CHAPTER 743dd
PROTECTION OF SOCIAL SECURITY NUMBERS
AND PERSONAL INFORMATION

      Sec. 42-470. Restriction on display and use of Social Security number. (a) For the purposes of this section, "person" means any individual, firm, partnership, association, corporation, limited liability company, organization or other entity, but does not include the state or any political subdivision of the state, or any agency thereof.

      (b) Except as provided in subsection (c) of this section, on and after January 1, 2005, no person shall:

      (1) Publicly post or publicly display in any manner an individual's Social Security number. For the purposes of this subdivision, "publicly post" or "publicly display" means to intentionally communicate or otherwise make available to the general public;

      (2) Print an individual's Social Security number on any card required for the individual to access products or services provided by such person;

      (3) Require an individual to transmit such individual's Social Security number over the Internet, unless the connection is secure or the Social Security number is encrypted; or

      (4) Require an individual to use such individual's Social Security number to access an Internet web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet web site.

      (c) The provisions of subsection (b) of this section shall apply with respect to group and individual health insurance policies providing coverage of the type specified in subdivisions (1), (2), (4), (6), (10) and (12) of section 38a-469 that are delivered, issued for delivery, amended, renewed or continued on and after July 1, 2005.

      (d) This section does not prevent the collection, use or release of a Social Security number as required by state or federal law or the use of a Social Security number for internal verification or administrative purposes.

      (e) Any person who wilfully violates the provisions of subsection (b) of this section shall be fined not more than one hundred dollars for a first offense and not more than five hundred dollars for a second offense, and shall be fined not more than one thousand dollars or be imprisoned not more than six months, or both, for each subsequent offense.

      (P.A. 03-156, S. 13.)

      Sec. 42-471. Safeguarding of personal information. Social Security numbers. Privacy protection policy. Civil penalty. (a) Any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files and documents prior to disposal.

      (b) Any person who collects Social Security numbers in the course of business shall create a privacy protection policy which shall be published or publicly displayed. For purposes of this subsection, "publicly displayed" includes, but is not limited to, posting on an Internet web page. Such policy shall: (1) Protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.

      (c) As used in this section, "personal information" means information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

      (d) For persons who hold a license, registration or certificate issued by a state agency other than the Department of Consumer Protection, this section shall be enforceable only by such other state agency pursuant to such other state agency's existing statutory and regulatory authority.

      (e) Any person or entity that violates the provisions of this section shall be subject to a civil penalty of five hundred dollars for each violation, provided such civil penalty shall not exceed five hundred thousand dollars for any single event. It shall not be a violation of this section if such violation was unintentional.

      (f) The provisions of this section shall not apply to any agency or political subdivision of the state.

      (g) Any civil penalties received pursuant to this section shall be deposited into the privacy protection guaranty and enforcement account established pursuant to section 19 of substitute senate bill 30 of the February 2008, regular session*.

      (P.A. 08-167, S. 1.)

      *Note: Substitute senate bill 30 of the February 2008, regular session did not become law.

      Secs. 42-472 to 42-479. Reserved for future use.