UPDATED 12/8/08 to correct cap on penalty amount to $500,000
With all the focus this year on minimum wage, 15-year-olds in the workplace, and the like, other less-publicized bills in Connecticut still haven’t received much attention. In an earlier post, I noted that I would update readers on them when the dust settles.
One of them is Public Act 08-167 (called "An Act Concerning the Confidentiality of Social Security Numbers"), which goes into effect October 1, 2008. You can download the text of this very broad new law here. This new state law requires all businesses that "collect Social Security numbers in the course of business" to safeguard Social Security numbers, dispose of them properly, and create a policy regarding such information. It also requires all "persons" who get "personal information" on one person to safeguard such information as well. The legislature has summarized the new law here.
As an initial comment, the new law, as drafted, is extremely broad, since the "persons" who must safeguard personal information appear to include both companies and individuals. Thus, on its face, it could potentially cover situations in which your neighbor buys items at a tag sale from you and hands you a check with an account number on it. In such a case, the person receiving the check may be responsible for safeguarding the account information. Businesses that collect Social Security numbers will have additional obligations as well. Because of the broad reach of this statute, employers should consider its implications not only for their workforce, but for their customer base as well.
How does this impact employers, in particular?
Because basically all private employers in Connecticut collect Social Security numbers "in the course of their business", either for insurance purposes or employee verification, this new law appears to apply to them. While the legislative history and Governor Rell’s press release on signing the new law don’t discuss employers specifically, the broad language of the law covers employers. Until and unless the scope is clarified (to limit the application, for example, to Social Security numbers collected from customers rather than employees), employers should pay heed to this law.
So what does the new law require and dictate?
- Create a "Privacy Protection Policy"
This policy must 1) ensure the confidentiality of Social Security numbers, 2) prohibit their unlawful disclosure, and 3) limit access to them.
- Publish or Post the Privacy Policy
While the new law indicates that the policy should be published or "publicly displayed", including by posting on an Internet web page, it seems that in the workplace this will be satisfied by following the same standards that employers typically follow. Thus, the information can be included in a bulletin board posting, a company intranet, and/or an employee handbook. Distribution to each employee via e-mail or in person may also be appropriate.
- Protect "Personal Information"
The Act requires businesses (and thus employers) who have "personal information" about a person (including their employees) to safeguard the data, computer files, and documents so that the information isn’t misused by third parties. Employers must also destroy, erase, or make unreadable any such document, computer file, or data before disposing of it.
What is considered "Personal Information"? The Act defines it as "information capable of being associated with a particular individual through one or more identifiers".
What are some examples? Social Security number, driver’s license number, state identification card number, account numbers, credit or debit card number, passport number, alien registration number, or health insurance identification number. Presumably, this could also include an employer’s own internal system for identifying employees. Nothing in the new law prohibits employers from gathering and using this information, however.
What is not "Personal Information"? Any publicly available information lawfully made available from federal, state, or local government records or widely distributed media.
What are the penalties for non-compliance?
At the outset, it is important to note that there is no private right of action; in other words, if an employer violates the statute, it cannot be sued by the individual whose information is released, at least under this statute. This does not preclude the employee from raising other contractual or tort claims (such as negligence) that may exist.
The Department of Consumer Protection (and, in some instances, other departments with limited jurisdiction) has the power to enforce the statute. Intentional violations can result in a civil penalty of $500 per violation, with a $500,000 cap on a single event. Notably, this penalty provision applies only to intentional violations; unintentional violations are specifically excluded.
What can employers and businesses do now?
While there are still several months before the law becomes effective, employers (and all businesses in the state) should start formulating comprehensive data protection policies and procedures to safeguard such information. Many businesses (such as those in the health care field) have started to implement these policies, but the reach of this Act will mean that many others will need to comply.
The Workplace Privacy Counsel blog has some additional suggestions on the policy as well. Although that blog implies (unintentionally) that the law speaks directly about private employers, the law is written much more generally and in broader terms; it applies to all businesses that collect information from consumers as well.