California's New Social Security Number Confidentiality Law

California's Social Security Number Confidentiality Law takes effect on July 1, 2002. Identity theft in America is on the rise, and this new law attempts to protect against it by limiting the use of social security numbers by private entities. Most employers use social security numbers for reporting and identification purposes, and this law may well impact the way you currently use social security numbers.

Effective July 1, 2002, "any entity or person," excluding state and local governmental agencies, is prohibited from:

• Publicly posting or displaying an individuals social security number;
• Printing an individual's social security number on any card required to access products or services provided by the employer. (This includes social security numbers on insurance cards, employee identification cards, security badges, and similar identification tools);
• Requiring an individual to transmit his or her social security number over the Internet, unless the connection is secure or the social security number is encrypted;
• Requiring an individual to use his or her social security number to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the Web site; and
• Printing an individual's social security number on any materials that are mailed to the individual, unless state or federal law requires the social security number to be on the document mailed (e.g., mailing I-9 and W-2 forms). Notwithstanding this provision, applications and forms sent by mail may include social security numbers.

The new law has two exceptions applicable to employers:

• It does not prevent the use of social security numbers for internal verification or administrative purposes; and
• It does not prevent the use, collection, or release of a social security number as required by state or federal law.

The total impact of the new law on California employers is still not entirely clear because the law does not define important terms such as "application," "form," or "materials" sent by mail, and "for internal verification or administrative purposes." It is also unclear whether the law applies to ERISA-governed benefits.

There is a safe harbor provision for employers who have consistently and continuously used employees' social security numbers in a manner that violates the newly-passed legislation. To qualify for the safe harbor provision the employer must:

• Engage in the non-conforming practice continuously and without interruption (the law's prohibitions automatically apply if the practices cease for any reason);
• Provide employees with an annual disclosure, beginning in 2002, informing the individual that he or she has the right to stop the use of his or her social security number in a manner prohibited by the statute;
• Implement an individual's written request to stop the use of his or her social security number in a manner prohibited by the law within 30 days of receipt of the request, and no fee or charge may be required for implementing the request; and
• Not deny services to any individual who makes a written request to stop the use of his or her social security number in a manner prohibited by statute.

The safe harbor provision may not be of significant help for California employers because employees can opt out of non-conforming social security number use any time after July 1, 2002.

We recommend that employers: (1) carefully examine their uses of employee social security numbers, (2) identify any non-conforming practices, and (3) consider modifying documents or delivery methods. We note that the use of social security numbers on the itemized statements which must accompany paychecks will remain unaffected since that use is required by California law.

Although the outlook remains unclear, this attempt by the California legislature to eradicate identity theft and protect employee privacy will impact many employers' current uses of social security numbers.