California law restricts disclosure of Social Security numbers

Computerworld - WASHINGTON -- A California law took effect today that limits disclosure of Social Security numbers, forcing businesses to remove this ubiquitous and essential identifier from forms sent to customers and used in correspondence and on identification cards.
The law, which affects any company doing businesses in California, is at the vanguard of legislation to stop identity theft and could affect business practices nationally as well as the development of laws in other states and federal laws.
"We don't have California-only systems," said Kirk Hearth, chief privacy officer at Columbus, Ohio-based Nationwide Financial Services Inc. Hearth said it was much easier to apply the California rule nationally then to segment customer data by state.
The intent of the law is to make it harder for thieves to get a hold of this crucial identifier. The Federal Trade Commission said in 1999 that it received about 450 complaints per week from possible victims of identity theft. By the end of last year, the number had skyrocketed to some 3,000 calls each week. The Social Security Administration last year reported some 65,200 allegations of Social Security number misuse, up from 11,000 in 1998.
Although companies had relatively little time to comply with the law, which was adopted last October, Hearth said the added protections were "something that a lot of us had wanted to do for some time."
The law prohibits including an individual's Social Security number on any correspondence to that person unless the law requires it. It also requires the use of encryption if the number is transmitted over the Internet.
Nationwide spent about $130,000 to comply with the law. Although the company removed Social Security numbers from some customer correspondence, Nationwide also used other techniques to hide the numbers. One involved using an algorithm that took a key to decrypt, while another hid the first five digits of the Social Security number. Another technique used by other companies involves including the Social Security number in a bar code, an industry group official said.
Congress has nearly a dozen bills pending that would restrict the use of Social Security numbers. Sens. Dianne Feinstein (D-Calif.) and Judd Gregg (R-N.H.) are sponsoring one bill that would prohibit anyone from selling or displaying a Social Security number without the cardholder's consent. That bill is seen as the leading measure, although Congress isn't expected to act on any of these bills this year, privacy and trade group observers said.
The risk for businesses is that a law could be adopted either in Congress or inanother large state that sets different requirements from those in the California law, said John C. Scott, director of retirement policy for the American Benefits Council in Washington, an industry group that represents large financial services firms as well as companies such as Caterpillar Inc. and Campbell Soup Co.
The question for businesses and industry groups "is whether they want to have a federal standard or whether they want to have this done state by state," said Scott. "Obviously, California will be a model for many other states," he said.