Report Title:
Identity Theft; Social Security Information
Description:
Prohibits businesses, subject to limited exceptions, from disclosing an individual's social security number to the general public, printing the SSN on an identification card or in mailings to customers, requiring the transmission of a SSN to third parties; and selling or otherwise disclosing the SSN to third parties without written consent. (CD1)
|
THE SENATE |
S.B. NO. |
2293 |
|
TWENTY-THIRD LEGISLATURE, 2006 |
S.D. 2 |
|
|
STATE OF HAWAII |
H.D. 1 |
|
|
|
C.D. 1 |
A BILL FOR AN ACT
RELATING TO SOCIAL SECURITY NUMBER PROTECTION.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
SECTION 1. The legislature finds that identity theft is a serious crime, with lasting negative repercussions on the finances and life of the person whose identity was stolen. One of the tools most frequently used to steal a person's identity is the person's social security number. While it was originally introduced by the federal government to keep track of payroll taxes, its use has spread so that it has virtually become a universal identifier. Security experts recommend, to the greatest extent possible, that people protect their social security number and use it only for its intended federal purposes.
The purpose of this Act is to minimize the abuses associated with the fraudulent use of a social security number by restricting its use as an identifier.
SECTION 2. The Hawaii Revised Statutes is amended by adding a new chapter to title 26 to be appropriately designated and to read as follows:
"CHAPTER
SOCIAL SECURITY NUMBER PROTECTION
§ -1 Definitions. As used in this chapter:
"Business" means a sole proprietorship, partnership, limited partnership, corporation, limited liability company, association, or any other form of business entity. The term also includes a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this State, any other state, the United States, or any other country, or the parent or the subsidiary of any such financial institution. The term also includes an entity whose business is records destruction.
"Government agency" means any department, division, board, commission, public corporation, or other agency or instrumentality of the State or of any county.
"Redacted" means the rendering of data so that it is unreadable or is truncated so that no more than the last four digits of the identification number are accessible as part of the data.
§ -2 Social security number protection. (a) Except as otherwise provided in subsection (b), a business or government agency may not do any of the following:
(1) Intentionally communicate or otherwise make available to the general public an individual's entire social security number;
(2) Intentionally print or imbed an individual's entire social security number on any card required for the individual to access products or services provided by the person or entity;
(3) Require an individual to transmit the individual's entire social security number over the Internet, unless the connection is secure or the social security number is encrypted;
(4) Require an individual to use the individual's entire social security number to access an Internet website, unless a password or unique personal identification number or other authentication device is also required to access the Internet website; and
(5) Print an individual's entire social security number on any materials that are mailed to the individual, unless the materials are employer-to-employee communications, or where specifically requested by the individual.
(b) Subsection (a) shall not apply to:
(1) The inclusion of a social security number in documents that are mailed and:
(A) Are specifically requested by the individual identified by the social security number;
(B) Required by state or federal law to be on the document to be mailed;
(C) Required as part of an application or enrollment process;
(D) Used to establish, amend, or terminate an account, contract, or policy; or
(E) Used to confirm the accuracy of the social security number for the purpose of obtaining a credit report pursuant to 15 U.S.C. section 1681(b).
A social security number that is permitted to be mailed under this paragraph may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened;
(2) The opening of an account or the provision of or payment for a product or service authorized by an individual;
(3) The collection, use, or release of a social security number to investigate or prevent fraud; conduct background checks; conduct social or scientific research; collect a debt; obtain a credit report from or furnish data to a consumer reporting agency pursuant to the Fair Credit Reporting Act, 15 U.S.C. Sections 1681 to 1681x, as amended; undertake a permissible purpose enumerated under the federal Gramm Leach Bliley Act, 15 U.S.C. Sections 6801 to 6809, as amended; locate an individual who is missing or due a benefit, such as a pension, insurance, or unclaimed property benefit; or locate a lost relative;
(4) A business or government agency acting pursuant to a court order, warrant, subpoena, or when otherwise required by law;
(5) A business or government agency providing the social security number to a federal, state, or local government entity including a law enforcement agency or court, or their agents or assigns;
(6) The collection, use, or release of a social security number in the course of administering a claim, benefit, or procedure relating to an individual's employment, including an individual's termination from employment, retirement from employment, injuries suffered during the course of employment, and other related claims, benefits, or procedures;
(7) The collection, use, or release of a social security number as required by state or federal law;
(8) The sharing of the social security number by business affiliates;
(9) The use of a social security number for internal verification or administrative purposes;
(10) A social security number that has been redacted; and
(11) Documents or records that are recorded or required to be open to the public pursuant to the constitution or laws of the State or court rule or order.
(c) A business or government agency covered by this section shall make reasonable efforts to cooperate, through systems testing and other means, to ensure that the requirements of this chapter are complied with.
§ -3 Penalties; civil action. (a) Any business that violates any provision of this chapter shall be subject to penalties of not more than $2,500 for each violation. The attorney general or the executive director of the office of consumer protection may bring an action pursuant to this section. No such action may be brought against a government agency.
(b) In addition to any penalty provided for in subsection (a), any business that violates any provision of this chapter shall be liable to the injured party in an amount equal to the sum of any actual damages sustained by the injured party as a result of the violation. The court in any action brought under this section may award reasonable attorneys' fees to the prevailing party. No such action may be brought against a government agency.
(c) The penalties provided in this section shall be cumulative to the remedies or penalties available under all other laws of this State.
§ -4 Reporting requirements. A government agency shall submit a written report to the legislature within twenty days after the discovery of a material occurrence of a social security number disclosure by the government agency that is prohibited by this chapter. The report shall contain information relating to the nature of the incident, the number of individuals affected by the incident, and any procedures that have been implemented to prevent the incident from reoccurring. In the event that a law enforcement agency informs the government agency that the report may impede a criminal investigation or jeopardize national security, the report to the legislature may be delayed until twenty days after the law enforcement agency has determined that the report will no longer impede the investigation or jeopardize national security."
SECTION 3. This Act shall take effect on July 1, 2007.