recommended practices on protecting the … practices on protecting the confidentiality of social...

Recommended Practices onProtecting the Confidentiality of

Social Security Numbers

April 2008

This document is for informational purposes and should not be construed as legal advice or as policy ofthe State of California. If you want advice in a particular case, you should consult an attorney-at-lawor other expert. The document may be copied, if (1) the meaning of the copied text is not changed ormisrepresented, (2) credit is given to the California Office of Privacy Protection, and (3) all copies aredistributed free of charge.

June 2002Rev. January 2003Rev. April 2007Rev. April 2008

California Office of Privacy Protectionwww.privacy.ca.gov

866-785-9663

Contents

Introduction...............................................5 AppendicesAppendix 1: California Laws Restricting

Recommended Practices.........................7 Disclosure of SSNs....................................12

Appendix 2: Federal Laws Authorizing orNotes..........................................................10 Mandating SSNs...........................................20

Appendix 3: Federal Laws Restricting

Disclosure of SSNs.....................................23

California Office of Privacy Protection

Protecting Social Security Numbers 5

Introduction

The California Office of Privacy Protection hasthe statutorily mandated purpose of “protectingthe privacy of individuals’ personal informationin a manner consistent with the California Con-stitution by identifying consumer problems in theprivacy area and facilitating development of fairinformation practices.”1 The law specifically di-rects the Office to “make recommendations toorganizations for privacy policies and practicesthat promote and protect the interests of Cali-fornia consumers.”2

In line with those obligations, the Officeof Privacy Protection offers these recommendedpractices for protecting the confidentiality ofSocial Security numbers. While many of the rec-ommendations might be applied to protect anysensitive personal information, the focus is onSocial Security numbers because of the role theyhave come to play in the marketplace and in iden-tity theft and other forms of fraud.

In developing the recommendations, theOffice of Privacy Protection received consulta-tion and advice from an advisory committeemade up of representatives of the financial, in-surance, health care, retail and information in-dustries and of consumer privacy advocates.3 Thecommittee members’ contributions were veryhelpful and are greatly appreciated.

Unique Status of SSN As a Privacy RiskThe Social Security number (SSN) has a

unique status as a privacy risk. No other form ofpersonal identification plays such a significant rolein linking records that contain sensitive informa-tion that individuals generally wish to keep confi-dential.

Created by the federal government in 1936to track workers’ earnings and eligibility for re-

tirement benefits, the SSN is now used in boththe public and private sectors for a myriad ofpurposes totally unrelated to this original pur-pose. It is used so widely because the SSN is aunique identifier that does not change, allowing itto serve many record management purposes. 4

Today SSNs are used as representations ofindividual identity, as secure passwords, and asthe keys for linking multiple records together. Theproblem is that these uses are incompatible. Thewidespread use of the SSN as an individual iden-tifier, resulting in its appearance on mailing la-bels, ID cards, badges, and various publicly dis-played documents, makes it unfit to be a securepassword providing access to financial recordsand other personal information.5

Protecting SSNsThe broad use and public exposure of SSNs

has been a major contributor to the growth inrecent years in identity theft and other forms offraud. The need to significantly reduce the risksto individuals of the inappropriate disclosure andmisuse of SSNs, has led California to take stepsto limit their use and display.

In 2003, the public posting or display ofSSNs was prohibited. The following year, lawsthat banned printing an entire SSN on a pay stuband created a procedure for truncating the num-bers in family court records took effect. In 2007,laws were passed requiring truncation of SSNsin abstracts of judgment, tax liens, UniformCommercial Code filings and publicly availablerecords of local government agencies.6

Many other states have followedCalifornia’s lead and enacted similar laws restrict-ing the use of SSNs.7 The federal government isfocusing efforts on reducing federal agencies’ useof the numbers. In May 2007 the Office of Man-

6

agement and Budget, following up on the rec-ommendation of the President’s Task Forceon Identity Theft, issued guidance urging federalagencies to eliminate unnecessary use of SSNsand explore alternatives to the numbers as indi-vidual identifiers.8



Recommended Practices

Fair Information Practice PrinciplesIn developing these recommendations, the

California Office of Privacy Protection lookedfirst to the widely accepted principles that formthe basis of most privacy laws in the UnitedStates, Canada, Europe, and other parts of theworld. The Fair Information Practice Principlesare openness, collection limitation, purpose speci-fication, use limitation, data quality, individual par-ticipation, security and accountability.9 While theywere developed to guide the drafting of nationalprivacy legislation, the principles are also appro-priate for organizations to follow in developingtheir privacy policies and practices. The practicesrecommended here all derived from these basicprivacy principles.

The Office of Privacy Protection’s recom-mendations are intended to serve as guidelinesto assist organizations in moving towards the goalof aligning their practices with the widely ac-cepted fair information practice principles de-scribed below. They are not legal opinions orbinding regulations. These recommended prac-tices address, but are not limited to, the provi-sions of California Civil Code section 1798.85.

The recommendations are relevant for pri-vate and public sector organizations, and theyapply to the handling of all Social Security num-bers in the possession of an organization: thoseof customers, employees, and business partners.

Reduce the collection of SSNs.Fair Information Practice Principles:Collection Limitation, Use Limitation

• Collect SSNs preferably only whererequired to do so by federal or state law.

• When collecting SSNs as allowed, but notrequired, by law, do so only as reasonably

necessary for the proper administrationof lawful business activities.

• If a unique personal identifier is needed,develop your own as a substitute for theSSN.

Inform individuals when you request theirSSNs.

Fair Information Practice Principle:Openness, Purpose Specification

• Whenever you collect SSNs as required orallowed by law, inform the individuals ofthe purpose of the collection, the in-tended use, whether the law requires thenumber to be provided or not, and theconsequences of not providing thenumber.

• If required by law, notify individuals(customers, employees, business partners,etc) annually of their right to request thatyou do not post or publicly display theirSSN or do any of the other thingsprohibited in Civil Code Section1798.85(a).

Eliminate the public display of SSNs.Fair Information Practice Principle:Security

• Do not put SSNs on documents that arewidely seen by others, such as identifica-tion cards, badges, time cards, employeerosters, bulletin board postings, and othermaterials.

• Do not send documents with SSNs onthem through the mail, except on applica-tions or forms or when required by law.10

8

• When sending applications, forms orother documents required by law to carrySSNs through the mail, place the SSNwhere it will not be revealed by anenvelope window. Where possible, leavethe SSN field on forms and applicationsblank and ask the individual to fill it inbefore returning the form or application.

• Do not send SSNs by email unless theconnection is secure or the SSN isencrypted.

• Do not require an individual to send hisor her SSN over the Internet or by email,unless the connection is secure or the SSNis encrypted.

• Do not require individuals to use SSNs aspasswords or codes for access to Internetweb sites or other services.

Control access to SSNs.Fair Information Practice Principle:Security

• Limit access to records containing SSNsonly to those who need to see thenumbers for the performance of theirduties.

• Use logs or electronic audit trails tomonitor employees’ access to recordswith SSNs.

• Protect records containing SSNs, includ-ing back-ups, during storage by encrypt-ing the numbers in electronic records orstoring records in other media in lockedcabinets.

• Do not store records containing SSNs oncomputers or other electronic devices thatare not secured against unauthorizedaccess.

• Avoid sharing SSNs with other compa-nies or organizations except whererequired by law.

• If you do share SSNs with other compa-nies or organizations, including contrac-

tors, use written agreements to protecttheir confidentiality.

• Prohibit such third parties from re-disclosing SSNs, except as required bylaw.

• Require such third parties to use effectivesecurity controls on record systemscontaining SSNs.

• Hold such third parties accountable forcompliance with the restrictions youimpose, including monitoring or auditingtheir practices.

• If SSNs are disclosed inappropriately andthe individuals whose SSNs were dis-closed are put at risk of identity theft orother harm, promptly notify the individu-als potentially affected.

Protect SSNs with security safeguards.Fair Information Practice Principle:Security

• Develop a written security plan forrecord systems that contain SSNs.

• Develop written policies for protectingthe confidentiality of SSNs, including butnot limited to the following:

• Adopt “clean desk/work area” policyrequiring employees to properly securerecords containing SSNs.

• Do not leave voice mail messagescontaining SSNs and if you must send anSSN by fax, take special measures toensure confidentiality.

• Require employees to ask individuals(employees, customers, etc.) for identifiersother than the SSN when looking uprecords for the individual.

• Require employees to promptly reportany inappropriate disclosure or loss ofrecords containing SSNs to their supervi-sors or to the organization’s privacyofficer.



• When discarding or destroying records inany medium containing SSNs, do so in away that protects their confidentiality,such as shredding.11

Make your organization accountable forprotecting SSNs.

Fair Information Practice Principle:Accountability

• Provide training and written material foremployees on their responsibilities inhandling SSNs.

• Conduct training at least annually.

• Train all new employees, temporaryemployees and contract employees.

• Impose discipline on employees for non-compliance with organizational policiesand practices for protecting SSNs.

• Conduct risk assessments and regularaudits of record systems containing SSNs.

• Designate someone in the organization asresponsible for ensuring compliance withpolicies and procedures for protectingSSNs.

10

Notes

1 California Government Code section11549.5, subdivision (a).

2 California Government Code section11549.5, subdivision(c).

3 The Advisory Committee members wereVictoria Allen of the California Credit UnionLeague; Jennie Bretschneider, Legislative Aide toSenator Debra Bowen; James W. Bruner, Jr., ofOrrick, Herrington & Sutcliffe; Shelley Curranof Consumers Union; Mari Frank, Esq., privacyconsultant; Beth Givens of the Privacy RightsClearinghouse; Tony Hadley of Experian; MichaelHensley of LexisNexis; Chris Lewis of Providianand the California Chamber of Commerce;Deborah Pierce of Privacy Activism; RebeccaRichards of TRUSTe; Wendy Schmidt of Fed-erated Department Stores and the CaliforniaRetailers Association; Elaine Torres of WellsFargo Bank; and Lee Wood of the Associationof California Life & Health Insurance Compa-nies.

4 Social Security Numbers: Government Benefitsfrom SSN Use but Could Provide Better Safeguards,GAO-02-352, May 2002. Available at<www.gao.gov>.

5 Chris Hibbert, Computer Professionalsfor Social Responsibility, Frequently Asked Ques-tions on SSNs and Privacy, last modified January24, 2004. Available at <http://www.cpsr.org/issues/privacy/ssn-faql>.

6 See Appendix 1.

7 See the Compilation of State and Federal Pri-vacy Laws, published by Privacy Journal, for cur-rent information on state laws restructing the useof SSNs.

8 See OMB Memorandum M-07-17, Safe-guarding Against and Responding to the Breachof Personally Identifiable Information. The find-ings and recommendations of the President’s TaskForce on Identity Theft may be found in Combat-ting identity Theft: A Strategic Plan, April 2007, avail-able online at <www.idtheft.gov>.

9 The Fair Information Practice Principleswere first formulated by the U.S. Departmentof Health Education, and Welfare in 1973. Theymay be found in the Organisation for EconomicCooperation and Development’s Guidelines on theProtection of Privacy and Transborder Flows of Per-sonal Data, available at <www1.oecd.org>. Theprinciples are the following:

Openness: There should be a general policyof openness about the practices and policies withrespect to personal information.

Collection Limitation: Personal informationshould be collected by lawful and fair means andwith the knowledge or consent of the subject.Only the information necessary for the statedpurpose should be collected.

Purpose Specification: The purpose for col-lecting personal information should be specifiedat the time of collection. Further uses should belimited to those purposes.

Use Limitation: Personal information shouldnot be used for purposes other than those speci-



fied, except with the consent of the subject or bythe authority of law.

Data Quality: Personal information shouldbe accurate, complete, timely and relevant to thepurpose for which it is to be used.

Individual Participation: Individuals shouldhave the right to inspect and correct their per-sonal information.

Security: Personal information should beprotected by reasonable security safeguardsagainst such risks as unauthorized access, destruc-tion, use, modification, and disclosure.

Accountability: Someone in an organizationshould be held accountable for compliance withthe organization’s privacy policy. Regular privacyaudits and employee training should be conducted.

10 See Appendices 1-3 for federal and Cali-fornia laws that require the collection of SSNsor restrict the disclosure of the numbers. Thelists are not comprehensive.

11 California Civil Code section 1798.81re-quires businesses to destroy customer recordscontaining personal information by shredding,erasing, or otherwise modifying the personal in-formation in those records to make it unread-able or undecipherable, before discarding them.In addition, section 628 of the Fair Credit Re-porting Act (15 U.S. Code section 1681-1681u)requires the proper disposal of records contain-ing consumer information derived from con-sumer reports.

12

Appendix 1: CaliforniaLaws Restricting SSNDisclosurePublic Posting or Display of SSNs

Summary of Civil Code Sections 1798.85-1798.89

Civil Code Sections 1798.85-1798.86 tookeffect beginning July 1, 2002 and was phased inthrough January 1, 2007. It applies to any personor entity and prohibits the following practices:

• Posting or publicly display SSNs,

• Printing SSNs on identification cards orbadges,

• Requiring people to transmit an SSN overthe Internet unless the connection is secureor the number is encrypted,

• Requiring people to log onto a web siteusing an SSN without a password, and

• Printing SSNs on anything mailed to acustomer unless required by law or thedocument is a form or application.8

It also prohibits filing with a county recorder apublicly available document displaying more thanthe last four digits of an SSN.

Text of Civil Code Sections 1798.85-1798.89

1798.85. (a) Except as provided in this sec-tion, a person or entity may not do any of thefollowing:

(1) Publicly post or publicly display in anymanner an individual’ s social security number.“Publicly post” or “publicly display” means tointentionally communicate or otherwise makeavailable to the general public.

(2) Print an individual’s social security num-ber on any card required for the individual toaccess products or services provided by the per-son or entity.

(3) Require an individual to transmit his orher social security number over the Internet, un-less the connection is secure or the social securitynumber is encrypted.

(4) Require an individual to use his or hersocial security number to access an Internet Website, unless a password or unique personal identi-fication number or other authentication device isalso required to access the Internet Web site.

(5) Print an individual’s social security num-ber on any materials that are mailed to the indi-vidual, unless state or federal law requires the socialsecurity number to be on the document to bemailed. Notwithstanding this paragraph, socialsecurity numbers may be included in applicationsand forms sent by mail, including documents sentas part of an application or enrollment process,or to establish, amend or terminate an account,contract or policy, or to confirm the accuracy ofthe social security number. A social security num-ber that is permitted to be mailed under this sec-tion may not be printed, in whole or in part, on apostcard or other mailer not requiring an enve-lope, or visible on the envelope or without theenvelope having been opened.

(b) This section does not prevent the col-lection, use, or release of a social security num-ber as required by state or federal law or the useof a social security number for internal verifica-tion or administrative purposes.

(c) This section does not apply to docu-ments that are recorded or required to be opento the public pursuant to Chapter 3.5 (commenc-ing with Section 6250), Chapter 14 (commenc-ing with Section 7150) or Chapter 14.5 (com-mencing with Section 7220) of Division 7 ofTitle 1 of, Article 9 (commencing with Section11120) of Chapter 1 of Part 1 of Division 3 ofTitle 2 of, or Chapter 9 (commencing with Sec-



tion 54950) of Part 1 of Division 2 of Title 5 of,the Government Code. This section does notapply to records that are required by statute, caselaw, or California Rule of Court, to be madeavailable to the public by entities provided for inArticle VI of the California Constitution.

(d) (1) In the case of a health care serviceplan, a provider of health care, an insurer or apharmacy benefits manager, a contractor as de-fined in Section 56.05, or the provision by anyperson or entity of administrative or other ser-vices relative to health care or insurance productsor services, including third-party administrationor administrative services only, this section shallbecome operative in the following manner:

(A) On or before January 1, 2003, the enti-ties listed in paragraph (1) shall comply with para-graphs (1), (3), (4), and (5) of subdivision (a) asthese requirements pertain to individual policy-holders or individual contractholders.

(B) On or before January 1, 2004, the enti-ties listed in paragraph (1) shall comply with para-graphs (1) to (5), inclusive, of subdivision (a) asthese requirements pertain to new individual poli-cyholders or new individual contractholders andnew groups, including new groups administeredor issued on or after January 1, 2004.

(C) On or before July 1, 2004, the entitieslisted in paragraph (1) shall comply with para-graphs (1) to (5), inclusive, of subdivision (a) forall individual policyholders and individualcontractholders, for all groups, and for all en-rollees of the Healthy Families and Medi-Calprograms, except that for individual policyhold-ers, individual contractholders and groups in ex-istence prior to January 1, 2004, the entities listedin paragraph (1) shall comply upon the renewaldate of the policy, contract, or group on or afterJuly 1, 2004, but no later than July 1, 2005.

(2) A health care service plan, a providerof health care, an insurer or a pharmacy benefitsmanager, a contractor, or another person or en-tity as described in paragraph (1) shall make rea-sonable efforts to cooperate, through systemstesting and other means, to ensure that the re-quirements of this article are implemented on orbefore the dates specified in this section.

(3) Notwithstanding paragraph (2), the Di-rector of the Department of Managed HealthCare, pursuant to the authority granted underSection 1346 of the Health and Safety Code, orthe Insurance Commissioner, pursuant to theauthority granted under Section 12921 of theInsurance Code, and upon a determination ofgood cause, may grant extensions not to exceedsix months for compliance by health care serviceplans and insurers with the requirements of thissection when requested by the health care serviceplan or insurer. Any extension granted shall applyto the health care service plan or insurer’s affectedproviders, pharmacy benefits manager, and con-tractors.

(e) If a federal law takes effect requiringthe United States Department of Health andHuman Services to establish a national uniquepatient health identifier program, a provider ofhealth care, a health care service plan, a licensedhealth care professional, or a contractor, as thoseterms are defined in Section 56.05, that complieswith the federal law shall be deemed in compli-ance with this section.

(f) A person or entity may not encode orembed a social security number in or on a cardor document, including, but not limited to, usinga barcode, chip, magnetic strip, or other technol-ogy, in place of removing the social security num-ber, as required by this section.

(g) This section shall become operative, withrespect to the University of California, in the fol-lowing manner:

(1) On or before January 1, 2004, the Uni-versity of California shall comply with paragraphs(1), (2), and (3) of subdivision (a).

(2) On or before January 1, 2005, the Uni-versity of California shall comply with paragraphs(4) and (5) of subdivision (a).

(h) This section shall become operative withrespect to the Franchise Tax Board on January 1,2007.

(i) This section shall become operative withrespect to the California community college dis-tricts on January 1, 2007.

(j) This section shall become operative withrespect to the California State University system

14

on July 1, 2005.(k) This section shall become operative, with

respect to the California Student Aid Commis-sion and its auxiliary organization, in the follow-ing manner:

(1) On or before January 1, 2004, the com-mission and its auxiliary organization shall com-ply with paragraphs (1), (2), and (3) of subdivi-sion (a).

(2) On or before January 1, 2005, the com-mission and its auxiliary organization shall com-ply with paragraphs (4) and (5) of subdivision(a).

1798.86. Any waiver of the provisions ofthis title is contrary to public policy, and is voidand unenforceable.

1798.89. Unless otherwise required to doso by state or federal law, no person, entity, orgovernment agency shall present for recordingor filing with a county recorder a document thatis required by any provision of law to be opento the public if that record displays more thanthe last four digits of a social security number.

SSNs on Pay StubsSummary of Labor Code Section 226(a)

Labor Code Section 226 requires employ-ers to print no more than the last four digits ofan employee’s SSN, or to use an employee IDnumber other than the SSN, on employee paystubs or itemized statements. Employers mustcomply by January 1, 2008.

Text of Labor Code Section 226(a)226. (a) Every employer shall, semimonthly

or at the time of each payment of wages, fur-nish each of his or her employees, either as adetachable part of the check, draft, or voucherpaying the employee’s wages, or separately whenwages are paid by personal check or cash, anaccurate itemized statement in writing showing

(1) gross wages earned,(2) total hours worked by the employee,

except for any employee whose compensation issolely based on a salary and who is exempt frompayment of overtime under subdivision (a) ofSection 515 or any applicable order of the In-

dustrial Welfare Commission,(3) the number of piece-rate units earned

and any applicable piece rate if the employee ispaid on a piece-rate basis,

(4) all deductions, provided that all deduc-tions made on written orders of the employeemay be aggregated and shown as one item,

(5) net wages earned,(6) the inclusive dates of the period for

which the employee is paid,(7) the name of the employee and his or

her social security number, except that by Janu-ary 1, 2008, only the last four digits of his or hersocial security number or an employee identifi-cation number other than a social security num-ber may be shown on the itemized statement,

(8) the name and address of the legal entitythat is the employer, and

(9) all applicable hourly rates in effect dur-ing the pay period and the corresponding num-ber of hours worked at each hourly rate by theemployee. The deductions made from paymentsof wages shall be recorded in ink or other indel-ible form, properly dated, showing the month,day, and year, and a copy of the statement or arecord of the deductions shall be kept on file bythe employer for at least three years at the placeof employment or at a central location withinthe State of California.

SSNs in Government RecordsSummary of Commercial Code Section9526.5: Uniform Commercial Code FilingsThis law requires the Secretary of State to createversions of Uniform Commercial Code filingsthat contain only truncated SSNs.

Text of Commercial Code Section 9526.59526.5. (a) For purposes of this section, the

following terms have the following meanings:(1) “Official filing” means the permanent

archival filing of all instruments, papers, records,and attachments as accepted for filing by a filingoffice.

(2) “Public filing” means a filing that is anexact copy of an official filing except that any



social security number contained in the copiedfiling is truncated. The public filing shall have thesame legal force and effect as the official filing.

(3) “Truncate” means to redact at least thefirst five digits of a social security number.

(4) “Truncated social security number”means a social security number that displays nomore than the last four digits of the number.

(b) For every filing containing an untruncatedsocial security number filed before August 1,2007, a filing office shall create a public filing.

(c) A filing office shall post a notice on itsWeb site informing filers not to include socialsecurity numbers in any portion of their filings.A filing office’s online filing system shall not con-tain a field requesting a social security number.

(d) Beginning August 1, 2007, for every fil-ing containing an untruncated social security num-ber filed by means other than the filing office’sWeb site, a filing office shall create a public filing.

(e) When a public filing version of an offi-cial filing exists, both of the following shall ap-ply:

(1) Upon a request for inspection, copying,or any other public disclosure of or any otherpublic disclosure of an official filing that is notexempt from disclosure, a filing office shall makeavailable only the public filing version of thatfiling.

(2) A filing office shall publicly disclose anofficial filing only in response to a subpoena ororder of a court of competent jurisdiction.

(3) Nothing in this article shall be construedto restrict, delay, or modify access to any officialfiling, or modify any existing agreements regard-ing access to any official filing, prior to the cre-ation and availability of a public filing versionof that official filing.

(f) A filing office shall be deemed to be incompliance with the requirements of this sec-tion and shall not be liable for failure to truncatea social security number if he or she uses duediligence to locate social security numbers in of-ficial records and truncate the social security num-bers in the public filing version of those officialfilings. The use of an automated program with ahigh rate of accuracy shall be deemed to be due

diligence.(g) In the event that a filing office fails to

truncate a social security number contained in arecord pursuant to subdivision (b) or (d), anyperson may request that the filing office truncatethe social security number contained in thatrecord. Notwithstanding that a filing office maybe deemed to be in compliance with this sectionpursuant to subdivision (f), a filing office thatreceives a request that identifies the exact loca-tion of an untruncated social security numberthat is required to be truncated pursuant to sub-division (b) or (d) within a specifically identifiedrecord, shall truncate that number within 10 busi-ness days of receiving the request. The publicfiling with the truncated social security numbershall replace the record with the untruncated num-ber.

(h) The Secretary of State shall not pro-duce or make available financing statements inthe form and format described in Section 9521that provide a space identified for the disclosureof the social security number of an individual.

(i) The Secretary of State shall produce andmake available financing statements in the formand format described in Section 9521, exceptthat the financing statements shall not provide aspace identified for the disclosure of the socialsecurity number of an individual.

(j) The provisions of this section shall notapply to a county recorder.

Summary of Government Code Sections27300-27307: County Recorders

This law requires county recorders to cre-ate versions of documents recorded back to 1980that contain only trancated SSNs. If authorizedby boards of supervisors, they may levy a fee tocover the costs of truncation.

Text of Government Code Sections 27300-27307

27300. As used in this article, the followingterms have the following meanings:

(a) “Official record” means the permanentarchival record of all instruments, papers, andnotices as accepted for recording by a county

16

recorder.(b) “Public record” means a record that is

in an electronic format and is an exact copy ofan official record except that any social securitynumber contained in the copied record is trun-cated. The public record shall have the same le-gal force and effect as the official record.

(c) “Truncate” means to redact the first fivedigits of a social security number.

(d) “Truncated social security number”means a social security number that displays onlythe last four digits of the number.

27301. The county recorder of each countyshall establish a social security number truncationprogram in order to create a public record ver-sion of each official record. The program shallinclude both of the following components,which the recorder shall implement concurrently:

(a) For each official record recorded be-tween January 1, 1980, and December 31, 2008,the recorder shall create in an electronic formatan exact copy of the record except that any so-cial security number contained in the copiedrecord shall be truncated. In order to create apublic record copy, the recorder shall first trun-cate the social security numbers in all records thatalready exist in an electronic format and then cre-ate an electronic version of all other records andtruncate social security numbers contained in thoserecords. Each group of records shall be handledin descending chronological order.

(b) For each official record recorded on orafter January 1, 2009, the recorder shall create acopy of that record in an electronic format andtruncate any social security number contained inthat record.

(c) Nothing in this article shall be construedto restrict, delay, or modify access to any officialrecord, or modify any existing agreements re-garding access to any official record, prior to thecreation and availability of a public record ver-sion of that official record. A county recordershall not charge any new fee or increase any ex-isting fees in order to fund the social security num-ber truncation program pursuant to this article,except as provided in subdivision (d) of Section27361.

(d) Notwithstanding subdivisions (a) and(b), a county recorder shall not be required tocreate a public record version of an official recordif the fee authorized in Section 27304 is deter-mined by the recorder to be insufficient to meetthe cost of creating the public record version. Inthat case, the county recorder shall determinewhether the fee is sufficient to meet the cost ofcreating a public record version of only a frac-tion of the official records described in subdivi-sions (a) and (b). If the fee is sufficient to meetthe cost of creating a public record version of afraction of the official records, the recorder shallbe required to create a public record version ofthat fraction only.

27302. (a) A county recorder shall bedeemed to be in compliance with the require-ments of Section 27301 and shall not be liablefor failure to truncate a social security number ifhe or she uses due diligence to locate social secu-rity numbers in official records and truncate so-cial security numbers in the public record versionof those official records. The use of an auto-mated program with a high rate of accuracy shallbe deemed to be due diligence.

(b) In the event that a county recorder failsto truncate a social security number contained ina public record, any person may request that thecounty recorder truncate the social security num-ber contained in that record. Notwithstandingthat a county recorder may be deemed to be incompliance with Section 27301 pursuant to sub-division (a), a county recorder that receives a re-quest that identifies the exact location of anuntruncated social security number within a spe-cifically identified public record, shall truncate thatnumber within 10 business days of receiving therequest. The public record with the truncatedsocial security number shall replace the recordwith the untruncated number.

27303. When a public record version of anofficial record exists, both of the following shallapply:

(a) Upon a request for inspection, copying,or any other public disclosure of an officialrecord that is not exempt from disclosure, acounty recorder shall make available only the



public record version of that record.(b) A county recorder shall publicly disclose

an official record only in response to a subpoenaor order of a court of competent jurisdiction.

27304. (a) Each county may use funds gen-erated by fees authorized by subdivision (d) ofSection 27361 to implement a social security num-ber truncation program required by this article.

(b) No later than June 1, 2008, the countyrecorder of each county shall petition the boardof supervisors in that county for the authority tolevy the fee authorized by subdivision (d) of Sec-tion 27361.

(c) It is the intent of the Legislature that inthe interest of enabling county recorders to actexpeditiously to protect the privacy of Califor-nians, counties be permitted to seek revenue an-ticipation loans or other outside funding sourcesfor the implementation of a social security num-ber truncation program to be secured by the an-ticipated revenue from the fee authorized by sub-division (d) of Section 27361.

27305. (a) To assist the Legislature in moni-toring the progress of each county recorder’ssocial security number truncation program, theCounty Recorders Association of California, nolater than January 1, 2009, and annually thereaf-ter, shall submit to the chairpersons of the As-sembly Committee on Judiciary and of the Sen-ate Committee on Judiciary, and to the Officeof Privacy Protection, or any successor agency, areport on the progress each county recorder hasmade in complying with this article.

(b) Upon the Office of Privacy Protectionmaking a determination that all counties havecompleted the component of the program de-scribed in subdivision (a) of Section 27301, thereport described in subdivision (a) of this sec-tion shall no longer be required.

27307. A county recorder is authorized totake all actions required by this article notwith-standing subdivision (d) of Section 27203 or anyother provision of law.

Summary of Government Code Section15705: Franchise Tax Board Records

This law requires the Franchise Tax Board

to truncate SSNs in documents released to thepublic.

Text of Government Code Section 1570515705. Notwithstanding any other provi-

sion of law, unless prohibited by federal law, theFranchise Tax Board shall truncate social securitynumbers on lien abstracts and any other recordscreated by the board that are disclosable underChapter 3.5 (commencing with Section 6250) ofDivision 7 of Title 1 before disclosing the recordto the public. For purposes of this section, “trun-cate” means to redact the first five digits of asocial security number.

Summary of California Family CodeSection 2024.5: Certain Court Records

This law establishes a procedure for keep-ing SSNs confidential in court filings for legalseparation, dissolution, or nullification of mar-riage.

Text of Family Code Section 2024.52024.5. (a) Except as provided in subdivi-

sion (b), the petitioner or respondent may redactany social security number from any pleading,attachment, document, or other written materialfiled with the court pursuant to a petition fordissolution of marriage, nullity of marriage, orlegal separation. The Judicial Council form usedto file such a petition, or a response to such apetition, shall contain a notice that the parties mayredact any social security numbers from thosepleadings, attachments, documents, or othermaterial filed with the court. (b) An abstract ofsupport judgment, the form required pursuantto subdivision (b) of Section 4014, or any similarform created for the purpose of collecting childor spousal support payments may not be redactedpursuant to subdivision (a).

Summary of Code of Civil ProcedureSection 674: Abstracts of Judgment

Abstracts of judgment and decrees requir-ing the payment of money may contain only thelast four digits of the judgment debtor’s SSN.

18

Text of Code of Civil Procedure Section674

674. (a) Except as otherwise provided inSection 4506 of the Family Code, an abstract ofa judgment or decree requiring the payment ofmoney shall be certified by the clerk of the courtwhere the judgment or decree was entered andshall contain all of the following:

(1) The title of the court where the judg-ment or decree is entered and cause and numberof the action.

(2) The date of entry of the judgment ordecree and of any renewals of the judgment ordecree and where entered in the records of thecourt.

(3) The name and last known address ofthe judgment debtor and the address at whichthe summons was either personally served ormailed to the judgment debtor or the judgmentdebtor’s attorney of record.

(4) The name and address of the judgmentcreditor.

(5) The amount of the judgment or decreeas entered or as last renewed.

(6) The last four digits of the social securitynumber and driver’ s license number of the judg-ment debtor if they are known to the judgmentcreditor. If either or both of those sets of num-bers are not known to the judgment creditor,that fact shall be indicated on the abstract of judg-ment.

(7) Whether a stay of enforcement has beenordered by the court and, if so, the date the stayends.

(8) The date of issuance of the abstract.(b) An abstract of judgment, recorded af-

ter January 1, 1979, that does not list the socialsecurity number and driver’s license number ofthe judgment debtor, or either of them, as re-quired by subdivision (a) or by Section 4506 ofthe Family Code, may be amended by the re-cording of a document entitled “Amendment toAbstract of Judgment.” The Amendment toAbstract of Judgment shall contain all of the in-formation required by this section or by Section4506 of the Family Code, and shall set forth thedate of recording and the book and page loca-

tion in the records of the county recorder of theoriginal abstract of judgment.

A recorded Amendment to Abstract ofJudgment shall have priority as of the date ofrecordation of the original abstract of judgment,except as to any purchaser, encumbrancer, or les-see who obtained their interest after the recorda-tion of the original abstract of judgment butprior to the recordation of the Amendment toAbstract of Judgment without actual notice ofthe original abstract of judgment. The purchaser,encumbrancer, or lessee without actual notice mayassert as a defense against enforcement of theabstract of judgment the failure to comply withthis section or Section 4506 of the Family Coderegarding the contents of the original abstract ofjudgment notwithstanding the subsequent recor-dation of an Amendment to Abstract of Judg-ment. With respect to an abstract of judgmentrecorded between January 1, 1979, and July 10,1985, the defense against enforcement for failureto comply with this section or Section 4506 ofthe Family Code may not be asserted by the holderof another abstract of judgment or involuntarylien, recorded without actual notice of the priorabstract, unless refusal to allow the defense wouldresult in prejudice and substantial injury as usedin Section 475. The recordation of an Amend-ment to Abstract of Judgment does not extendor otherwise alter the computation of time asprovided in Section 697.310.

(c) (1) The abstract of judgment shall becertified in the name of the judgment debtor aslisted on the judgment and may also include theadditional name or names by which the judg-ment debtor is known as set forth in the affidavitof identity, as defined in Section 680.135, filedby the judgment creditor with the application forissuance of the abstract of judgment. Prior tothe clerk of the court certifying an abstract ofjudgment containing any additional name ornames by which the judgment debtor is knownthat are not listed on the judgment, the court shallapprove the affidavit of identity. If the courtdetermines, without a hearing or a notice, thatthe affidavit of identity states sufficient facts uponwhich the judgment creditor has identified the



additional names of the judgment debtor, thecourt shall authorize the certification of the ab-stract of judgment with the additional name ornames.

(2) The remedies provided in Section697.410 apply to a recorded abstract of a moneyjudgment based upon an affidavit of identity thatappears to create a judgment lien on real prop-erty of a person who is not the judgment debtor.

Summary of Revenue and Taxation CodeSection 2191.3: Tax Liens

Tax collector liens may contain only the lastfour digits of SSNs.

Text of Revenue and Taxation CodeSection 2191.3

2191.3. (a) The tax collector may make thefiling specified in subdivision (b) where either ofthe following occurs:

(1) There is a tax on any of the following:(A) A possessory interest secured only by a

lien on that taxed possessory interest.(B) Goods in transit, not secured by any

lien on real property.(C) Improvements that have been assessed

pursuant to Section 2188.2.(D) Off-roll taxes on escape assessments

where the error was not the fault of the assesseeand the escape taxes are being paid pursuant toSection 4837.5.

(E) Unsecured property not secured by alien on any real property, and where the tax hasbecome delinquent or where there are prior un-paid and delinquent taxes with respect to thatsame property.

(2) A tax has been entered on the unsecuredroll pursuant to Section 482, 531.2, or 4836.5, ortransferred to the unsecured roll pursuant to anyprovision of law.

(b) A filing for record without fee in theoffice of the county recorder of any county of acertificate specifying the amount due, the name,the last four digits of his or her federal socialsecurity number, if known, and last known ad-dress of the assessee liable for the amount, andcompliance with all provisions of this division

with respect to the computation and levy of thetax if compliance has in fact occurred. The pro-cedure authorized by this section is cumulative tothe procedure provided by Sections 2951 and3003. The county recorder shall, within 30 daysafter a filing as described in this subdivision withrespect to delinquent taxes on unsecured prop-erty, send a notice of the filing to the assessee atthe assessee’s last known address. The notice shallcontain the information contained in the filing,and shall prominently display on its face the fol-lowing heading:

“THIS IS TO NOTIFY YOU THAT ATAX LIEN HAS BEEN FILED WITH RE-SPECT TO UNSECURED PROPERTY”

20

Appendix 2: Federal LawsAuthorizing or MandatingSSNs

Federal statute General purpose for collecting or using SSN

Government entity and authorized or required use

Tax Reform Act of 197642 U.S.C. 405(c)(2)(c)(i)

General public assistance pro-grams, tax administration,driver’s license, motorvehicleregistration

Authorizes states to collect anduse SSNs in administering anytax, general public assistance,driver’s license, or motor ve-hicle registration law

Food Stamp Act of 19777 U.S.C. 2025(e)(1)

Food Stamp Program Mandates the secretary of ag-riculture and state agencies torequire SSNs for program par-ticipation

Deficit Reduction Act of 198442 U.S.C. 1320b-7(1)

Eligibility benefits under theMedicaid program

Requires that, as a condition ofeligibility for Medicaid benefits,applicants for and recipients ofthese benefits furnish theirSSNs to the state administer-ing program

Comprehensive OmnibusBudget Reconciliation Act of198620 U.S.C. 1091(a)(4)

Financial Assistance Requires students to providetheir SSNs when applying forfederal student financial aid

The following list of federal laws authorizing or mandating the collection and use of Social Securitynumbers is not comprehensive. It is taken from a report of the U.S. Government AccountabilityOffice, Social Security Numbers: Federal and State Laws Restrict Use of SSNs, Yet Gaps Remain (GAO-05-1016T of September 15, 2005).



Federal Statute General purpose for collecting

or using SSN

Government entity and

authorized or required use

Housing and Community De-velopment Act of 198742 U.S.C. 3543(a)

Eligibility for HUD programs Authorizes the secretary of theDepartment of Housing andUrban Development to re-quire applicants and partici-pants in HUD programs tosubmit their SSNs as a condi-tion of eligibility

Family Support Act of 198842 U.S.C. 405(c)(2)(C)( ii)

Issuance of birth certificates Requires states to obtain par-ents’ SSNs before issuing abirth certificate unless there isgood caue for not requiring thenumber

Technical and MiscellaneousRevenue Act of 198842 U.S.C. 405(c)(2)(D)(i)

Blood donation Authorizes states and politicalsubdivisions to require thatblood donors provide theirSSNs

Food, Agriculture, Conserva-tion, and Trade Act of 199042 U.S.C. 405(c)(2)(C)

Retail and wholesale businessesparticipation in food stampprogram

Authorizes the secretary ofagriculture to require the SSNsof officers or owners of retailand wholesale food concernsthat accept and redeem foodstamps

Omnibus Budget Reconcilia-tion Act of 199038 U.S.C. 5101(c)

Eligibility for Veterans Affairscompensation or pensionbenefitsprograms

Requires individuals to providetheir SSNs to be eligible forDepartment of Veterans Af-fairs’ compensation or pensionbenefits programs

Social Security Independenceand Program ImprovementsAct of 199442 U.S.C. 405(c)(2)(E)

Eligibility of potential jurors Authorizes states and politicalsubdivisions of states to useSSNs to determine eligibilityof potential jurors

22

Federal statute

Personal Responsibility andWork Opportunity Reconcili-ation Act of 199642 U.S.C. 666(a)(13)

General purpose for collecting

or using SSN

Various license applications;divorce and child supportdocuments; death certificates

Gpvernmemt entity and

authorized or required use

Mandates that states have lawsin effect that require collectionof SSNs on applications fordriver’s licenses and other li-censes; requires placement inthe pertinent records of theSSN of the person subject toa divorce decree, child supportorder, paternity determination;requires SSNs on death certifi-cates; creates national databasefor child support enforcementpurposes

Debt Collection ImprovementAct of 199631 U.S.C. 7701(c)

Persons doing business with afederal agency

Requires those doing businesswith a federal agency, i.e., lend-ers in a federal guaranteed loanprogram; applicants for federallicenses, permits, right-of-ways,grants, or benefit payments;contractors of an agency andothers to furnish SSNs to theagency

Higher Education Act Amend-ments of 199820 U.S.C. 1090(a)(7)

Financial assistance Authorizes the secretary ofeducation to include the SSNsof parents of dependent stu-dents on certain financial assis-tance forms

Internal Revenue Code(variousamendments)26 U.S.C. 6109

Tax returns Authorizes the commissionerof the Internal Revenue Serviceto require that taxpayers in-clude their SSNs on tax returns



Appendix 3: Federal LawsRestricting Disclosure ofSSNsThe following list of federal laws that restrict thedisclosure of Social Security numbers is notcomprehensive. It is taken from a U.S.Government Accountability Office report, SocialSecurity Numbers: Government Benefits fromSSN Use but Could Provide BetterSafeguards (GAO-02-352, May 2002).

The Freedom of Information Act (5 U.S.C.552)

This act establishes a presumption thatrecords in the possession of agencies and de-partments of the executive branch of the federalgovernment are accessible to the people. FOIA,as amended, provides that the public has a rightof access to federal agency records, except forthose records that are protected from disclosureby nine stated exemptions. One of these exemp-tions allows the federal government to withholdinformation about individuals in personnel andmedical files and similar files when the disclosurewould constitute a clearly unwarranted invasionof personal privacy. According to Departmentof Justice guidance, agencies should withholdSSNs under this FOIA exemption. This statutedoes not apply to state and local governments.

The Privacy Act of 1974 (5 U.S.C. 552a)The act regulates federal government agen-

cies’ collection, maintenance, use and disclosureof personal information maintained by agenciesin a system of records.1 The act prohibits thedisclosure of any record contained in a systemof records unless the disclosure is made on thebasis of a written request or prior written con-sent of the person to whom the records per-tains, or is otherwise authorized by law. The actauthorizes 12 exceptions under which an agencymay disclose information in its records. How-

ever, these provisions do not apply to state andlocal governments, and state law varies widelyregarding disclosure of personal information instate government agencies’ control. There is onesection of the Privacy Act, section 7, that doesapply to state and local governments. Section 7makes it unlawful for federal, state, and localagencies to deny an individual a right or benefitprovided by law because of the individual’s re-fusal to disclose his SSN. This provision doesnot apply (1) where federal law mandates disclo-sure of individuals’ SSNs or (2) where a law ex-isted prior to January 1, 1975 requiring disclo-sure of SSNs, for purposes of verifying the iden-tity of individuals, to federal, state or local agen-cies maintaining a system of records existing andoperating before that date. Section 7 also requiresfederal, state and local agencies, when requestingSSNs, to inform the individual (1) whether dis-closure is voluntary or mandatory, (2) by whatlegal authority the SSN is solicited, and (3) whatuses will be made of the SSN. The act contains anumber of additional provisions that restrict fed-eral agencies’ use of personal information. Forexample, an agency must maintain in its recordsonly such information about an individual as isrelevant and necessary to accomplish a purposerequired by statute or executive order of the presi-dent, and the agency must collect information tothe greatest extent practicable directly from theindividual when the information may result in anadverse determination about an individual’s rights,benefits and privileges under federal programs.

The Social Security Act Amendments of1990 (42 U.S.C. 405(c)(2)(C)(viii))

A provision of the Social Security Act barsdisclosure by federal, state and local governmentsof SSNs collected pursuant to laws enacted on

24

or after October 1, 1990. This provision of theact also contains criminal penalties for “unautho-rized willful disclosures” of SSNs; the Depart-ment of Justice would determine whether toprosecute a willful disclosure violation. Becausethe act specifically cites willful disclosures, care-less behavior or inadequate safeguards may notbe subject to criminal prosecution. Moreover,applicability of the provision is further limited inmany instances because it only applies to disclo-sure of SSNs collected in accordance with lawsenacted on or after October 1, 1990. For SSNscollected by government entities pursuant to lawsenacted before October 1, 1990, this provisiondoes not apply and therefore, would not restrictdisclosing the SSN. Finally, because the provisionapplies to disclosure of SSNs collected pursuantto laws requiring SSNs, it is not clear if the pro-vision also applies to disclosure of SSNs col-lected without a statutory requirement to do so.This provision applies to federal, state and localgovernmental agencies; however, the applicabil-ity to courts is not clearly spelled out in the law.

California Office of Privacy Protectionwww.privacy.ca.gov

Office of Information Security and Privacy Protectionwww.oispp.ca.gov

State and Consumer Services Agencywww.scsa.ca.gov

recommended practices on protecting the … practices on protecting the confidentiality of social...

Documents