient to satisfy the actual damage portion of the judgment, or stating the amount realized and the balance remaining due on the judgment after application thereon of the amount realized. A true and attested copy of such executing officer’s return, when required, shall be attached to such application and affidavit.

(d) Upon receipt of such application together with such certified copy of the court judgment, notarized affidavit and true and attested copy of the executing officer’s return, when required, the commissioner or the commissioner’s designee shall inspect such documents for their veracity and upon a determination that such documents are complete and authentic, and a determination that the individual has not been paid, the commissioner shall order payment out of said account of the amount unpaid upon the judgment for actual damages and costs taxed by the court against the person or entity, exclusive of punitive damages.

(e) Whenever an individual is awarded an order of restitution against any person or entity for loss or damages sustained by reason of a violation of section 42-470, 42-471a or 42-472b or any regulation adopted pursuant to section 42-472d in a proceeding brought by the Attorney General at the request of the commissioner pursuant to section 42-470 or 42-471 or in a proceeding brought by the Attorney General, such individual may, upon the final determination of, or expiration of time for appeal in connection with any such order of restitution, apply to the commissioner for an order directing payment out of said account of the amount unpaid upon the order of restitution. The commissioner may issue such order upon a determination that the individual has not been paid.

(f) Before the commissioner shall issue any order directing payment out of the account to an individual pursuant to this section, the commissioner shall first notify the person or entity of the individual’s application for an order directing payment out of the account and of the person or entity’s right to a hearing to contest the disbursement in the event that the person or entity has already paid the individual. Such notice shall be given to the person or entity not later than fifteen days after the receipt by the commissioner of the individual’s application for an order directing payment out of said account. If the person or entity requests a hearing in writing by certified mail not later than fifteen days after receipt of the notice from the commissioner, the commissioner shall grant such request and shall conduct a hearing in accordance with the provisions of chapter 54. If the commissioner receives no written request by certified mail from the person or entity for a hearing not later than fifteen days after the person’s or entity’s receipt of such notice, the commissioner shall determine that the individual has not been paid, and the commissioner shall issue an order directing payment out of said account for the amount unpaid upon the judgment for actual damages and costs taxed by the court against the person or entity, exclusive of punitive damages, or for the amount unpaid upon the order of restitution.

(g) The commissioner or the commissioner’s designee may proceed against any person or entity for an order of restitution arising from loss or damages sustained by any individual by reason of such person’s or entity’s violation of any of the provisions of section 42-470, 42-471, 42-471a or 42-472b or any regulation adopted pursuant to section 42-472d. Any such proceeding shall be held in accordance with the provisions of chapter 54. In the course of such proceeding, the commissioner or the commissioner’s designee shall decide whether to order restitution arising from such loss or damages, and whether to order payment out of said account. The commissioner or the commissioner’s designee may hear complaints of all individuals submitting claims against a single person or entity in one proceeding.

(h) No application for an order directing payment out of said account shall be made later than three years from the final determination of or expiration of time for appeal in connection with any judgment or order of restitution.

(i) Whenever an individual satisfies the commissioner or the commissioner’s designee that it is not practicable to comply with the requirements of subdivision (3) of subsection (c) of this section and that the individual has taken all reasonable steps to collect the amount of the judgment or the unsatisfied part thereof and has been unable to collect the same, said commissioner or said designee may, in his or her discretion, dispense with the necessity for complying with such requirement.

(j) In order to preserve the integrity of said account, the commissioner, in his or her sole discretion, may order payment out of said account of an amount less than the actual loss or damages incurred by the individual or less than the order of restitution awarded by the commissioner or the Superior Court.

(k) If the money deposited in said account is insufficient to satisfy any duly authorized claim or portion thereof, the commissioner shall, when sufficient money has been deposited in the account, satisfy such unpaid claims or portions thereof, in the order that such claims or portions thereof were originally determined.

(l) When the commissioner has caused any sum to be paid from said account to an individual, the commissioner shall be subrogated to all of the rights of the individual up to the amount paid plus reasonable interest, and prior to receipt of any payment from said account, the individual shall assign all of this right, title and interest in the claim up to such amount to the commissioner, and any amount and interest recovered by the commissioner on the claim shall be deposited in said account.

(m) If the commissioner orders the payment of any amount as a result of a claim against any party, said commissioner shall determine if the person or entity is possessed of assets liable to be sold or applied in satisfaction of the claim on said account. If the commissioner discovers any such assets, the Attorney General shall take any action necessary for the reimbursement of said account.

(n) If the commissioner orders the payment of an amount as a result of a claim against any party, said commissioner may enter into an agreement with the party whereby the party agrees to repay said account in full in the form of periodic payments over a set period of time.

(P.A. 09-239, S. 16.)

History: P.A. 09-239 effective July 9, 2009.

Sec. 42-472b. Filing of notice, statement or other document which is false or untrue or contains material misstatement of fact. Fine. Any person filing with the Commissioner of Consumer Protection any notice, statement or other document required under the provisions of section 42-470, 42-471, 42-471a or 42-472 to 42-472c, inclusive, or of any regulation adopted pursuant to section 42-472d, which is false or untrue or contains any material misstatement of fact shall be fined not less than five hundred dollars nor more than five thousand dollars for each violation. All fines received pursuant to this section shall be deposited in the privacy protection guaranty and enforcement account established pursuant to section 42-472a.

(P.A. 09-239, S. 17.)

Sec. 42-472c. Appeal of decision or order of Commissioner of Consumer Protection. Any person aggrieved by any decision or order of the Commissioner of Consumer Protection pursuant to section 42-470 or 42-471, as applicable, section 42-471a, sections 42-472 to 42-472c, inclusive, or any regulation adopted pursuant to section 42-472d, may appeal in accordance with the provisions of chapter 54.

(P.A. 09-239, S. 18.)

History: P.A. 09-239 effective July 9, 2009.

Sec. 42-472d. Regulations. Civil penalty. (a) The Commissioner of Consumer Protection may adopt regulations, in accordance with the provisions of chapter 54, to carry out the provisions of section 42-470 or 42-471, as applicable, section 42-471a or sections 42-472 to 42-472c, inclusive.

(b) Any person who wilfully violates the provisions of any regulation adopted by the commissioner pursuant to subsection (a) of this section shall be subject to a civil penalty of five hundred dollars for each violation, provided such penalty shall not exceed five hundred thousand dollars for any single event.

(c) All civil penalties received pursuant to subsection (b) of this section shall be deposited into the privacy protection guaranty and enforcement account established under section 42-472a.

(P.A. 09-239, S. 19.)

History: P.A. 09-239 effective July 9, 2009.

Secs. 42-473 to 42-479. Reserved for future use.