WORKPLACE LAW -
Identify Theft & Social Security Numbers

Question:

In my line of work, we regularly ask our clients for their social security numbers for identification purposes.  I saw your recent article about identity theft and wondered whether we're allowed by law to ask for Social Security numbers and to keep this information in our files?

Answer:

The rules with regard to Social Security numbers have changed drastically over the years. First created in 1936 for the purpose of administering the Social Security laws, Social Security numbers were originally intended for use exclusively by the federal government as a means of tracking earnings. Over time, however, Social Security numbers became used for purposes unrelated to the administration of the Social Security system, such as use as taxpayer identification numbers.

In response to growing concerns, Congress passed the Privacy Act of 1974 which provided that any agency requesting that someone disclose his or her Social Security numbers must inform that individual whether that disclosure is mandatory, and what the number would be used for. The intent behind the Act was to limit the collection of Social Security numbers to only those situations where there was clear legal authority to do so. It was hoped that informing people of the requirements regarding disclosure of Social Security numbers would make them unlikely to disclose the numbers, and that institutions would not pursue Social Security numbers as a form of identification.

Despite this legislative intent, large amounts of personal information and sensitive data, including tax information, credit information, school records, and medical records, is still directly tied to one’s Social Security number. This has prompted states like California to take additional steps in safeguarding Social Security numbers and the information that is linked to them. For instance, California places important restrictions on use of Social Security numbers, and prohibits public posting of a Social Security number as well as printing the number on an identity card, pay stub, or document used to obtain a product or service. In addition, businesses that use Social Security numbers to identify customers are no longer permitted to print the Social Security numbers on invoices or bills sent through the mail.

While an individual is generally not legally compelled to provide his or her Social Security number to a private business, there is no law that prevents a business from requesting someone’s Social Security number. However, California’s Office of Privacy Protection recommends that businesses follow the following guidelines in order to ensure that they are complying with California’s privacy laws:

• Collect Social Security numbers only where required to do so by federal or state law, and inform the individual of the purpose for the collection, the intended use, whether the law requires the number to be provided or not, and the consequences of not providing the number.
• Notify individuals of their right to request that you do not post or publicly display their Social Security number.
• Do not put Social Security numbers on documents that are widely seen by others, such as identification cards, badges, time cards, employee rosters, bulletin board postings, and other materials.
• Do not send documents with Social Security numbers on them through the mail, except on applications or forms, or when required by law. When sending applications, forms or other documents required to carry Social Security numbers through the mail, place the number where it will not be seen. Where possible, leave the Social Security number field on forms and applications blank.
• Do not send or request Social Security numbers by email unless the connection is secure and/or the number is encrypted.
• Do not require individuals to use Social Security numbers as passwords or codes for access to Internet web sites or other services.

If you do need to request and store individuals’ Social Security numbers, the Office of Privacy Protection recommends that you limit access to those records to only those who need to see the numbers for the performance of their job duties. Businesses should also take steps to protect records containing Social Security numbers, including back-ups, encrypting the numbers in electronic records, and/or storing physical records in locked cabinets away from other identifying information. Records containing Social Security numbers should not be stored on computers or other electronic devices that are not secured against unauthorized access.

In addition, it is a good idea to provide employees with training for protecting the confidentiality of Social Security numbers, and written policies that require employees to properly secure records containing Social Security numbers and to promptly report any inappropriate disclosure or loss of records containing Social Security numbers. Employees should also be trained to destroy records containing Social Security numbers in a way that protects their confidentiality, such as shredding. Lastly, business owners may want to conduct regular risk assessments and audits of their record systems that contain Social Security numbers, so they can be sure that the company and its employees are in compliance with the law and are taking all necessary steps to safeguard this sensitive information.

Additional information and recommendations can be found at the California Office of Privacy Protections’ website at:
http://www.privacy.ca.gov/ssn.htm .
- - - - - - - - - - - - - - - - - - - - - - - - - -
Back to Menu- Work Place Law 2010 Articles

• Work Place Law
• Current
• Archives
• Legal Commentary
• Legal Links