SB-0795, As Passed Senate, December 10, 2003

                              SUBSTITUTE FOR

                           SENATE BILL NO. 795

    A bill to establish the social security number privacy act

                                                                                

    in the state of Michigan; to prescribe penalties and civil                  

                                                                                

    sanctions; and to provide remedies.                                         

                                                                                

                THE PEOPLE OF THE STATE OF MICHIGAN ENACT:                      

                                                                                

1       Sec. 1.  This act shall be known and may be cited as the                    

                                                                                

2   "social security number privacy act".                                       

                                                                                

3       Sec. 2.  As used in this act:                                               

                                                                                

4       (a) "Depository institution" means a state or nationally                    

                                                                                

5   chartered bank or a state or federally chartered savings and loan           

                                                                                

6   association, savings bank, or credit union.                                 

                                                                                

7       (b) "Disclose" means to communicate or show to another person               

                                                                                

8   through the use of any medium of communication.                             

                                                                                

9       (c) "Financial institution" means a depository institution,                 

                                                                                

10  an affiliate of a depository institution, a licensee under the              

                                                                                

11  consumer financial services act, 1988 PA 161, MCL 487.2051 to               

                                                                                


                                                                                

1   487.2072, 1984 PA 379, MCL 493.101 to 493.114, the motor vehicle            

                                                                                

2   sales finance act, 1950 (Ex Sess) PA 27, MCL 492.101 to 492.141,            

                                                                                

3   the secondary mortgage loan act, 1981 PA 125, MCL 493.51 to                 

                                                                                

4   493.81, the mortgage brokers, lenders, and servicers licensing              

                                                                                

5   act, 1987 PA 173, MCL 445.1651 to 445.1684, or the regulatory               

                                                                                

6   loan act of 1963, 1939 PA 21, MCL 493.1 to 493.24, or a seller              

                                                                                

7   under the home improvement finance act, 1965 PA 332, MCL 445.1101           

                                                                                

8   to 445.1431, or the retail installment sales act, 1966 PA 224,              

                                                                                

9   MCL 445.851 to 445.873.                                                     

                                                                                

10      (d) "Medium of communication" includes, but is not limited                  

                                                                                

11  to, the internet, or a computer, computer network, computer                 

                                                                                

12  program, or computer system, as those terms are defined in                  

                                                                                

13  section 2 of 1979 PA 53, MCL 752.792.                                       

                                                                                

14      (e) "Person" means an individual, partnership, limited                      

                                                                                

15  liability partnership or company, association, corporation,                 

                                                                                

16  public or nonpublic elementary or secondary school, trade school,           

                                                                                

17  vocational school, community or junior college, college,                    

                                                                                

18  university, state or local governmental agency or department, or            

                                                                                

19  other legal entity.                                                         

                                                                                

20      (f) "Publicly display" means to exhibit, hold up, or set out                

                                                                                

21  for open view to members of the public or in a public manner.               

                                                                                

22      (g) "Third party" means a person who is not any of the                      

                                                                                

23  following:                                                                  

                                                                                

24      (i) A parent or legal guardian of an individual whose social

                                                                                

25  security number is disclosed.                                               

                                                                                

26      (ii) An employee or agent of a person to which an                            

                                                                                

27  individual's social security number is disclosed, if all of the             


    Senate Bill No. 795 as amended December 10, 2003                            

1   following are met:                                                          

                                                                                

2       (A) The employee or agent is authorized to have access to                   

                                                                                

3   personal information in his or her official capacity as an                  

                                                                                

4   employee or agent <<and uses the information in accordance with that authorization>>.                                                                

5       (B) The person has a <<written>> privacy policy in place making personal    

6   information confidential and prohibiting the unlawful disclosure            

                                                                                

7   of social security numbers.                                                 

                                                                                

8       (C) The person has <<provided>> the privacy policy to the                   

9   employee or agent.                                                          

                                                                                

10      (iii) A vendor or independent contractor of a person to which                

                                                                                

11  an individual's social security number is disclosed, if the                 

                                                                                

12  vendor or independent contractor is authorized by the <<person>>            

                                                                                

13  to have access to that information and both the person and the              

                                                                                

14  vendor or contractor have a privacy policy in place making that             

                                                                                

15  information confidential and prohibiting the unlawful disclosure            

                                                                                

16  of social security numbers.                                                 

                                                                                

17      Sec. 3.  (1) Except as provided in subsections (2) and (3),                 

                                                                                

18  a person shall not knowingly do any of the following with all or            

                                                                                

19  more than 4 sequential digits of the social security number of an           

                                                                                

20  employee, student, or other individual:                                     

                                                                                

21      (a) Disclose it to a third party.                                           

                                                                                

22      (b) Publicly display or include it in any document or                       

                                                                                

23  information mailed or otherwise sent to an individual if it is              

                                                                                

24  visible on or from outside of the envelope or packaging.                    

                                                                                

25      (c) Use it as the primary identification number for the                     

                                                                                

26  individual or his or her account, including, but not limited to,            

                                                                                

27  printing or using it on any membership card.  If a person has               


1   implemented or implements a plan or schedule for elimination by a           

                                                                                

2   certain date of the use of all or more than 4 sequential digits             

                                                                                

3   of the social security numbers of its employees or students or              

                                                                                

4   other individuals, then this subdivision does not apply to that             

                                                                                

5   person until January 1, 2006, or the completion date specified in           

                                                                                

6   that plan or schedule, whichever is earliest.                               

                                                                                

7       (d) Require an individual to use or transmit it over the                    

                                                                                

8   internet or a computer system or network unless the connection is           

                                                                                

9   secure or the transmission is encrypted, and a password or other            

                                                                                

10  unique personal identification number or other authentication               

                                                                                

11  device is first required to gain access to the website.                     

                                                                                

12      (e) Include it in any document or information mailed to an                  

                                                                                

13  individual, unless any of the following apply:                              

                                                                                

14      (i) State or federal law, rule, or regulation authorizes,

                                                                                

15  permits, or requires that a social security number appear in the            

                                                                                

16  document.                                                                   

                                                                                

17      (ii) The document is sent as part of an application or                       

                                                                                

18  enrollment process.                                                         

                                                                                

19      (iii) The document is sent to establish, amend, or terminate                 

                                                                                

20  an account, contract, or policy or to confirm the accuracy of a             

                                                                                

21  social security number <<of an individual with an account, contract, or policy>>.                                                                       

22      (2) This section does not apply if any of the following                     

                                                                                

23  apply:                                                                      

                                                                                

24      (a) An individual or the individual's parent or legal                       

                                                                                

25  guardian consents to a disclosure of the individual's social                

                                                                                

26  security number to a third party or for a use described in                  

                                                                                

27  subsection (1)(e) after being fully informed of the reasons for             


1   the disclosure or use of the social security number.                        

                                                                                

2       (b) A disclosure, display, or other use of the individual's                 

                                                                                

3   social security number is authorized or required by state or                

                                                                                

4   federal statute, rule, or regulation or by court order or rule.             

                                                                                

5       (c) A disclosure of an individual's social security number by               

                                                                                

6   a law enforcement agency as part of a criminal investigation or             

                                                                                

7   prosecution.                                                                

                                                                                

8       (d) A disclosure or distribution by a county register of                    

                                                                                

9   deeds office of a copy of a public record filed or recorded with            

                                                                                

10  that office that includes an individual's social security                   

                                                                                

11  number <<to a person entitled to that documentation>>.                      

                                                                                

12      (3) Subsection (1)(a) does not apply to any of the following                

                                                                                

13  disclosures of a social security number to a third party who has            

                                                                                

14  a written privacy policy making use of that social security                 

                                                                                

15  number confidential:                                                        

                                                                                

16      (a) By a person providing health benefits or an employment                  

                                                                                

17  benefit plan or payroll plan.                                               

                                                                                

18      (b) By a person when determining an individual applicant's                  

                                                                                

19  suitability for an employment opportunity.                                  

                                                                                

20      (c) By a person in lawful pursuit or enforcement of a                       

                                                                                

21  person's legal rights, including the audit, collection,                     

                                                                                

22  investigation, or transfer of a debt, claim, receivable, or                 

                                                                                

23  account or an interest in a receivable or account.                          

                                                                                

24      (d) By a person who is subject to and regulated by a statute                

                                                                                

25  administered by a regulatory board or officer acting under                  

                                                                                

26  authority of this state or the United States that confers                   

                                                                                

27  exclusive jurisdiction on that regulatory board or officer to               


1   authorize, prohibit, or regulate the transactions and conduct of            

                                                                                

2   that person, if the act does not violate state or federal law.              

                                                                                

3   The statutes described in this subdivision include, but are not             

                                                                                

4   limited to, any state or federal statute governing a financial              

                                                                                

5   institution and the insurance code of 1956, 1956 PA 218, MCL                

                                                                                

6   500.100 to 500.8302.  However, the disclosure must be for 1 of              

                                                                                

7   the following purposes:                                                     

                                                                                

8       (i) Verification of identity or other administrative purpose

                                                                                

9   related to a transaction, product, or service or proposed                   

                                                                                

10  transaction, product, or service, including investigating and               

                                                                                

11  checking the individual's credit <<, claim, or driving>> history.           

                                                                                

12      (ii) Detecting, preventing, or deterring a financial crime,                  

                                                                                

13  identity theft, or the funding of a criminal activity.                      

                                                                                

14      (e) By a person who is a vendor or contractor of a person                   

                                                                                

15  described in subdivision (a), (b), (c), or (d).                             

                                                                                

16      Sec. 4.  (1) A person who knowingly violates this act is                    

                                                                                

17  guilty of a misdemeanor punishable by imprisonment for not more             

                                                                                

18  than 93 days or a fine of not more than $1,000.00, or both.                 

                                                                                

19      (2) An individual may bring a civil action against a person                 

                                                                                

20  who violates this act and may recover actual damages or                     

                                                                                

21  $1,000.00, whichever is greater, plus reasonable attorney fees.             

                                                                                

22      Enacting section 1.  This act takes effect March 31, 2004.