A majority of states have enacted laws requiring businesses that maintain Social Security numbers of employees (or others) to keep those numbers secure and confidential. The Federal Trade Commission, pursuant to the Federal Trade Act, also requires companies to take reasonable measures to protect personal information, such as Social Security numbers. Although the laws vary from state to state, as a general policy, Social Security numbers should not be collected or maintained unless there is a business necessity to do so. When it is necessary to collect or maintain Social Security numbers (such as for employment tax and other reporting purposes), they should be protected to the fullest extent possible. When handling documents that include Social Security numbers, the numbers should be redacted so that no more than four sequential digits are shown.
By following the policies and procedures set forth below with respect to the Social Security numbers that an organization must collect and maintain, an organization should be able to comply with the state laws and Federal Trade Commission guidelines:
1. Do not publicly post or publicly display in any manner an individual's Social Security number. To "publicly post or display" means to intentionally communicate the number or otherwise make it available to the general public or to co-workers.
2. Do not print an individual's Social Security number on any materials mailed to the individual (unless state or federal law requires or expressly permits the Social Security number to be on the document mailed) on a postcard or other mailer not requiring an envelope, or in a manner in which the Social Security number is visible without the envelope being opened.
3. Do not include an individual's Social Security number in any material that is e-mailed to the individual, require an individual to transmit his or her Social Security number over the Internet, or initiate the transmission of an individual's Social Security number over the Internet unless the electronic connection is secure, the Social Security number is encrypted, or the transmission without these safeguards is required by law.
4. Do not include an individual's Social Security number in any material that is faxed, unless otherwise required by law.
5. Do not require an individual to use his or her Social Security number to access the Internet, unless a password or unique personal identification number or other authentication device is also required to access the Internet.
6. Do not print a Social Security number on a receipt issued for the purchase of products or services or on any card required to access products or services.
7. Do not encode or embed a Social Security number in or on a card or document, such as by using a barcode, chip, magnetic strip or other technology.
8. Do not display a Social Security number on a credit card or debit card issued or distributed by the business.
9. Except as otherwise provided by state or federal law, do not deny goods or services to an individual based on the individual's refusal to provide a Social Security number, or require an individual's Social Security number as a condition for the individual to lease or purchase products, goods, or services from the business.
10. Do not assign or use a number as the primary account identifier that is identical to or incorporates an individual's complete Social Security number.
11. Do not sell, lease, loan, trade, rent or otherwise intentionally disclose Social Security numbers obtained from individuals in the course of business.
12. Do not require an individual to use his or her Social Security number as an employee number for any type of employment-related activity.
13. Do not print an individual's Social Security number on identification cards or badges.
14. Do not print employee Social Security numbers on paychecks, notices of direct deposit or notices of credit to any other account.
15. Restrict access to the individual Social Security numbers the employer holds so that only employees who require the numbers in order to perform their job duties have access to the numbers.
16. Create a privacy policy that includes all of the following:
    (a) provisions to ensure, to the extent practicable, the confidentiality of the Social Security numbers;
    (b) a prohibition on the unlawful disclosure of the Social Security numbers;
    (c) limitations on who has access to information or documents that contain the Social Security numbers;
    (d) limitations on access to the Social Security numbers to those employees authorized to have access to that information to perform their duties;
    (e) provisions holding employees responsible if the Social Security numbers are released to unauthorized persons;
    (f) procedures for proper disposal of documents that contain the Social Security numbers;
    (g) penalties for violation of the privacy policy; and
    (h) procedures regarding (i) the manner in which personal information is collected, (ii) how and when personal information is used, (iii) how personal information is protected, (iv) who has access to personal information, and (v) how personal information is disposed of.
The privacy policy should be published in the employee handbook or similar document, which may be made available electronically.