When the Social Security Act was signed into law in 1935, the U.S. government assured Americans that the number would be used solely for tracking workers to ensure accurate federal retirement benefits. Since then, the Social Security number has evolved into a de facto national tracking system that is used for everything from credit applications to kindergarten enrollment. Many federal laws govern citizens’ use of their numbers, but there are no federal laws that govern how an employer can use your Social Security number. However, some state laws govern an employer's use of your Social Security number, and there are guidelines employers should follow to protect your privacy.
Federal laws protect citizens from misuse of their Social Security numbers. If an employer uses a Social Security number to obtain fraudulent documents or financial instruments or posts the number publicly, which makes it vulnerable to identity theft, it could be a violation of U.S. Cyber Crimes Law. Additionally, if the misuse includes medical information of any kind, employers may be in violation of the Health Insurance Portability and Accountability Act (HIPAA). However, if the Social Security number is simply posted on a public bulletin board, there is no national statutory recourse unless the employee can prove a direct correlation to financial damage.
In 2001, California adopted laws that make it a crime to post an employee’s Social Security number or to use it as an identification number or Internet password. It is also illegal to encode the number into any documentation, even using a bar code, and only the last four digits can be used on pay stubs or statements. Since that time, Michigan, Texas and nine additional states have adopted similar laws. Check state statutes for location-specific legislation.
The proliferation of identity theft compelled the Social Security Administration to compile a listing of Best Practices for employers’ use in meeting their responsibilities to protect employees’ Social Security numbers. Employers are encouraged to use numbers other than SSNs for employee identification purposes and encrypt all personal data that must be transmitted electronically. Additionally, the SSA suggests that employees sign confidentiality agreements if their jobs require them to have access to the Social Security numbers of others. The SSA also suggests that a privacy compliance position be instituted to provide executive oversight of sensitive document handling.
Preventing a Breach
To ensure that employee Social Security numbers are protected, employers must stay up to date on best practices as provided by the Social Security Administration and implement new procedures when needed. One step is to inventory your equipment so you know not only what hardware and software you are using, but also which version you are running. Ensure your infrastructure is secure. Even the newest computers and latest software may be missing security patches, so download and install any you discover missing. Finally, hold monthly meetings to update and train employees on cyber security procedures as threats may be internal as well as external.