California Employers Face New Restrictions on the Use of Social Security Numbers
A recently-enacted California law imposes new restrictions on the use of Social Security numbers for identification purposes. The legislation ("SB 168") aims to combat identity theft with a two-pronged approach that creates broader rights for consumers with respect to their credit reports while limiting the use of Social Security numbers. While not specifically directed at employers, SB 168 can have significant ramifications for employers who rely on Social Security numbers for identification purposes.
Effective July 1, 2002, SB 168 amends the California Civil Code to provide, in section 1798.85, that no person or entity shall:
- publicly post or publicly display in any manner an individual's Social Security number;
- print an individual's Social Security number on any card required for the individual to access products or services provided by the person or entity;
- require an individual to transmit his or her Social Security number over the Internet unless the connection is secure or the Social Security number is encrypted;
- require an individual to use his or her Social Security number to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the Web site; or
- print an individual's Social Security number on any materials that are mailed to the individual, unless state or federal law requires the Social Security number to appear on the document to be mailed. Notwithstanding this provision, applications and forms sent by mail may include Social Security numbers.
While the scope of the law appears broad, there are a number of exceptions and exemptions. The legislation does not prohibit the use of a Social Security number for internal verification or administrative purposes, nor does it prohibit the collection, use or release of Social Security numbers as required by state or federal law. It also does not apply to documents that are recorded or required to be open to the public. The law does not apply to state and local agencies.
A "safe harbor" provision permits persons and entities with conflicting policies that predate SB 168's effective date of July 1, 2002, to continue to use individuals' Social Security numbers under those policies, provided all of the following conditions are met:
- use of the Social Security number is continuous;
- annual disclosures are made to individuals advising them of their right to stop the use of their Social Security number under the statute;
- written requests by individuals to stop the use of their Social Security numbers are implemented without charge within 30 days of receipt of the request; and
- services are not denied to an individual because the individual has made a written request to stop the use of his or her Social Security number.
Because the safe harbor provision requires that use of an individual's Social Security number under a non-compliant policy be "continuous" to be exempt, if the employer stops the practice for any reason, the safe harbor is lost and the employer must comply with the more stringent provisions of the new law.
Special provisions apply to health-care providers and related industries that allow SB 168's requirements to be phased in between 2003 and 2005, because of the widespread use of Social Security numbers by insurers, hospitals, pharmacies, and other providers.
Employers are advised to conduct a thorough review of the manner in which Social Security numbers are used, prior to July 1, 2002, to determine whether such use complies with the requirements of SB 168 and whether the safe harbor provision is applicable. The use of Social Security numbers for internal verification and administrative purposes is specifically permitted, but care must be taken to assure that these practices do not conflict with other provisions of the law concerning public displays and posting, Internet transmissions, and documents mailed to employees. For example, it would be permissible for human resources employees to access confidential personnel records in a database via an employee's Social Security number, but printing an employee's Social Security number on an identification badge or timecard would not be allowed unless the employer complied with the safe harbor provisions. Employers should consider replacing Social Security-based identifiers with unique employee numbers issued sequentially based on date of hire.
Finally, employers who intend to continue using Social Security numbers under the safe harbor provision must make arrangements to provide the required annual disclosures and to allow individuals to request that their Social Security numbers not be used. Any new practices with respect to Social Security numbers implemented after July 1, 2002, must comply with the provisions of Civil Code section 1798.85.