New Connecticut Law Requiring Creation Of A Policy Protecting Social Security Numbers Takes Effect October 1, 2008
[22773]
August 5, 2008
TO: BROKER/DEALER ADVISORY COMMITTEE No. 24-08COMPLIANCE MEMBERS No. 36-08
OPERATIONS MEMBERS No. 11-08
PRIVACY ISSUES WORKING GROUP No. 8-08
SEC RULES MEMBERS No. 73-08
SMALL FUNDS MEMBERS No. 48-08
TECHNOLOGY COMMITTEE No. 21-08
TRANSFER AGENT ADVISORY COMMITTEE No. 39-08 RE: NEW CONNECTICUT LAW REQUIRING CREATION OF A POLICY PROTECTING SOCIAL SECURITY NUMBERS TAKES EFFECT OCTOBER 1, 2008
Effective October 1, 2008, Connecticut law requires “any person who collects Social Security numbers in the course of business” to create and either publish or publicly display (e.g., on an Internet web page) a “privacy protection policy.” [1] According to the law, such policy must:
- Protect the confidentiality of Social Security numbers;
- Prohibit unlawful disclosure of such numbers; and
- Limit access to such numbers.
For purposes of the securities industry, the Division of Securities within the Connecticut Department of Banking will be responsible for enforcing compliance with the law. We understand that the privacy notices required of SEC registrants under Regulation S-P may satisfy the new law as it applies to account holders’ and shareholders’ Social Security numbers. However, because the law appears also to extend to employees’ Social Security numbers, employers with a place of business in Connecticut may need to create and publish an additional privacy protection policy applicable to their employees’ Social Security numbers.
This new law also requires any person in possession of personal information of another person to: (1) safeguard the data, computer files, and documents containing the information from misuse by third parties and (2) destroy, erase, or make unreadable such data, computer files, and documents prior to disposal. (With respect to customer records and information, these requirements are consistent with Regulation S-P.) As defined in the law, “personal information” means information capable of being associated with any individual through one or more non-publicly available identifiers such as numbers associated with any of the following: Social Security, driver’s license, state identification card, account, credit/debit card, passport, alien registration, or a health insurance identification.
Tamara K. Salmon
Senior Associate Counsel
endnotes
[1] A copy of the new law, Public Act No. 08-167, is available on the website of the Connecticut General Assembly at: http://www.cga.ct.gov/2008/ACT/PA/2008PA-00167-R00HB-05658-PA.htm.