When Social Security Numbers were initially issued in 1936 as part of the New Deal Social Security program, few could foresee that this nine digit number would evolve beyond its limited purpose to become a universal identifier replete with privacy and identity theft implications. More and more, government agencies and private entities have required the disclosure of individuals SSNs to extend their services. While the Privacy Act of 1974 largely addressed the collection and dissemination of SSNs by and among federal government agencies, state law has governed such uses by private entities. This month Governor Andrew Cuomo signed legislation A.8992 to strengthen protection of SSNs by limiting the instances where persons and businesses are allowed to require New Yorkers to provide their SSNs or numbers derived from them. (This is in addition to New York’s SSN confidentiality statute, N.Y. Gen. Bus. Law § 399-dd*4, which is similar to laws in many states.)

In March of this year, Taco Bell Corp. joined the ranks of companies that have been sued under the Telephone Consumer Protection Act ("TCPA"), not for sending an unsolicited text message to a consumer in the first instance, but for sending a confirmatory message when a consumer chose to opt out of receiving future messages. Recently, the federal district court in Ibey v. Taco Bell Corp., 12-cv-0583 (HVG) (S.D. Cal. June 18, 2012) concluded “that the TCPA does not impose liability for a single, confirmatory text message.”

On June 26, 2012, the U.S. Department of Health and Human Services (HHS) entered into a settlement with the Alaska Department of Health and Social Services (DHSS) for $1.7 million as well as a corrective action plan (CAP) for alleged security violations of the Health Insurance Portability and Accountability Act (HIPAA). This represents the first HHS action against a state agency.

On May 8th, Vermont became the most recent state to amend its security breach notification law. Among the many changes, companies that are affected by a data breach are now required to notify the Attorney General of Vermont within 45 days after the discovery or notification of the breach.

One April 17, 2012, the United States Department of Health and Human Services Office for Civil Rights (“OCR”) reached a settlement with Phoenix Cardiac Surgery (“PSC”) for alleged violations of the HIPAA Privacy and Security Rules.