Don’t say you weren’t warned.
Back in June, I had a detailed post about a new state law that will require many companies to enact measures to protect Social Security numbers and other types of "personal information".
The new law, Public Act 08-167 (called "An Act Concerning the Confidentiality of Social Security Numbers"), is just a week away from its effective date of October 1, 2008. You can download the text of this very broad new law here.
This new state law requires all businesses that "collect Social Security numbers in the course of business" to safeguard Social Security numbers, dispose of them properly and create a policy regarding such information. It also requires all "persons" who get "personal information" on one person to safeguard such information as well.
So, what do companies and employers need to be thinking about now?
- Create a "Privacy Protection Policy"
This policy must 1) ensure confidentiality of Social Security numbers, 2) prohibit their unlawful disclosure, and, 3) limit access to them.
- Protect "Personal Information"
What is considered "Personal Information"? The Act defines it as "information capable of being associated with a particular individual through one or more identifiers".
What are some examples? Social Security number, driver’s license number, state identification card number, account numbers, credit or debit card number, passport number, alien registration number, or health insurance identification number. Presumably, this could also include an employer’s own internal system for identifying employees. Nothing in the new law prohibits employers from gathering and using this information, however.
What is not "Personal Information"? Any publicly available information lawfully made available from federal, state, or local government records or widely distributed media.
There’s still time to get ready. Adopting such policies and procedures and consulting with counsel about this is still the easiest way to avoid the penalties later on.