March 25, 2005

Michigan's New Social Security Number Privacy Law

In an effort to address the growing concern over identity theft, the Michigan legislature recently enacted a new law that regulates how Social Security Numbers ("SSNs") are gathered, used, and disseminated by businesses, schools, governmental agencies and individuals. Many of the Act's provisions took effect on March 1, 2005, but compliance with certain requirements is waived until January 1, 2006. Violators are subject to criminal and civil penalties. This article does not attempt to describe every nuance of the law, but instead focuses on those areas that are likely to affect most businesses.

Common Permitted Uses

In many cases you may continue using SSNs as you have in the past. For example:

  • You may obtain a copy of a Social Security card in order to verify eligibility for employment in accordance with the Immigration Reform and Control Act.

  • You may request a SSN from an employee for tax reporting purposes (e.g., IRS Form W-4), for new-hire reporting, or for purposes of enrollment in an employee benefit plan.

  • You may request a SSN for purposes of investigating an individual's credit, claim, criminal or driving history.

  • You may obtain a SSN from a contractor or a vendor for tax reporting purposes.

  • You may ask a customer to provide a SSN for tax reporting purposes or for the purpose of establishing or administering a customer or patient account.

Account Numbers

Many businesses use SSNs as account numbers for employees or customers. The Act generally prohibits this practice, but there are several broad exceptions. Most significantly, you may use four or fewer consecutive digits of a SSN as an account number. You may also continue to use the entire SSN or more than four digits as a primary account number under any of the following circumstances:

  • To verify an individual's identity or to perform a similar administrative purpose related to an account, transaction, product, service or employment.

  • To investigate an individual's claim, credit, criminal or driving history.

  • To lawfully pursue legal rights, including for such things as an audit, collection or investigation or to transfer an employee benefit, debt, claim, receivable or account or an interest in a receivable or account.

  • To provide or administer an employee benefit or retirement plan in the ordinary course of business.

  • If the use began before March 1, 2005 and the use is ongoing, continuous and in the ordinary course of business. This exception will no longer apply, however, if the use stops for any reason.

ID Badges

You may not visibly print more than four sequential digits of a SSN on an identification badge or card, membership card, or permit or license, unless state or federal law or a court order or court rule authorizes you to do so. You must comply with this requirement by March 1, 2005, unless you implement a plan or schedule for compliance, in which case you may delay compliance until January 1, 2006.

Computer Access

You may not require an individual to use or transmit more than four consecutive digits of his or her SSN over, or to gain access to, the Internet, an Internet website or a computer system or network, unless the connection is secure or encrypted or you use password or other similar protection.

Mailings

You may not mail a document if more than four sequential digits of a SSN are visible from the outside of the envelope without manipulation.

Beginning January 1, 2006, it is unlawful to mail a document that contains more than four sequential digits of a SSN. There are also many exceptions to this general rule. For example, it is permissible to mail a document containing more than four sequential digits of a SSN for any of the reasons listed above under "Account Numbers." Other exceptions allow the mailing of a document with a SSN in any of the following circumstances:

  • As part of an application or enrollment process that the individual initiates.

  • To establish, confirm the status of, service, amend, or terminate an account, contract, policy or employee benefit or to confirm the SSN of an individual who has an account, contract, policy, or employee benefit.

  • In connection with the administration of employee benefits or stock ownership or other investments.

  • When the document is mailed by or at the request of the individual to whom the number is assigned or his or her parent or legal guardian.

  • When the document is mailed in a manner and for a purpose consistent with Subtitle A of Title V of the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act or the Michigan Insurance Code.

Privacy Policy

If you regularly obtain SSNs, then you must develop, publish and enforce a privacy policy by January 1, 2006, unless you qualify for the exemption described in the next paragraph. The policy must ensure the confidentiality of SSNs, prohibit unlawful disclosures of SSNs, limit access to documents that contain SSNs, establish procedures for disposing of documents that contain SSNs and establish penalties for violating the policy. You must publish the privacy policy in an employee handbook, procedures manual or similar document, which may be published electronically.

The new statute says that the privacy policy requirement "does not apply to a person who possesses social security numbers in the ordinary course of business and in compliance with the fair credit reporting act . . . or subtitle A of title V of the Gramm-Leach-Bliley Act . . . ." However, the extent to which this exemption applies to SSNs of employees is not clear. The Gramm-Leach-Bliley Act does not apply to information regarding employees who are not also customers. The Fair Credit Reporting Act applies to information in a consumer report. But even if an employer does not obtain a consumer report on an employee, the employer will have the employee's SSN for tax reporting purposes. Because the meaning of this exemption is not clear, it may be advisable for a bank or other employer to not rely upon it without the advice of counsel.

Recommendations

You need to be sure that you are using SSNs only for permitted business reasons and that you are properly safeguarding those SSNs. If you obtain SSNs, then you should conduct an audit of how the SSNs are obtained, used and disseminated within your organization. From the audit results, you can develop specific controls. Competent legal counsel can help you develop a privacy policy and specific procedures for gathering, using and disseminating SSNs.

* * *

Robert A. Dubault is a partner in the Muskegon office of Warner Norcross & Judd LLP. He counsels and represents employers in a wide variety of labor and employment matters, including employment discrimination, collective bargaining, labor arbitration, NLRB and MERC proceedings, and wage/hour investigations. Rob may be reached at 231.727.2638.
