Legal Updates

MARCH 2005

Social Security Number Privacy

There have been daily new reports of identity theft and security breaches involving social security numbers which can be used for identity theft. In an attempt to combat this problem, the Michigan legislature enacted the Social Security Privacy Act of 2004, which curtails the circumstances in which employers are permitted to use social security numbers. This law is effective as of March 1, 2005. All Michigan employers need to examine their current use of social security numbers to ensure that they are in compliance with this new law.

To Whom does the Act Apply?
The Act applies to all “persons.” The definition of “persons” includes individuals, partnerships, limited liability companies, associations, corporations, public or nonpublic elementary or secondary schools, trade schools, vocational schools, community or junior colleges, colleges, universities, state or local governmental agencies or departments, and any other legal entity. Accordingly, all Michigan employers need to comply with the Social Security Privacy Act.

What does the Act Prohibit
The Social Security Privacy Act is primarily aimed at prohibiting the display of social security numbers on accounts, health insurance cards, identification cards, and badges. The Act prohibits the “public display” of more that 4 sequential digits of the social security number of an employee, student, or other individual on an account. The Act also prohibits a person from visibly printing more than four sequential digits of a social security number on any identification badge or card, membership card, permit, or license. This portion of the Act is effective March 1, 2005 unless the person establishes a specific date on or before January 6, 2006, by which it will comply with this subdivision.

An individual also cannot be required to transmit more than four sequential digits of his or her social security number over the internet or a computer system network or to gain access to an internet website unless encryption and other security measures are taken.

Companies must be careful that no more than four sequential digits of an individual’s social security number be displayed in or on any document or information mailed or otherwise sent to an individual if it is visible from outside of the envelope or packaging. Also, effective January 1, 2006, a company may not include more than four sequential digits of an individual’s social security number in any document mailed to a person, except in narrowly defined circumstances such as when it is required or authorized by State or federal law, rule, regulation, court order or court rule; the document is sent as part of an application or enrollment process initiated by the individual, or the document is sent to establish, confirm the status of, service, amend, or terminate an account, contract, policy, or employee or health insurance benefit or to confirm the accuracy of a social security number of an individual who has an account, contract, policy, or employee or health insurance benefit. There are some additional exemptions.

Privacy Policy
By January 1, 2006, all persons who obtain one or more social security numbers in the ordinary course of business must create a privacy policy, which addresses the following:

Ensures the confidentiality of the social security numbers.
Prohibits unlawful disclosure of social security numbers.
Limits who has access to information or documents that contain the social security numbers
Describes how to properly dispose of documents that contain social security numbers.
Establishes penalties for violation of the privacy policy.

The privacy policy must be in the employer’s employee handbook, procedures manual, or in one or more similar documents. Such documents may be made available electronically.

Employers need to take compliance with the Social Security Privacy Act seriously. The Act provides for civil and criminal penalties for non-compliance. If you have questions regarding social security privacy or other privacy issues contact legal counsel.