PA 08-167—sHB 5658
General Law Committee
AN ACT CONCERNING THE CONFIDENTIALITY OF SOCIAL SECURITY NUMBERS
SUMMARY: This act requires anyone possessing personal information about another person to safeguard it and the computer files and documents that contain it. “Personal information” is information that can be associated with an individual through an identifier like a Social Security number.
It requires a business that collects Social Security numbers to create a privacy protection policy that must ensure confidentiality of Social Security numbers.
The act exempts state agencies and political subdivisions from the duty to safeguard personal information.
It subjects violators to a civil penalty of $500 for each violation, up to a maximum of $500,000 per event. It provides that a violation is not a violation if it is unintentional. Civil penalties must be deposited into the Privacy Protection Guaranty and Enforcement Account. (Because legislation establishing the account was not enacted, penalties will presumably be deposited into the General Fund.)
EFFECTIVE DATE: October 1, 2008
DUTY TO SAFEGUARD PERSONAL INFORMATION
The act requires anyone in possession of personal information about another person to safeguard the data and computer files and documents containing it from misuse by third parties and to destroy, erase, or make unreadable any document, computer file, or data before disposing of it. For this purpose, “personal information” means information capable of being associated with a particular individual through one or more identifiers, such as a Social Security number, driver's license number, state identification card number, account number, credit or debit card number, passport number, alien registration number, or health insurance identification number. It does not include publicly available information lawfully made available from federal, state, or local government records or widely distributed media.
PRIVACY PROTECTION POLICIES
The act requires anyone that collects Social Security numbers in the course of business to create a privacy protection policy that must be published or publicly displayed, which includes posting it on an Internet web page. The policy must ensure confidentiality of Social Security numbers, prohibit their unlawful disclosure, and limit access to them.
For persons and entities that hold a state license, registration, or certificate issued by a state agency other than the Department of Consumer Protection, the act provides that its provisions restricting the dissemination of Social Security numbers and on safeguarding personal information are enforceable by the agency that issued the credential using its existing statutory and regulatory authority.
Prohibition Against Publicly Disclosing Social Security Numbers
With certain exceptions, the law prohibits individuals and businesses from publicly disclosing Social Security numbers. The prohibition does not prevent the numbers from being (1) collected, used, or released as required by state or federal law or (2) used for internal verification or administrative purposes (CGS § 42-470).
The law also prohibits:
1. intentionally communicating or otherwise making available to the general public an individual's Social Security number;
2. printing anyone's Social Security number on a card that the person or entity must use to access the person or entity's products or services;
3. requiring anyone to transmit his or her Social Security number over the Internet, unless the connection is secure or the number is encrypted; or
4. requiring anyone to use his or her Social Security number to access an Internet web site, unless a password or unique personal identification number or other authentication is also required to access it.
OLR Tracking: DD: VR: PF: ts