California Limits Disclosure of Social Security Numbers

1
California Limits Disclosure of Social Security
Numbers

• Brian Conner
• Management 610

2
Overview

• Identify theft is becoming increasingly common
• California Senate Bill 168 passed that modifies
  CA Civil Code Section 1798.85
• Limits how Social Security Numbers can be used by
  a business or non-governmental entity

3
Summary

• Applies to businesses and other non-governmental
  entities doing business in California
• For all accounts opened since 7/1/2002
• For health care/insurance (not self insured)
• 1/1/03 all requirements except ID cards
• 7/1/05 ALL requirements

4
Prohibitions

• Printing SSNs on ID cards or badges required for
  the individual to access products or services
  (insurance cards, employee badges, etc.)
• Printing SSNs on documents mailed to customers,
  unless the law requires it or is a form or
  application (unless required by law or is a
  form/application)

5
Prohibitions

• Publicly posting or displaying an SSN
• Requiring people to use an SSN to log onto a
  website, unless a password is also used
• Requiring people to send SSNs over the internet,
  unless the connection is secure or the number is
  encrypted

6
Exceptions to Prohibitions

• May continue to use existing SSNs in the same
  manner if
• Use of the SSN is continuous. If stopped for any
  reason, its use may not be resumed
• Individual is given an annual disclosure that
  they have right to stop noncompliant use
• Any request to discontinue noncompliant use must
  be honored within 30 days

7
Common Employer Uses of SSNs

• Employee ID Cards
• Consider creating an alternative identifier
• Requiring use of SSNs to access benefits
• information on the Internet
• Make sure password is used, is encrypted
• Mailing quarterly benefits statements
• Consider creating an alternative identifier

8
Common Employer Uses of SSNs

• Mailing an EOB when a medical claim is submitted
• Consider creating an alternative identifier
• Personnel documents
• Can still use SSN for internal
  verification/administrative purposes (should
  control access to records)

9
Common Employer Uses of SSNs

• Posting SSNs on employee rosters
• Cannot display SSN, show partial?
• Inclusion of SSN on check stubs or
• semi-monthly statement
• Required by state law, OK

10
Pros and Cons

• Pros Protecting sensitive employee data, reduce
  likelihood of identity theft and associated
  business/employee costs
• Cons Cost of changing business processes and/or
  systems, have to interpret the ambiguities within
  the law, potential liability

11
Court Action

• Very little, if any, court action so far
• With ambiguities in current law, just wait!
• Identity theft
• Woman almost lost children to CPS

12
Recommendations

• Only use SSN when reasonably necessary for
  administration or when required by federal or
  state law
• Look into creating an alternative identifier
• If SSN does need to be used, communicate to
  employees the intended purpose consequence for
  not providing it

13
Recommendations

• Comply with the annual disclosure requirement for
  those who were using SSNs prior to 7/1/2002 in a
  manner now prohibited and are continuing to do so
• Develop written security plan
• Limit access to records, internet
  passwords/encryption, shred documents

14
Recommendations

• Eliminate public displays of SSNs by
• Not putting them on documents widely seen by
  others (badges, rosters, etc.)
• Not mailing documents with SSN except on
  applications or forms or if reqd by law
• Leaving SSN field on forms blank and have the
  individual fill it in before returning it

15
Conclusion

• Any Questions?