On July 1, 2002, a New California Law Will Place Additional and Dramatic Limitations Upon a Company's Use of the Social Security Numbers of Customers and Employees

Recent years have seen a dramatic increase in the crime of identity theft. Although social security numbers were first used to gain access to social security programs, they are now commonly used by health care providers as member identification numbers, by colleges and universities as student identification numbers, and in many cases by employers as passwords or employee identification numbers used to access employment-related information and services. Each year, victims of identity theft spend countless hours fighting bad checks, clearing credit records, and accounting for debts they did not incur.

In an attempt to address the problem of identity theft and increase consumer protection, California recently passed a law, effective July 1, 2002, that imposes significant additional prohibitions upon companies in order to attempt to safeguard the use of social security numbers as identifiers. Senate Bill 168 (SB 168) applies to "any entity or person" (excluding "state and local agencies") and will both dramatically curb the ability of companies to use social security numbers and require the immediate reevaluation of current policies, including those that are employment-related, to ensure compliance with the new law. SB 168 also shifts control from credit bureaus and reporting agencies by empowering consumers to notify recipients of credit reports of potential fraud and further allows consumers to "freeze" their credit reports and prohibit a consumer credit reporting agency from releasing their credit report without their express authorization.

Prohibitions

Title 1.81.1 of SB 168, "Confidentiality of Social Security Numbers," codified as Civil Code, section 1798.85, et seq., is the provision that will have the most practical consequences for employers concerning the uses of and practices involving social security numbers. Specifically, section 1798.85 forbids the following:

  • Publicly posting or displaying an individual's social security number;
  • Printing an individual's social security number on any card required to access products or services;
  • Requiring an individual to transmit his or her social security number over the Internet unless the connection is secure or the social security number is encrypted;
  • Requiring an individual to use his or her social security number to access a web site unless a password or unique personal identification number is also required for access; and
  • Printing an individual's social security number on any materials that are mailed to the individual, unless applicable state or federal law requires the social security number to be on the document being mailed.

Grandfather Clause

SB 168 provides that companies with preexisting policies or practices that conflict with these prohibitions may be protected under a grandfather or "safe harbor" provision, permitting entities with such policies in existence as of July 1, 2002, to continue to apply those pre-existing policies if the following conditions are satisfied: First, the practice must be continuous and uninterrupted. If the practice ceases for any reason in the future, then the prohibitions of SB 168 will automatically apply. Second, commencing in 2002, individuals and employees must be provided with an annual disclosure advising them of their right to request that their social security numbers not be used in a manner prohibited by SB 168. Within 30 days of receipt of such a written request by an individual or employee, the company must, free of charge, cease using the individual's social security number and, additionally, may not retaliate by denying services to individuals who request that the use of their social security numbers be discontinued.

Exceptions

Beyond the "grandfather" clause described above, several exceptions exist to the coverage of SB 168. SB 168 does not affect the collection, use, or release of a social security number as required by state or federal law. For example, California Labor Code section 226(a)(7) expressly mandates that social security numbers be placed on paycheck stubs and, therefore, would be unaffected by SB 168's prohibitions. A similar rule would apply to certain IRS reporting forms that also require the use of social security numbers.

SB 168 likewise does not apply to the use of a social security number for internal verification or administrative purposes. While neither the text of SB 168 nor its legislative history lends any significant guidance in interpretation, it is reasonable to assume that employers may continue using social security numbers for internal personnel records and other human resource purposes. For example, social security information contained in employment applications or employee benefit forms kept in personnel files may still be maintained as long as employers take necessary precautions to ensure that such information is not disclosed to the public and is accessible only to a limited number of authorized individuals.

Although SB 168 proscribes the use of social security numbers in mailings to the individual, it specifically excludes social security numbers contained on applications and forms. A review of the legislative history reveals that the author intended this exception to apply to companies who have obtained credit header information that includes a consumer's name, address, telephone number, and social security number from a consumer reporting agency to solicit customers. The use of social security numbers when soliciting new customers is less of a risk for identity theft because SB 168 provides that a consumer may request in writing that the information contained in his or her file not be provided to a third party for marketing purposes.

Finally, SB 168 exempts from its requirements certain records required to be open to the public pursuant to specified state laws.

Timetables for Health-Related Entities

Due to the overwhelming costs that will be incurred by health-related entities in complying with its terms, SB 168 provides an extended time period within which such entities must comply. Specifically, "health care service plans, health care providers, insurers, pharmacy benefits managers, or a contractor," as defined in California Civil Code section 56.05(c), are subject to staggered implementation timetables beginning on January 1, 2003, and extending until January 1, 2005. While these health-related entities are obligated to make a reasonable, good-faith effort to comply with the obligations before the delayed compliance dates, upon a showing of good cause, such entities may obtain brief extensions of time of up to six months within which to comply. In addition, if a federal law is enacted requiring the United States Department of Health and Human Services to establish a national unique patient health identifier program, any entities that comply with such a law will be found to be in compliance with the requirements of section 1798.85.

Practical Implications for Businesses

Clearly, SB 168 will have a significant impact upon a wide range of company operations. To ease the administrative burden and reduce costs, many employers have made the transition towards paperless human resource departments. Consequently, many employers have turned to computers and the company intranet as an instrument to allow employees access to pertinent policies or benefits information. However, unless a company can comply with the additional security measures referenced above regarding internet access and transmission, it may be well advised to discontinue use of social security numbers altogether. In addition to their own employees, many service and client-oriented companies, such as banks, will be prohibited from including social security numbers on account statements that are mailed to customers. Additionally, although many companies have switched from using the complete nine-digit social security number of an individual or employee to using only the last four digits to access confidential information, such a substitute is not likely to be effective in complying with SB 168.

Recommendations

In light of the new prohibitions enacted under SB 168, companies are urged to conduct thorough and immediate audits of their employment and client mailing policies concerning the collection, use, and disclosure of social security numbers. Initially, a company should determine whether its practice falls under the administrative or internal verification exemptions set forth above. Where a social security number is being used for internal purposes and its dissemination is restricted, such a practice poses minimal danger of identity theft. However, due to the lack of legislative guidance and uncertainty surrounding how the exemption will be interpreted, companies are advised to minimize the use of social security numbers in their internal record maintenance systems as well and, if possible, implement alternative identifiers.

Moreover, because some employers may have invested significant financial resources and technology in computer software systems, it may be more feasible to slowly phase out, rather than immediately eliminate, the use of social security numbers. However, employers who choose to continue the use of social security numbers must make certain that they meet the conditions under the safe harbor "grandfather" provision that authorizes continued use. Finally, with respect to external policies and practices implemented after July 1, 2002, it is essential that companies devise alternative and substitute forms of identification.

Philip L. Gordon is a Shareholder in Littler Mendelson's Denver office. If you would like further information, please contact your Littler attorney at 1.888.Littler, info@littler.com, or Mr. Gordon at pgordon@littler.com.

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.