This is Part 5 in a 6-part series on Connecticut Employment Laws You Didn’t Know Existed.
While not an “employment law” per se, Connecticut requires any private individual or company to take certain precautions to safeguard Social Security numbers and other private information. Violations of these laws are punishable by fines, civil penalties, and even imprisonment. Of course, a data breach can also subject your company to a loss of consumer confidence, which can have a devastating impact. Therefore, data protection is something every business must take seriously.
The law states that anyone who collects Social Security numbers in the course of business must create a privacy protection policy that must be published or publicly displayed. Since all employers must collect employees’ Social Security numbers for various administrative purposes, such as withholding taxes, every private employer is covered by this law.
The policy must (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers. The policy must be available to the public, even if the only Social Security numbers collected belong to employees. The law states that this can be accomplished by posting the policy on a company website, but other methods could also be appropriate. It is not necessary to draw attention to the policy, so even placing the policy in an area that is not heavily trafficked by the public should be sufficient, as long as the public can actually view the document if desired.
In addition to requiring a Social Security number privacy policy, the law prohibits (1) intentionally communicating an individual’s Social Security number to the general public, (2) printing the Social Security number on any card required for the individual to access products or services, (3) requiring an individual to transmit his Social Security number over an unencrypted Internet connection, and (4) requiring an individual to use his Social Security number to access an Internet web site unless a password or other unique identifier is also required. These requirements are generally not onerous.
Finally, the law also requires any private individual or company in possession of personal information of another person to safeguard the data, computer files, and documents containing the information from misuse by third parties, and to destroy, erase, or make unreadable such data, computer files, and documents prior to disposal. “Personal information” is information capable of being associated with a particular individual through one or more identifiers, such as a Social Security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number, or a health insurance identification number. Your privacy policy does not need to address proper handling of this information, but it is a good idea to train employees to protect this information in accordance with the law. Requiring all documents with personal information to be shredded prior to disposal is an easy way to keep personal information safe. Our team of labor and employment attorneys can help you draft and implement policies that meet your company’s unique needs.