California law restricts disclosure of Social Security numbers

A California law took effect today that
limits disclosure of Social Security numbers, forcing
businesses to remove this ubiquitous and essential identifier
from forms sent to customers and used in correspondence
and on identification cards.

By PATRICK THIBODEAU ComputerWorld

The law, which affects any company doing businesses in
California, is at the vanguard of legislation to stop identity
theft and could affect business practices nationally as well
as the development of laws in other states and federal laws.

"We don’t have California-only systems," said Kirk Hearth,
chief privacy officer at Columbus, Ohio-based Nationwide
Financial Services Inc. Hearth said it was much easier to
apply the California rule nationally then to segment customer
data by state.

The intent of the law is to make it harder for thieves to get
ahold of this crucial identifier. The Federal Trade Commission
said in 1999 it received about 450 complaints per week from possible victims of identity theft. By the end of last year, the
number had skyrocketed to some 3,000 calls each week. The Social Security Administration last year reported some
65,200 allegations of Social Security number misuse, up from 11,000 in 1998.

Although companies had relatively little time to comply with the law, which was adopted last October, Hearth said the
added protections were "something that a lot of us had wanted to do for some time."

The law prohibits including an individual’s Social Security number on any correspondence to that person unless the law
requires it. It also requires the use of encryption if the number is transmitted over the Internet.

Nationwide spent about $130,000 to comply with the law. Although the company removed Social Security numbers from
some customer correspondence, Nationwide also used other techniques to hide the numbers. One involved using an
algorithm that took a key to decrypt, while another hid the first five digits of the Social Security number. Another technique
used by other companies involves including the Social Security number in a bar code, an industry group official said.

Congress has nearly a dozen bills pending that would restrict the use of Social Security numbers. Sens. Dianne Feinstein
(D-Calif.) and Judd Gregg (R-N.H.) are sponsoring one bill that would prohibit anyone from selling or displaying a Social
Security number without the cardholder’s consent. That bill is seen as the leading measure, although Congress isn’t
expected to act on any of these bills this year, privacy and trade group observers said.

The risk for businesses is that a law could be adopted either in Congress or in another large state that sets different
requirements from those in the California law, said John C. Scott, director of retirement policy for the American Benefits
Council in Washington, an industry group that represents large financial services firms as well companies such as
Caterpillar Inc. and Campbell Soup Co.

The question for businesses and industry groups "is whether they want to have a federal standard or whether they want to
have this done state by state," said Scott. "Obviously, California will be a model for many other states," he said.

http://computerworld.com/securitytopics/security/privacy/story/0,10801,72419,00.html