Employers doing business in Pennsylvania should review their practices regarding the use and disclosure of social security numbers in light of a new state law increasing protection against their theft and improper use. With some exceptions, S.B. 601 applies to Pennsylvania businesses and government agencies and is effective 180 days from enactment. Governor Ed Rendell signed the legislation on June 29, 2006.
The new law prohibits certain activities involving SSNs including:
- publicly posting an individual's SSN in any manner
- printing an individual's SSN on any card required for the individual to access the products or services provided by the entity subject to the new law
- requiring an individual to transmit his or her SSN over the internet, unless the transmission is encrypted; or requiring an individual to use the SSN to access a website unless a password or unique personal identification number or other authentication device is also required, and
- printing an individual's SSN on any materials that are mailed to an individual, except where required by federal or state law (such as a W-2 form), but in no event may the SSN be visible on the mailer, such as using a postcard.
However, SSNs may be included in applications and forms sent by mail, including documents sent (i) as part of an enrollment process, (ii) to establish, amend or terminate an account, contract or policy, or (iii) to confirm the accuracy of an SSN.
In addition, entities that have used SSNs prior to the legislation's effective date in a manner inconsistent with S.B. 601 may continue to do so following the effective date, provided that (i) the use is continuous and (ii) the entity provides the individual with an annual notice that informs him or her of his or her right to request that the entity stop using the SSN in that manner. If the entity's use stops for any reason, the requirements under S.B. 601 attach. Individuals who receive the annual disclosure can request in writing that the use of their SSN be discontinued, and the entity must comply within 30 days.
S.B. 601 provides that it may not be construed to prevent the collection, use or release of an SSN required by federal or state law, or to prevent the use of an SSN for internal verification, administrative or law enforcement purposes.
The protections under S.B. 601 do not apply to (i) financial institutions covered by the Gramm-Leach-Bliley Act; (ii) "covered entities" subject to the privacy regulations issued under the Health Insurance Portability and Accountability Act; or (iii) entities subject to the federal Fair Credit Reporting Act. Thus, for example, since employers are not covered entities under the HIPAA privacy regulation, employers in Pennsylvania would have to comply with these new requirements, unless another exception applies.
Violations of S.B. 601 are punishable by fines of $50 to $500 for first offenses and $500 to $5,000 for subsequent offenses.
A copy of the legislation can be obtained at:
Employers in Pennsylvania should review their current practices with regard to the use and disclosure of SSNs in light of this new legislation. If you have any questions regarding this legislation or any other workplace privacy or employee benefits questions, please contact the Jackson Lewis attorney with whom you regularly work.