A Legal Guide to PRIVACY AND DATA SECURITY 2024

(3) require an individual to transmit the individual’s Social Security number over the Internet, unless the connection is secure or the Social Security number is encrypted, except as required by titles XVIII and XIX of the Social Security Act and by Code of Federal Regulations, title 42, section 483.20; (4) require an individual to use the individual’s Social Security number to access an Internet website, unless a password or unique personal identification number or other authentication device is also required to access the Internet website; (5) print a number that the person or entity knows to be an individual’s Social Security number on any materials that are mailed to the individual, unless state or federal law requires the Social Security number to be on the document to be mailed. If, in connection with a transaction involving or otherwise relating to an individual, a person or entity receives a number from a third party, that person or entity is under no duty to inquire or otherwise determine whether the number is or includes that individual’s Social Security number and may print that number on materials mailed to the individual, unless the person or entity receiving the number has actual knowledge that the number is or includes the individual’s Social Security number; (6) assign or use a number as the primary account identifier that is identical to or incorporates an individual’s complete Social Security number, except in conjunction with an employee or member retirement or benefit plan or human resource or payroll administration; or (7) sell Social Security numbers obtained from individuals in the course of business. (b) For purposes of paragraph (a), clause (7), “sell” does not include the release of an individual’s Social Security number if the release of the Social Security number is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose. The release of a Social Security number for the purpose of marketing is not a legitimate business purpose under this paragraph. (c) Notwithstanding paragraph (a), clauses (1) to (5), Social Security numbers may be included in applications and forms sent by mail, including documents sent as part of an application or enrollment process, or to establish, amend, or terminate an account, contract, or policy, or to confirm the accuracy of the Social Security number. Nothing in this paragraph

103

Made with FlippingBook - Online Brochure Maker