A host of state laws require that companies take measures to protect the confidentiality of the Social Security Numbers that they possess regarding employees and consumers. But Connecticut’s new law, “AN ACT CONCERNING THE CONFIDENTIALITY OF SOCIAL SECURITY NUMBERS,” requires more. 

Connecticut is at least the third state to do so (after Michigan and Texas). In addition to the requirements that have become common among state laws (e.g., requirements to safeguard SSNs and to dispose of them in a secure fashion), Connecticut’s new law also requires that companies create, and publish to the public, a policy that protects the confidentiality of SSNs, prohibits their unlawful disclosure, and limits access to them. According to the Act, one way that the policy may be published is by posting it on an Internet Web page.

A company that intentionally violates Connecticut’s new law is subject to a civil penalty of $500 per violation, not to exceed $500,000 for any single event. In addition, if a company publishes a policy and then does not comply with it, the company could be subject to an action by the Federal Trade Commission, a state attorney general, or even an individual or class of individuals, for deceptive trade practices, consumer protection violations, and/or fraud.

Many states have Social Security Number protection laws that require companies to take measures to protect the Social Security Numbers that they possess in the course of their business. For example, many states prohibit companies from including full Social Security Numbers in mailings and from transmitting Social Security Numbers, unencrypted, over a public network (such as via unencrypted e-mail). More states are adopting Social Security Number protection laws, and at a rapid pace.

All companies should have Social Security Number protection policies that are designed to bring about compliance with these laws and the protection of Social Security Numbers from compromise. In the few states where these policies are required to be published, companies must publish them, and should appreciate the additional legal exposure that goes along with publishing their policies to the world. In many cases (as in the case of Web site privacy policies), published policies are legally construed as enforceable commitments as to the company’s practices.

Connecticut’s Act becomes effective on October 1, 2008.