Employment Law 2
Consumer Privacy: California Limits Disclosure of an Individual's Social Security Number
by Ronald Souza
Ronald Souza is
a partner in the firm of Epstein,
Becker & Green, San Francisco, which specializes in counseling and
defending employers in litigation matters. He is a graduate of the University
of Santa Clara (cum laude) and a member of the American Board of Trial Advocates
(ABOTA). He occasionally sits as San Francisco Superior Court Judge Pro Tem
and is a frequent writer and speaker for CEB publications and seminars.
On July 1, 2002, a new
California law took effect limiting the use and disclosure of an individual's
Social Security number (SSN). The law, which affects any individual or nongovernmental
entity doing business in California, is intended to stop identity theft and
restrain consumer credit reporting agencies that are accessing personal information
through Social Security numbers, a prime vehicle for gaining personal
information.
Prohibitions on the Use of Social Security Numbers
Civil Code §1798.85(a)(1)-(5) prohibits the use of an individual's
SSN as follows:
1. A person or entity may not publicly post or display an individual's
SSN. "Publicly post" or "publicly display" means to intentionally
communicate or otherwise make available to the general public.
2. A person or entity may not print an individual's SSN on any card required
for the individual to access products or services (i.e., insurance cards,
employee badges, etc.).
3. A person or entity may not require an individual to transmit his or her
SSN over the Internet unless the connection is secure or the SSN is encrypted.
(One would have to look to current industry standards to determine what is
secure.)
4. A person or entity may not require an individual to use his or her SSN
to access an Internet website, unless a password or other authentication device
must also be used to access the site.
5. A person or entity may not print an individual's SSN on any materials
that are mailed to the individual, unless state or federal law requires the
SSN to be on the document.
The new law does not prevent the collection, use or release of an SSN if required
by state or federal law, or the use of an SSN for internal verification or
administrative purposes. CC §1798.85(d).
Exceptions to the Prohibitions on the Use of SSNs
There are two exceptions to the prohibitions set forth in the statute. The
first applies to anyone who, before July 1, 2002, was using SSNs in a manner
inconsistent with the new law. (Note: the law has a phased-in compliance schedule
for entities providing health care or insurance, which is to be completed
by July 2005.) They may continue to use the SSNs in the same manner if all
of the following conditions are met:
Exception 1:
(a) The use of the SSN is continuous. If stopped for any reason, its use may
not be resumed;
(b) The individual is given an annual disclosure (beginning immediately) that
he or she has the right to make a written request to stop the use of his or
her SSN in a prohibited manner. An entity may enumerate the general types
of prohibited uses it is engaging in. The annual disclosure must tell the
individual that he or she has a right to stop the use of the SSN in the prohibited
manner;
(c) Any request to discontinue noncompliant use of an individual's SSN
must be honored within 30 days; and
(d) There can be no fee for honoring the request, or denial of services because
of it.
Exception 2:
The second exception is to the prohibition on the printing of an individual's
SSN on materials that are mailed to the individual. An exception is made for
"applications and forms" sent by mail. Although the statute does
not define "applications and forms," it is likely that the use of
SSNs on applications and forms that a person fills out and sends in, for example,
to make a choice, request a service, or order a product would be permissible
under this exception.
Common Employer Uses of SSNs
This new law will likely have the greatest impact on employers and health
care providers. (Note: the law provides unique requirements to health care
providers, which are beyond the scope of this article). The following are
some of the common uses of SSNs by employers:
1. Employee ID cards.
Where employee ID cards or health insurance cards contain the employee's
SSN, employers should consider creating a personal identifier to substitute
for the SSN.
2. Requiring use of SSNs for access to benefits information via intranet/Internet
sites.
An individual may be required to use his or her SSN to access an internet
website if: (1) an additional password or other authentication device is also
used to access the site; and (2) the SSN is encrypted or the connection is
secure.
3. Mailing quarterly benefit statements containing an employee's SSN
to employees who participate in the employer's 401(k) plan.
Employers should consider creating a personal identifier to substitute for
the SSN.
4. Mailing an explanation of benefits ("EOB") to an employee when
a medical plan claim is submitted, or mailing benefit plan enrollment materials.
Employers should consider creating a personal identifier to substitute for
the SSN.
5. Posting SSNs on employee rosters.
This would violate the prohibition on publicly posting or displaying an individual's
SSN.
6. Inclusion of SSNs on final paycheck stubs.
Since inclusion of the SSN on each wage payment is required by state law (Lab
C §26), this practice does not violate the new law.
7. Other personnel documents.
The law does not prevent the collection, use or release of an SSN for internal
verification or administrative purposes.
General Recommendations for Organizations to Avoid Violation of California
Civil Code Section 1798.85
The California Department of Consumer Affairs' Office of Privacy Protection,
whose purpose is to protect the privacy of individuals' personal information,
is directed by law to make recommendations to organizations for privacy policies
and practices to ensure the protection of California consumers' interests.
The department recently issued guidelines for organizations to assist them
in protecting the confidentiality of individuals' SSNs. These practices
address the provisions of CC §1798.85. Pursuant to the guidelines, it
is recommended that individuals and nongovernmental entities implement the
following procedures and practices with respect to all SSNs in their possession
belonging to their employees, customers, business partners or other individuals:
- Reduce the collection of SSNs by either collecting them only when required
by state or federal law, or doing so only as reasonably necessary for the
proper administration of lawful business activities.
- Create a personal identifier to substitute for the SSN if a unique personal
identifier is needed.
- When collecting SSNs, notify individuals of the purpose of the collection;
the intended use; whether the law requires the number to be provided;
and the consequences of not providing the number.
- Comply with the annual disclosure requirement (for those who were using SSNs
prior to July 1, 2002 in a manner now prohibited by the statute and are
continuing to do so).
- Eliminate public displays of SSNs.
- Do not send SSNs by e-mail and do not require individuals to send their SSNs
by e-mail or over the Internet unless the connection is secure or the SSN is
encrypted.
- Do not require individuals to use SSNs as passwords or codes for access to
Internet web sites or other services.
- Control access to SSNs.
Although the above recommendations
are merely guidelines, individuals and organizations that implement the recommended
policies and procedures will likely have a greater chance of success in avoiding
violations of this new California law.
Federal Laws and Laws in Other States
The California law limiting the use of SSNs is the first of its kind and could
affect the development of similar laws in other states and federal laws. Congress
has nearly a dozen bills pending that would restrict the use of Social Security
numbers. Senators Dianne Feinstein and Judd Gregg are sponsoring one bill
that would prohibit anyone from selling or displaying an SSN without the cardholder's
consent. That bill is seen as the leading measure, but according to privacy
and trade group observers, Congress is not expected to act on any of these
bills this year.
Certainly, the extent of the impact of this new California law remains to
be seen. However, the potential impact of this law and similar laws that may
follow on individuals and entities throughout the country is great in that
they may be required to change the systems used throughout their entire organizations
to access or transmit personal, business, human resources, payroll or other
information key to their operations.
Mr.
Souza will be a panelist at the
Anaheim, Sacramento, and San Francisco sessions of this CEB program
Privacy in the Workplace
Information technology, from e-mail
and voice mail, to access to the Internet, while allowing employees in the
modern economy to be productive, also affords employers greater ability to
monitor the conduct of those same employees. How far can an employer go in
monitoring its employees? And what reasonable expectation of privacy does
an employee have in today's wired world?
Top employment law specialists will address these questions and more in this
all new program. Panelists will discuss both the common law bases of employee
privacy and address recent California and Federal statutory enactments that
impact an employer's right to know what employees are doing.
If you represent employers or employees, or if you are an employer or employee,
this program is not to be missed.