New Law Attacks ID Theft

HOLLANDMichigan‘s new Social Security Number Privacy Act has shifted the burden of identity theft from consumers to the business community.

The act is designed to protect citizens from identity theft by imposing stricter obligations on entities that collect Social Security numbers and tougher penalties for ID-theft related crimes.

The new legislation, which went into effect March 1, is a package of 11 laws that updates the state’s previous statutes for identity theft.

“The overall objective of the law on a cost benefit basis is to require businesses to keep Social Security numbers confidential because of the increasing cost to society of identity theft,” said Mark Zietlow, a senior attorney in Butzel Long’s Holland office.

The Social Security Number Privacy Act prohibits the display of Social Security numbers on bank and credit accounts, health insurance cards, permits, licenses, ID cards and badges. It further prohibits the “public display” and “visible printing” of more than four sequential digits of an employee’s, student’s or individual’s Social Security number on an account, permit, license or ID card.

The act applies to all Michigan companies, associations, schools, government agencies and other legal entities, and imposes civil and criminal penalties for non-compliance.

“Basically, it’s just changing the way companies are doing business and limiting the public display of information,” Zietlow said. “There are circumstances where Social Security numbers can still be required and used by companies, and generally those would be in the employment context.”

Though the numbers can’t be publicly displayed anymore, they can still be required in regard to health insurance membership benefits, retirement plans and 401(k) plans, Zietlow observed.

He said companies could also request Social Security numbers for use in background checks, identity checks or any other situation where an individual’s identity has to be verified — as part of immigration requirements, for instance.

According to a House Fiscal Agency legislative analysis, it can take victims of identity theft months or even years to clear their names and undo the damage done by someone who steals personal data and conducts business and personal transactions under their name. Some victims have lost job opportunities, been refused loans or even been arrested for crimes they didn’t commit.

“A person typically doesn’t find out his Social Security number has been stolen until later — when he starts receiving overdue notices or his application for credit is denied,” Zietlow said. One of his clients, for instance, was unaware his Social Security number had been stolen until he started receiving overdue tax notices from the IRS.

“This individual found out a year after the fact that 13 people in the United States were using his Social Security number and had reported that to their employer. So the employer was filing W2s under that Social Security number with the IRS. This individual was said to have $75,000 in unpaid federal income taxes because he had all of this reported income.”

Victims report spending an average of 600 hours and more than $1,000 in the process of trying to clear their names. The Federal Trade Commission estimates that identity theft nationwide cost businesses and consumers $53 billion in 2002.

The new law forces companies to evaluate how they use Social Security numbers in their business and how they are going to protect personal data from being made public, Zietlow said.

“If you have them on a computer system or network, or use the numbers in connection with an Internet-based business, you have to look at how you use information. That may require changing the way they’re used or limiting the number of digits used in Social Security numbers.”

It seems that the crime of identity theft most often stems from the business community. The House Fiscal Agency points to recent research by MichiganStateUniversity that suggests “up to 70 percent of identity theft” can be traced back to an employee or business owner stealing identifying information from customers.

By Jan. 1, 2006, additional limitations on use of Social Security numbers will go into effect, and by that date any business or individual that has to obtain one or more Social Security numbers in the ordinary course of business must have a privacy policy in place to ensure confidentiality of the numbers. Zietlow said for most businesses, putting together a privacy policy probably won’t involve either significant cost or time.

“The policy should be a broad-based statement, and employees should be trained in that objective. So as a general rule, you must ensure confidentiality and prevent unlawful disclosure of the numbers.”

Second, he said, a company should ensure that only a limited number of people have access to Social Security numbers and other personal information. Third, a company should have a policy that governs how records containing Social Security numbers are kept and how they are disposed of.

“One of the problems that we’ve seen is the Dumpster-diving issue. A lot of companies aren’t really careful of how they dispose of information,” Zietlow noted. “In a lot of cases we hear about companies throwing documents in a Dumpster, and then people get a hold of that information and apply for Social Security cards under those numbers.”

A company should also establish penalties for violation of the policy. Zietlow pointed out that the new legislation exposes companies to lawsuits they hadn’t been exposed to previously, because a provision of the act allows individuals to bring a civil action.

“It’s going to create an incentive for plaintiffs’ attorneys to take a long look at the law, because it provides that reasonable attorney fees can be collected for knowing violations of the law,” he said.

“So I can see where plaintiff attorneys will look at this in much the same way that the Michigan Consumer Protection Act is used in bringing actions for actual damages of $1,000 or more and reasonable attorney fees.”

Zietlow said a company can limit its liability if it adopts a private policy, uniformly enforces it and takes action to prevent the re-occurrence of violations.

“That provides an employer with an out to escape these civil lawsuits under the act.”