2017 GNYADA Membership Directory

HOT TOPICS

Social Security Number Protection Laws Many states have passed laws restricting the use, communication, posting, or mailing of Social Security numbers (SSNs). Many of these state laws prohibit (i) denying goods or services to a person who declines to give their SSN, (ii) printing of SSNs on ID cards, (iii) communicating SSNs to the public or posting or displaying them, and/or (iv) mailing SSNs within an envelope. A few states require companies that collect SSNs to have policies in place to protect the SSNs. California’s law provides a good example of prohibited activity and applies to businesses, government, and other entities. The law prohibits: • Printing SSNs on ID cards or badges; • Printing SSNs on documents mailed to customers, unless the law requires it or the document is a form or application; • Printing SSNs on postcards or any other mailer where it is visible without opening an envelope; • Avoiding legal requirements by encoding or embedding SSNs in cards or documents, such as using a bar code, chip, or magnetic stripe; • Requiring people to send SSNs over the Internet, unless the connection is secure or the number is encrypted; • Requiring people to use an SSN to log onto a website, unless a password is also used; SSNs should be truncated in any visual or printed form and be safeguarded in electronic and paper files. Encryption of Social Security numbers is a best practice for electronic records and mandatory in transmitting SSNs over electronic networks such as the Internet. Security Breach Notice Laws As noted above, many states, and even some smaller jurisdictions, have enacted laws requiring businesses, including dealerships, to give notices to their residents in the event their personal information is compromised. Texas has extended its law to cover all persons in all states. However, these laws are not consistent in terms of what types of information breaches trigger the notice requirement (often, it is name plus Social Security number, driver’s license number, or account number plus any required PIN); the timing, content, and manner of giving notice; notices to give to government agencies, law enforcement, and credit bureaus; and penalties for failure to give notices in a timely manner. If your consumer information records (physical or electronic) are wrongfully accessed or used, you may be subject to different and conflicting notice requirements depending on where the affected customers reside. Your Information Security Program must contain a response program with procedures to identify and stop the breach, notify law enforcement, and list requirements for data breach notices that comply with applicable law FTC Safeguards Enforcement Activity As previously noted, the FTC has taken a very aggressive approach toward companies with inadequate data security practices, by bringing dozens of enforcement actions using its sweeping “unfair or deceptive acts or

MEMBERSHIP

DIRECTORY

2017

124