A New Law, An Existing Trend Effective July 1, 2007, Minnesota joins a growing list of states by enacting a new Social Security Number Shield Law. Minnesota statute §235E.59 will require Minnesota businesses to take new steps in order to protect against intentional, and unintentional, disclosure of an individual's social security number (SSN). While some companies already incorporate best practices that are now becoming law, others are discovering just how deep this river runs through their organization. Fifteen other states passed similar laws in 2006 - Minnesota makes sixteen. Almost all remaining states are considering similar legislation for their 2007 session. The new laws will restrict access to SSNs to employees who need that information for processes such as payroll or human resources. Minnesota defines it as: Section 7 (b) A person or entity, not including a government entity, must restrict access to individual Social Security numbers it holds so that only employees who require the numbers in order to perform their job duties have access to the numbers, except as required by titles XVIII and XIX of the Social Security Act and by Code of Federal Regulations, title 42, section 483.20. What sort of challenges can these new laws present? Some are bigger than you may think. Storage Solutions Whichever state you reside, there is an increasing reliability on storing sensitive information electronically. We have the technologies to scan documents, build databases, and send electronic communication with ease. Imagine if your organization has a form that requires somebody to put their SSN front and center on page 1 (note that this is not necessarily a violation of the new legislation). Now imagine that your company took the leap into the digital age and incorporated a technology to scan every form as an image into a database that is accessible by various departments throughout the company. Each department may have different reasons to view different parts of this form, yet they all have the ability to see the SSN on page 1. This will be a violation of the new SSN laws. Another scenario that is more common is the use of SSNs as identifiers when searching for an employee in a database. Staffing firms and other similar industries that are in the business of putting people to work have vast databases of employees that they draw upon when trying to fill open positions. Since people are the "product" of these firms, access to the employee database is necessary for more groups than just payroll and human resources. Agents that work in field offices, recruiters that may be spread across the country, employees in central operations and IT departments all have a need to access this database. Now imagine that one of the key identifiers for each file is a person's SSN, what do you do? Adherence There are two common solutions to adhering to these new laws: 1) Restrict access to existing information to appropriate personnel; or 2) discontinue using full SSNs as identifiers. The second option may take more work but is often the better solution. Rather than adjusting employee access to systems that are working just fine for the company, adjust the systems to no longer display full SSNs to every user. "Access" is the key word in being compliant with this law. Here are some key points to remember for securing SSNs and other confidential information: Discontinue use of SSNs to identify individuals except when federal law requires a SSN to be present Use a truncated SSN (i.e., XXX-XX-1234) Keep data that contains SSNs in a limited access area or password protected databases Conduct criminal background checks on employees that will have access to SSNs as a part of their regular job duties Destroy documents containing SSNs when they are no longer needed Why? "The FTC estimates that as many as 9 million Americans have their identities stolen each year." The Minnesota Attorney General has the authority to investigate violations that are a result of an employer not being compliant with the new law. An employee that is negatively affected by a violation will be able to sue the employer to recover damages. It is in everybody's best interest to protect this information. Whether you reside in Minnesota, or one of the other sixteen states that have already passed this new legislation, you will eventually be affected by this trend. For more information about the risks of identity theft, visit the Federal Trade Commission (http://www.ftc.gov) website. To view the full Minnesota statute that goes into effect July 1, 2007, visit http://www.leg.state.mn.us and search for statute 325E.59. States that passed SSN laws in the 2006 legislative session are AZ, AK, CA, CO, CT, DE, FL, GA, HI, IL, IN, LA, MD, MI, MN, and MO.