HB-6171, As Passed House, September 29, 2004
SUBSTITUTE FOR
HOUSE BILL NO. 6171
A bill to establish the social security number privacy act
in the state of Michigan; to prescribe penalties; and to provide
remedies.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
1 Sec. 1. This act shall be known and may be cited as the
2 "social security number privacy act".
3 Sec. 2. As used in this act:
4 (a) "Child support" means support for a child, paid or
5 provided pursuant to state or federal law under a court order or
6 judgment.
7 (b) "Mailed" means delivered by United States mail or other
8 delivery service.
9 (c) "Person" means an individual, partnership, limited
10 liability company, association, corporation, public or nonpublic
11 elementary or secondary school, trade school, vocational school,
1 community or junior college, college, university, state or local
2 governmental agency or department, or other legal entity.
3 (d) "Publicly display" means to exhibit, hold up, post, or
4 make visible or set out for open view to members of the public or
5 in a public manner. The term does not include conduct described
6 in section 3(1)(b), (c), or (f).
7 (e) "Title IV-D agency" means that term as defined in section
8 2 of the support and parenting time enforcement act, 1982 PA 295,
9 MCL 552.602.
10 (f) "Vital record" means that term as defined in section 2805
11 of the public health code, 1978 PA 368, MCL 333.2805.
12 Sec. 3. (1) Except as provided in subsection (2), a person
13 shall not intentionally do any of the following with the social
14 security number of an employee, student, or other individual:
15 (a) Publicly display all or more than 4 sequential digits of
16 the social security number.
17 (b) Subject to subsection (3), use all or more than 4
18 sequential digits of the social security number as the primary
19 account number for an individual. However, if the person is
20 using the social security number under subdivision (c) and as the
21 primary account number on the effective date of this act, this
22 subdivision does not apply to that person until January 1, 2006.
23 (c) Visibly print all or more than 4 sequential digits of the
24 social security number on any identification badge or card,
25 membership card, or permit or license. However, if a person has
26 implemented or implements a plan or schedule that establishes a
27 specific date by which it will comply with this subdivision, this
1 subdivision does not apply to that person until January 1, 2006,
2 or the completion date specified in that plan or schedule,
3 whichever is earlier.
4 (d) Require an individual to use or transmit all or more than
5 4 sequential digits of his or her social security number over the
6 internet or a computer system or network unless the connection is
7 secure or the transmission is encrypted.
8 (e) Require an individual to use or transmit all or more than
9 4 sequential digits of his or her social security number to gain
10 access to an internet website or a computer system or network
11 unless the connection is secure, the transmission is encrypted,
12 or a password or other unique personal identification number or
13 other authentication device is also required to gain access to
14 the website, computer system, or network.
15 (f) Include all or more than 4 sequential digits of the
16 social security number in or on any document or information
17 mailed or otherwise sent to an individual if it is visible on or,
18 without manipulation, from outside of the envelope or packaging.
19 (g) Subject to subsection (3), beginning January 1, 2006,
20 include all or more than 4 sequential digits of the social
21 security number in any document or information mailed to a
22 person, unless any of the following apply:
23 (i) State or federal law, rule, or regulation authorizes,
24 permits, or requires that a social security number appear in the
25 document.
26 (ii) The document is sent as part of an application or
27 enrollment process initiated by the individual.
1 (iii) The document is sent to establish, confirm the status
2 of, service, amend, or terminate an account, contract, policy, or
3 employee benefit or to confirm the accuracy of a social security
4 number of an individual who has an account, contract, policy, or
5 employee benefit.
6 (iv) The document or information is mailed by a public body
7 under any of the following circumstances:
8 (A) The document or information is a public record and is
9 mailed in compliance with the freedom of information act, 1976 PA
10 442, MCL 15.231 to 15.246.
11 (B) The document or information is a copy of a public record
12 filed or recorded with a county register of deeds office and is
13 mailed by that office to a person entitled to receive that
14 record.
15 (C) The document or information is a copy of a vital record
16 recorded as provided by law and is mailed to a person entitled to
17 receive that record.
18 (v) The document or information is mailed by an individual
19 whose social security number appears in the document or
20 information or his or her parent or legal guardian.
21 (vi) The document or information is mailed in a manner or for
22 a purpose consistent with subtitle A of title V of the
23 Gramm-Leach-Bliley act, 15 USC 6801 to 6809, by a person subject
24 to that subtitle; with the health insurance portability and
25 accountability act of 1996, Public Law 104-191, by a person
26 subject to that act; or with section 537 or 539 of the insurance
27 code of 1956, 1956 PA 218, MCL 500.537 and 500.539, by a person
1 subject to those sections.
2 (2) Subsection (1) does not apply to any of the following:
3 (a) A use of all or more than 4 sequential digits of a social
4 security number that is authorized or required by state or
5 federal statute, rule, or regulation, by court order or rule, or
6 pursuant to legal discovery or process.
7 (b) A use of all or more than 4 sequential digits of a social
8 security number by a title IV-D agency, law enforcement agency,
9 court, or prosecutor as part of a criminal investigation or
10 prosecution, or providing all or more than 4 sequential digits of
11 a social security number to a title IV-D agency, law enforcement
12 agency, court, or prosecutor as part of a criminal investigation
13 or prosecution.
14 (3) It is not a violation of subsection (1)(b) or (g) to use
15 all or more than 4 sequential digits of a social security number
16 if the use is any of the following:
17 (a) An administrative use of all or more than 4 sequential
18 digits of the social security number in the ordinary course of
19 business, by a person or a vendor or contractor of a person, to
20 do any of the following:
21 (i) Verify an individual's identity, identify an individual,
22 or do another similar administrative purpose related to an
23 account, transaction, product, service, or employment or proposed
24 account, transaction, product, service, or employment.
25 (ii) Investigate an individual's claim, credit, criminal, or
26 driving history.
27 (iii) Detect, prevent, or deter identity theft or another
1 crime.
2 (iv) Lawfully pursue or enforce a person's legal rights,
3 including, but not limited to, an audit, collection,
4 investigation, or transfer of a tax, employee benefit, debt,
5 claim, receivable, or account or an interest in a receivable or
6 account.
7 (v) Lawfully investigate, collect, or enforce a child support
8 obligation or tax liability.
9 (vi) Provide or administer employee or membership benefits,
10 claims, or retirement programs or to administer the ownership of
11 shares of stock or other investments.
12 (b) A use of all or more than 4 sequential digits of a social
13 security number as a primary account number that meets both of
14 the following:
15 (i) The use began before the effective date of this act.
16 (ii) The use is ongoing, continuous, and in the ordinary
17 course of business. If the use is stopped for any reason, this
18 subdivision no longer applies.
19 Sec. 4. (1) Beginning January 1, 2006, a person who obtains
20 1 or more social security numbers in the ordinary course of
21 business shall create a privacy policy that does at least all of
22 the following concerning the social security numbers the person
23 possesses or obtains:
24 (a) Ensures to the extent practicable the confidentiality of
25 the social security numbers.
26 (b) Prohibits unlawful disclosure of the social security
27 numbers.
1 (c) Limits who has access to information or documents that
2 contain the social security numbers.
3 (d) Describes how to properly dispose of documents that
4 contain the social security numbers.
5 (e) Establishes penalties for violation of the privacy
6 policy.
7 (2) A person that creates a privacy policy under subsection
8 (1) shall publish the privacy policy in an employee handbook, in
9 a procedures manual, or in 1 or more similar documents.
10 (3) This section does not apply to a person who possesses
11 social security numbers in the ordinary course of business and in
12 compliance with the fair credit reporting act, 15 USC 1681 to
13 1681v, or subtitle A of title V of the Gramm-Leach-Bliley act, 15
14 USC 6801 to 6809.
15 Sec. 5. All or more than 4 sequential digits of a social
16 security number contained in a public record are exempt from
17 disclosure under the freedom of information act, 1976 PA 442, MCL
18 15.231 to 15.246, pursuant to section 13(1)(d) of the freedom of
19 information act, 1976 PA 442, MCL 15.243.
20 Sec. 6. (1) A person who violates section 3 is guilty of a
21 misdemeanor punishable by imprisonment for not more than 93 days
22 or a fine of not more than $1,000.00, or both.
23 (2) An individual may bring a civil action against a person
24 who violates section 3 and may recover actual damages or
25 $1,000.00, whichever is greater.
26 Sec. 7. This act takes effect March 1, 2005.