September 9, 2004, Introduced by Rep. Casperson and referred to the Committee on Criminal Justice.
A bill to establish the social security number privacy act
in the state of Michigan; to prescribe penalties; and to provide
remedies.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
1 Sec. 1. This act shall be known and may be cited as the
2 "social security number privacy act".
3 Sec. 2. As used in this act:
4 (a) "Person" means an individual, partnership, limited
5 liability company, association, corporation, public or nonpublic
6 elementary or secondary school, trade school, vocational school,
7 community or junior college, college, university, state or local
8 governmental agency or department, or other legal entity.
9 (b) "Publicly display" means to exhibit, hold up, post, or
10 make visible or set out for open view to members of the public or
11 in a public manner. The term does not include conduct described
1 in section 3(1)(b), (c), or (f).
2 Sec. 3. (1) Except as provided in subsection (2), a person
3 shall not knowingly do any of the following with the social
4 security number of an employee, student, or other individual:
5 (a) Publicly display all or more than 4 sequential digits of
6 the social security number.
7 (b) Subject to subsection (3), use all or more than 4
8 sequential digits of the social security number as the primary
9 account number for an individual.
10 (c) Visibly print all or more than 4 sequential digits of the
11 social security number on any identification badge or card,
12 membership card, or permit or license. However, if a person has
13 implemented or implements a plan or schedule that establishes a
14 specific date by which it will comply with this subdivision, this
15 subdivision does not apply to that person until January 1, 2006,
16 or the completion date specified in that plan or schedule,
17 whichever is earlier.
18 (d) Require an individual to use or transmit all or more than
19 4 sequential digits of his or her social security number over the
20 internet or a computer system or network unless the connection is
21 secure or the transmission is encrypted.
22 (e) Require an individual to use or transmit all or more than
23 4 sequential digits of his or her social security number to gain
24 access to an internet website or computer system or network
25 unless a password or other unique personal identification number
26 or other authentication device is first required to gain access
27 to the website.
1 (f) Include all or more than 4 sequential digits of the
2 social security number in or on any document or information
3 mailed or otherwise sent to an individual if it is visible on or,
4 without manipulation, from outside of the envelope or packaging.
5 (g) Include all or more than 4 sequential digits of the
6 social security number in any document or information mailed to
7 an individual, unless any of the following apply:
8 (i) State or federal law, rule, or regulation authorizes,
9 permits, or requires that a social security number appear in the
10 document.
11 (ii) The document is sent as part of an application or
12 enrollment process.
13 (iii) The document is sent to establish, amend, or terminate
14 an account, contract, or policy or to confirm the accuracy of a
15 social security number of an individual who has an account,
16 contract, or policy.
17 (iv) The document or information is mailed by a public body
18 in compliance with the freedom of information act, 1976 PA 442,
19 MCL 15.231 to 15.246, or is a copy of a public record filed or
20 recorded with a county register of deeds office and mailed by
21 that office to a person entitled to receive that record.
22 (2) Subsection (1) does not apply to any of the following:
23 (a) A use of all or more than 4 sequential digits of a social
24 security number that is authorized or required by state or
25 federal statute, rule, or regulation, by court order or rule, or
26 pursuant to legal discovery or process.
27 (b) A use of all or more than 4 sequential digits of a social
1 security number by a law enforcement agency, court, or prosecutor
2 as part of a criminal investigation or prosecution, or providing
3 all or more than 4 sequential digits of a social security number
4 to a law enforcement agency, court, or prosecutor as part of a
5 criminal investigation or prosecution.
6 (3) It is not a violation of subsection (1)(b) to use all or
7 more than 4 sequential digits of a social security number as a
8 primary account number if the use is any of the following:
9 (a) An administrative use of all or more than 4 sequential
10 digits of the social security number in the ordinary course of
11 business, including, but not limited to, any of the following:
12 (i) A verification of an individual's identity or other
13 similar administrative purpose related to a transaction, product,
14 or service or proposed transaction, product, or service.
15 (ii) An investigation of an individual's claim, credit,
16 criminal, or driving history.
17 (iii) Detection, prevention, or deterrence of identity theft
18 or another crime.
19 (iv) The lawful pursuit or enforcement of a person's legal
20 rights, including, but not limited to, an audit, collection,
21 investigation, or transfer of a debt, claim, receivable, or
22 account or an interest in a receivable or account.
23 (b) A use of all or more than 4 sequential digits of a social
24 security number as a primary account number that meets all of the
25 following:
26 (i) The use began before the effective date of this act.
27 (ii) The use is ongoing and continuous. If the use is
1 stopped for any reason, this subdivision no longer applies.
2 (iii) At least annually, the account holder is notified in
3 writing that he or she has the right to request in writing that
4 the person stop using all or more than 4 sequential digits of his
5 or her social security number as the primary account number. The
6 person shall implement the written request within 30 days of
7 receipt of the request, without cost to the account holder. The
8 person may not refuse to provide any services or products to an
9 individual because he or she makes a written request under this
10 subdivision.
11 Sec. 4. (1) A person who obtains 1 or more social security
12 numbers in the ordinary course of business shall create a privacy
13 policy that does at least all of the following concerning the
14 social security numbers the person possesses or obtains:
15 (a) Ensures to the extent practicable the confidentiality of
16 the social security numbers.
17 (b) Prohibits unlawful disclosure of the social security
18 numbers.
19 (c) Limits who has access to information or documents that
20 contain the social security numbers.
21 (d) Describes how to properly dispose of documents that
22 contain the social security numbers.
23 (e) Establishes penalties for violation of the privacy
24 policy.
25 (2) A person that creates a privacy policy under subsection
26 (1) shall publish the privacy policy in an employee handbook,
27 procedures manual, or other similar document.
1 Sec. 5. All or more than 4 sequential digits of a social
2 security number contained in a public record are exempt from
3 disclosure under the freedom of information act, 1976 PA 442, MCL
4 15.231 to 15.246, pursuant to section 13(1)(d) of the freedom of
5 information act, 1976 PA 442, MCL 15.243.
6 Sec. 6. (1) A person who knowingly violates section 3 is
7 guilty of a misdemeanor punishable by imprisonment for not more
8 than 93 days or a fine of not more than $1,000.00, or both.
9 (2) An individual may bring a civil action against a person
10 who violates section 3 and may recover actual damages or
11 $1,000.00, whichever is greater, plus reasonable attorney fees.
12 Enacting section 1. This act takes effect March 1, 2005.