November 2, 2011
DISCLOSURE OF SOCIAL SECURITY NUMBERS
By: James Orlando, Associate Analyst
You asked for information on Connecticut laws that prohibit or restrict the use or disclosure of Social Security numbers (SSNs).
Many state laws restrict the disclosure of SSNs in various circumstances. There are restrictions on businesses and other private entities disclosing SSNs, including civil and criminal penalties for violations. The law requires private parties to safeguard other people's SSNs from misuse by third parties and failure to do so can lead to civil penalties. Criminal identity theft can involve the misuse of another person's SSN. Businesses must also disclose if they have been subject to a security breach of computerized data containing SSNs.
The law restricts the disclosure of SSNs by government agencies. Restrictions apply to various vital records (such as marriage licenses and birth and death certificates), voter registration forms, land records, and motor vehicle records, among others. Generally, these provisions restrict who may access government records containing SSNs or specify permissible uses. For example, municipal tax collectors can identify taxpayers by their SSNs, but cannot disclose those SSNs to any other person or state or municipal entity.
Below, we summarize state laws that prevent or limit the way private parties or the government can use or disclose SSNs.
INDIVIDUALS AND BUSINESSES
Disclosure of Social Security Numbers by Individuals and Businesses
With certain exceptions, the law prohibits the public disclosure of SSNs by individuals and businesses, other than the state, state agencies, or the state's political subdivisions. Individuals and businesses may not:
1. intentionally communicate or otherwise make available to the general public an individual's SSN;
2. print anyone's SSN on any card that the person must use to access the person's or entity's products or services;
3. require anyone to transmit his or her SSN over the Internet, unless the connection is secure or the number is encrypted; or
4. require anyone to use his or her SSN to access an Internet web site, unless a password or unique personal identification number or other authentication is also required to access it.
The law does not prevent SSNs from being (1) collected, used, or released as required by state or federal law or (2) used for internal verification or administrative purposes.
The penalty for willful violations is (1) up to a $100 criminal fine for a first offense; (2) up to $500 for a second offense; and (3) up to $1,000, six months in prison, or both, for subsequent offenses. Willful violators are also subject to a civil penalty of $500 for each violation, up to a maximum of $500,000 per event (CGS § 42-470).
Safeguarding Personal Information and Privacy Protection Policy
The law requires anyone (other than state agencies or political subdivisions of the state) possessing specified personal information, including SSNs, about another person to safeguard the data and computer files and documents containing it from misuse by third parties and to destroy, erase, or make unreadable any document, computer file, or data before disposing of it. A financial institution's adoption of safeguards that comply with the federal Gramm-Leach-Bliley Act constitutes compliance with this law.
The law also requires anyone (other than state agencies or political subdivisions of the state) that collects SSNs in the course of business to create a privacy protection policy that must be published or publicly displayed, which includes posting it on the Internet. The policy must ensure confidentiality of SSNs, prohibit their unlawful disclosure, and limit access to them.
The law subjects intentional violators to a civil penalty of $500 for each violation, up to a maximum of $500,000 per event.
A state agency, other than the Department of Consumer Protection (DCP), that issues a license, registration, or certificate or supervises a charter can enforce the restrictions on disseminating SSNs and safeguarding personal information against the credential holder under its statutory and regulatory authority (CGS § 42-471).
A person commits identity theft when he or she knowingly uses another person's personal identifying information (including the person's SSN) to obtain or attempt to obtain money, credit, goods, services, property, or medical information without the other person's consent. (PA 11-165 removed the requirement that the perpetrator use the person's name when obtaining or attempting to obtain these items for the action to constitute a crime.) Depending on the age of the victim and the value of the money or goods obtained, identity theft is either a class B felony (punishable by one to 20 years' imprisonment, a fine of up to $15,000, or both) or a class C felony (punishable by one to 10 years' imprisonment, a fine of up to $10,000, or both) (CGS §§ 53a-129a, -129b, -129c).
For more information on recent identity theft legislation, see OLR Report 2010-R-0495.
Misrepresentation as Internet Business
The law prohibits using the Internet or an e-mail message to solicit or induce anyone to provide specified identifying information (including SSNs) by pretending to be an on-line Internet business without the business's authorization. The attorney general or anyone aggrieved by a violation may sue to enforce the law and restrain further violations. The court may award actual damages or $25,000, whichever is greater, for each violation. It may triple the damage award if it determines that the defendant engaged in a pattern and practice of violations. A violation is also a class D felony (punishable by one to five years' imprisonment, a fine of up to $5,000, or both). Multiple violations committed in the course of a single act constitute a single violation for purposes of the criminal penalty.
An Internet service provider is not liable for identifying, removing, or disabling access to a web page or other on-line location that it believes in good faith is being used to violate the prohibition (CGS § 53-454).
Disclosing Security Breaches of Computerized Data
The law requires anyone who does business in Connecticut and who, in the ordinary course of business, owns, maintains, or licenses computerized data that includes personal information to disclose a breach of security without unreasonable delay to state residents whose personal information has been, or is reasonably believed to have been, accessed by an unauthorized person. If the business does not own the personal data, it must notify the person who owns or licenses it. “Personal information” includes an individual's first name or initial and last name in combination with other specified data, including the person's SSN.
The law imposes various requirements for the disclosure and public notice of a security breach. For example, businesses must delay public notification for a reasonable time if requested by a law enforcement agency after the agency determines that notification will impede a criminal investigation. The law also sets requirements for the security breach procedures of a business to be deemed in compliance with the law's notification requirements, regardless of the law's provisions on public notification. Failure to comply with these notification requirements constitutes an unfair trade practice (CGS § 36a-701b).
The unfair trade practices law allows the DCP commissioner to issue regulations defining what constitutes an unfair trade practice, investigate complaints, issue cease and desist orders, order restitution in cases involving less than $5,000, enter into consent agreements, ask the attorney general to seek injunctive relief, and accept voluntary statements of compliance. It also allows individuals to sue. Courts may issue restraining orders; award actual and punitive damages, costs, and reasonable attorneys' fees; and impose civil penalties of up to $5,000 for willful violations and $25,000 for violation of a restraining order.
GOVERNMENT AGENCIES AND RECORDS
Birth and Fetal Death Certificates. By law, only specified parties can obtain, access, examine, or disclose information contained in copies of birth and fetal death records and certificates less than 100 years old. Information contained in the “information for health and statistical use only” section or the “administrative purposes only” section of a birth certificate can only be disclosed if specifically authorized by the Department of Public Health for statistical or research purposes. The SSNs of the parent or parents listed on any birth certificate cannot be released to any party, except to those people or entities authorized by state or federal law (CGS § 7-51).
The SSN of the father of a child born out of wedlock may be entered on the birth certificate or birth record of the child if done in accordance with federal law (CGS § 7-50).
Marriage Licenses. The SSNs of the parties to a marriage or civil union must be recorded in the “administrative purposes” section of the marriage or civil union license and license application. Anyone specified on the license, including the parties, officiator, and local registrar, has access to the SSNs on the license and application to process the license. Only the parties to a marriage or civil union, or entities authorized by state or federal law, may receive a certified copy of a marriage or civil union license with the SSNs on the license. Any other individual, researcher, or state or federal agency requesting a copy of a marriage or civil union license must be provided a copy with the (1) SSNs removed or redacted or (2) “administrative purposes” section omitted (CGS §§ 7-51a, 46b-25).
Death Certificates. The law requires recording decedents' SSNs on their death certificates, but for people who died after December 31, 2001, this information is recorded in an “administrative purposes” section. The people listed on the death certificate, including the informant, funeral director, embalmer, surviving spouse, conservator, physician, and town clerk, have access to the SSN and other information in the “administrative purposes” section only to process the certificate.
For deaths occurring after July 1, 1997:
1. only the surviving spouse, next of kin, or state and federal agencies authorized by federal law may obtain a certified copy of a death certificate with the decedent's SSN or with the complete “administrative purposes” section and
2. any researcher requesting a copy of a death certificate may obtain the information in the “administrative purposes” section with the decedent's SSN redacted (CGS § 7-51a).
Access by Genealogical Societies. Authorized genealogical societies have access to vital records in the custody of any registrar of vital statistics, except for records containing SSNs protected by federal law and confidential files on adoptions, gender change, gestational agreements, and paternity. For all vital records containing SSNs that are protected from disclosure pursuant to federal law, the registrar of vital statistics must redact SSNs contained on the records before issuing certified copies to genealogists (CGS § 7-51a).
Elections and Voter Registration
Voter Registration and Canvass. Prior to 2000, applications for voter registration (including those filed in person, through the Department of Motor Vehicles (DMV), by mail, and by members of the military or overseas voters) and voter canvass forms included a space for individuals to voluntarily provide their SSNs. Any SSNs on such documents filed before January 1, 2000 cannot be disclosed to the public or any government agency (CGS §§ 9-19h, -20, -23h, -26, -32).
Since 2000, mail-in voter registration applications must contain the applicant's Connecticut driver's license number or, if none, the last four digits of the applicant's SSN (CGS § 9-23h). The law specifies that a mail-in application may not be rejected due to the applicant's failure to provide his or her SSN (CGS § 9-23g).
Voter Registry. Registrars of voters may not use SSNs as voter identification numbers on voter registry lists (CGS § 9-35).
Municipal Tax Collectors
Municipal tax collectors may use SSNs to identify taxpayers. However, notwithstanding the Freedom of Information Act, municipal tax collectors must not disclose to any person or state or municipal entity the SSNs provided to them (CGS § 12-148).
Land Records; Recording of Deeds
The law allows anyone whose SSN is on a document that is to be recorded on a municipality's land records to remove it before the document is recorded (CGS § 7-27b).
Town clerks may not record a deed or similar instrument subject to the real estate conveyance tax unless the Revenue Services commissioner has furnished a tax return to the clerk and the tax due on the return has been paid. However, a person can get a deed recorded without putting his or her SSN on the return accompanying the deed (CGS § 12-497).
Nondisclosure of Private Tenant Information in Sale of Public Housing
The law prohibits any entity that buys from a housing authority all or part of a housing project from publicly disclosing a project tenant's SSN or bank account number contained in the lease agreement. It also prohibits a housing authority from disclosing a tenant's SSN or bank account number to any private person, except the purchaser of a housing project that the authority owns, without the tenant's permission. Violators can be fined up to $200 (CGS § 8-64b).
Department of Motor Vehicles Records
The law restricts the disclosure of personal information (including SSNs) contained in DMV records. The DMV may disclose personal information in DMV records to (1) government agencies (or others acting on behalf of such agencies) in carrying out their functions and (2) others who sign and file, under penalty of false statement, a statement (along with supporting documentation or information) that the information will be used only for certain purposes specified in statute (CGS § 14-10(f)(2)).
It is a class A misdemeanor (punishable by up to a $2,000 fine, up to one year's imprisonment, or both) to sell, transfer, or otherwise disclose any personal or highly restricted personal information obtained from DMV files for any unauthorized purpose. SSNs are classified as both personal and highly restricted personal information (CGS § 14-10).
Department of Developmental Services Registry of Terminations Due to Abuse or Neglect
The Department of Developmental Services (DDS) must establish and maintain a registry of individuals who have been terminated or separated from employment due to substantiated abuse or neglect. The registry must include the names, addresses, SSNs, and other specified information about the terminated individuals. The law allows DDS to disclose registry information only to specified categories of recipients for designated purposes (CGS § 17a-247b). (PA 11-26 adds charitable organizations to the list of entities that can access the registry; they need the DDS commissioner's approval, and can only access the registry to conduct background checks on volunteers they recruit to support programs for people with intellectual disabilities.)
Department of Social Services
Computerized Management Information System. State agencies that participate in the computerized management information system linking the Department of Social Services (DSS) regional offices and other state agency regional service delivery areas must provide SSNs and other specified information about their clients to other agencies using the system. The law specifies that this client information is exempt from disclosure under the Freedom of Information Act (CGS § 17b-6).
Paternity and Child Support Proceedings. Parties to a paternity or child support proceeding must file location and identification information (including SSNs) with the state case registry when so ordered. Such information cannot be disclosed or otherwise used except in connection with the administration of DSS programs and in accordance with DSS regulations (CGS §§ 17b-90, 46b-218).
There are several requirements concerning the confidentiality of employee information supplied to the Labor Department. For example, employers (except the federal government and state agencies performing intelligence or counterintelligence functions) must provide the Labor Department with the name, address, and SSNs of new employees for the Labor Department's state directory of new hires. With certain exceptions (such as information supplied in connection with child support investigations and specified public assistance programs), this information must remain confidential (CGS § 31-254).
Reports to Bureau of Rehabilitation Services
The law requires physicians and optometrists to report to the Bureau of Rehabilitation Services (BRS) specified information, including SSNs, regarding each blind person coming within their care. (They previously had to report to the Board of Education and Services for the Blind, which was merged with another entity into BRS by PA 11-44.) The reports are not subject to public inspection (CGS § 10-305).