STATE LEGISLATION RESTRICTING THE USE OF SOCIAL SECURITY NUMBERS

©2005 Investment Company Institute. All rights reserved. Information may be abridged and therefore incomplete. Communications from the Institute do not constitute, and should not be considered a substitute for, legal advice. [18875] May 20, 2005 TO: CLOSED-END INVESTMENT COMPANY MEMBERS No. 32-05 COMPLIANCE ADVISORY COMMITTEE No. 39-05 OPERATIONS MEMBERS No. 8-05 PRIVACY ISSUES WORKING GROUP No. 1-05 SEC RULES MEMBERS No. 67-05 SMALL FUNDS MEMBERS No. 47-05 TECHNOLOGY ADVISORY COMMITTEE No. 10-05 RE: STATE LEGISLATION RESTRICTING THE USE OF SOCIAL SECURITY NUMBERS During this year’s state legislative sessions several states passed laws relating to restrictions on the use of social security numbers. Maryland and Michigan passed new laws in this area, while Arizona and New Mexico amended their existing laws. Generally speaking, these laws are patterned after California’s law that was enacted in 2001 and applies to companies doing business in the state, including those out-of-state companies with investors in the state. Each of the laws enacted this year is briefly summarized below. THE MICHIGAN SOCIAL SECURITY NUMBER PRIVACY ACT A. Prohibitions Michigan’s new act, which consists of Sections 445.81-445.87 of the Michigan Compiled Laws, was effective March 1, 2005. Among other things, the act prohibits any person from intentionally: • Displaying all or more than four sequential digits of an individual’s social security number; • Using all or more than four sequential digits of a social security number as the primary account number for an individual unless the use (1) began before March 1, 2005 and (2) has been ongoing, continuous, and in the ordinary course of business; • Requiring an individual to use or transmit all or more than four sequential digits of a social security number over the Internet or a computer system unless the connection is secure or the transmission is encrypted; • Requiring an individual to use or transmit all or more than four sequential digits of a social security number to gain access to an Internet website or a computer system or 2 network unless the connection is secure, the transmission is encrypted, or a password or other unique personal identification number or other authentication device is also required to gain access to the website, system, or network; • Including all or more than four sequential digits of the social security number in or on any document or information mailed or otherwise sent to an individual if it is visible on or, without manipulation, from outside of the envelope or packaging; and • After January 1, 2006, including all or more than four sequential digits of the social security number in any document or information mailed to the person unless: (1) authorized, permitted, or required by federal law, rule, regulation, or court order; (2) the document is sent as part of an application or enrollment process initiated by the individual; (3) the document is sent to establish, confirm the status of, service, amend, or terminate an account or contract or to confirm the accuracy of the number of an individual who has an account or contract; or (4) the document or information is mailed by or at the request of an individual whose social security number appears in the document or information or his or her parent or legal guardian. Excepted from these prohibitions is any use of the social security number that is authorized or required by state or federal statute, rule, or regulation, by court order or rule, or pursuant to legal discovery or process. Notwithstanding the above prohibitions, a person may either use the social security number as the primary account number for the individual or include the social security number in a document mailed to a person if the number is used to: • Verify an individual’s identity, identify an individual, or do another similar administrative purpose related to an account, transaction, product, service, or employment or proposed account, transaction, product, service, or employment; • Detect, prevent, or deter identity theft or another crime; or • Lawfully pursue or enforce a person’s legal rights, including, but not limited to, a transfer of a tax, employee benefit, account, or interest in an account. B. Required Privacy Policy In addition to the above prohibitions, beginning January 1, 2006, the Act requires every person who obtains one or more social security numbers in the ordinary course of business to create a privacy policy that does at least all of the following concerning such social security numbers: • Ensures to the extent practicable the confidentiality of such numbers; • Prohibits unlawful disclosure of such numbers; • Limits who has access to information or documents that contain such numbers; • Describes how to properly dispose of documents that contain such numbers; and • Establishes a penalty for violation of the privacy policy. A copy of the Act is available through the website of the Michigan Legislature at: http://www.legislature.mi.gov/mileg.asp?page=getObject&objName=mcl-Act-454-of-2004 3 THE MARYLAND SOCIAL SECURITY NUMBER PRIVACY ACT (Senate Bill 280) The prohibitions and exceptions in the Maryland Act (consisting of Sections 14-3301 – 14-3303 of the Laws of Maryland) are largely identical to those in the Michigan Act with a couple of exceptions. First, the Maryland Act does not apply to the use of truncated social security numbers. Second, unlike the Michigan Act, the Maryland Act prohibits including an individual’s social security number in any material that is transmitted by facsimile to an individual. Also, the Maryland Act does not require creation of a privacy policy. Pursuant to Section 14-3303 of the Maryland Act, a person that used an individual’s social security number before January 1, 2006 in a manner that is prohibited by the new Act may continue to use the number in that manner if: the use of the number is continuous and the person provides the individual with an annual disclosure form stating the individual’s right to stop the use of the individual’s social security number in the manner prohibited by the Act. Any written request by an individual in response to this disclosure must be implemented within 30 days after its receipt. The Act expressly prohibits a person from denying products or services to an individual who makes such a written request. The Maryland Act is awaiting the Governor’s signature. Once signed, it will have an effective date of January 1, 2006. The provisions of Section 14-3303 of the Act will expire on December 31, 2008. A copy of the Act is available through the website of the Maryland General Assembly at: http://mlis.state.md.us/2005rs/bills/sb/sb0280e.pdf AMENDMENTS TO THE NEW MEXICO PRIVACY PROTECTION ACT In 2003, the New Mexico Privacy Protection Act (Sections 57-12B-1 to 57-12B-3 of the New Mexico Statutes Annotated) was enacted. Section 57-12B-3 of this Act prohibits a business from requiring a consumer’s social security number as a condition of purchasing products, goods, or services, for the business unless the consumer consents to the use or acquisition of the number or the number is “used in a manner consistent with state or federal law or as part of an application for credit or in connection with annuity or insurance transactions.” The law further requires a company acquiring or using a social security number to adopt internal policies that: (1) limit access to the social security numbers to those employees authorized to have access to that information to perform their duties; and (2) hold employees responsible if the social security numbers are released to unauthorized persons. Effective January 1, 2006, the Act has been expanded to prohibit, among other things, any business from: • Requiring the use of a social security number over the Internet without a secure connection or encryption security or to access an Internet account unless a password or unique personal identification number or other personal authentication device is also required to access the account; • Printing a social security number on materials mailed to a consumer unless authorized or required by federal or state law, although a business may require a consumer, as part of an application or enrollment process, or to establish, amend or terminate an account or contract, or to confirm the accuracy of a social security number, to enter a social security number on material to be mailed by the consumer so long as such number is not 4 required to be entered, in whole or in part, on a postcard, on an envelope, or in any other material in which the number may be visible without the envelope being opened; and • Refusing to transact business because of a refusal to provide the social security number for use of that number in a manner prohibited by the Act. The Act provides exceptions from these prohibitions for: • The use of a social security number by a business if the number was furnished for a document generated prior to January 1, 2006 and the business is copying or reproducing that document or if it exists on an original document generated prior to January 1, 2006; or • The collection, use, or release of a social security number by a business if the business complies with Section 57-12B-3 of the Act (which was part of the original Act discussed above) and if the collection, use, or release is either: part of an application or used to establish, amend, or terminate and account or contract; required or authorized by federal or state law or is required for the business to comply with federal or state law; or for internal verification or administrative purposes. The amendments to the Act are available from the website of the New Mexico Legislature at: http://legis.state.nm.us/Sessions/05%20Regular/final/HB0363.pdf AMENDMENTS TO ARIZONA’S LAW RESTRICTING THE USE OF SOCIAL SECURITY NUMBERS In 2004, Arizona enacted Section 44-1373, which restricted the use of social security numbers effective January 1, 2005. The provisions of this Section are substantively similar to those discussed above that were added this year to New Mexico’s Act. This section also includes a provision similar to Section 14-3303 of the Maryland Act, discussed above, that requires a person or entity to provide to an individual whose number is used in a manner inconsistent with the law an annual written disclosure of the individual’s right to stop such use. For purposes of this provision of Arizona law, the term “individual” mean a resident of Arizona. During this year’s legislative session, Arizona law was amended to authorize the State to impose a civil penalty of $100 against any person who violates Section 44-1373. The amendments enacted to Section 44-1373 are available through the website of the Arizona Legislature at: http://www.azleg.state.az.us/legtext/47leg/1r/bills/hb2470h%2Epdf. The provisions of Sections 44-1373.01, .02, and .03 are available, respectively, at: http://www.azleg.state.az.us/FormatDocument.asp?inDoc=/ars/44/01373.htm&Title=44&Do cType=ARS; http://www.azleg.state.az.us/FormatDocument.asp?inDoc=/ars/44/01373- 01.htm&Title=44&DocType=ARS; and http://www.azleg.state.az.us/FormatDocument.asp?inDoc=/ars/44/01373- 02.htm&Title=44&DocType=ARS. Tamara K. Salmon Senior Associate Counsel