This advisory summarizes selected federal and state legislative developments affecting business uses of Social Security numbers (“SSNs”) and the liability of retail merchants to financial institutions in the event a merchant suffers a breach of data security.
Social Security Number Restrictions
Federal Legislation. Two key committees of the U.S. House of Representatives – the Ways and Means Committee and the Energy and Commerce Committee – reported bills to the House floor this past summer that would restrict the purchase, sale, display and disclosure of SSNs. It is anticipated that one or both of these bills, or some combination of the two, will be considered on the floor this fall and may pass the House prior to the end of this year’s session.
Unlike the House committees, which held hearings on their SSN bills and had substantial member involvement in the consideration of those bills, the Senate committees with jurisdiction over uses of SSNs have not yet taken up separate SSN bills. The Senate Commerce Committee, however, did report a comprehensive data security bill with an amendment that inserted certain restrictions on the use and display of SSNs. It appears, however, that movement in the Senate of either the Commerce Committee’s data security bill or separate SSN legislation could be delayed as the relevant committees and Senate leadership focus on other priorities for the remainder of the year.
The three key federal bills addressing SSNs that may be further considered are:
- H.R. 948, The Social Security Number Protection Act, reported by the House Committee on Energy and Commerce on June 13, 2007;
- H.R. 3046, The Social Security Number Privacy and Identity Theft Prevention Act, reported by the House Committee on Ways and Means on September 24, 2007; and
- S. 1178, The Identity Theft Prevention Act, reported by the Senate Committee on Commerce, Science, and Transportation on April 25, 2007.
The stated public policy goal of all three proposals is to reduce the occurrence of identity theft by restricting access to SSNs – numbers that are often used to commit the crime. However, some provisions of the proposed federal legislation are drafted broadly enough that they may also limit the ability of legitimate businesses to use SSNs for what are currently lawful purposes. As a result, affected businesses and their representative trade associations have urged the committees to amend the bills in ways that recognize the necessity of industry to use SSNs to verify the identity of their customers and for other business purposes. While each bill provides a set of exclusions for lawful uses of SSNs, it is unclear whether those exclusions would ultimately be sufficiently broad to ensure that businesses can continue to use SSNs for all of the vital operations in which the numbers are now used.
Federal lobbying efforts by interested businesses, trade associations and consumer advocacy groups are expected to continue this month as the House draws closer to the end of its legislative session and considers more bills on the floor.
State Laws. While Congress considers enacting a new federal law regarding SSNs, more than half of the states have already enacted laws restricting the display and disclosure of SSNs. Nearly all of these laws, however, have exemptions that permit legitimate businesses to continue using SSNs as needed and as required by other laws. Two notable exceptions to this approach are the laws enacted by New York and Minnesota. For example, the newly passed law in New York, which will take effect on January 1, 2008, includes in the definition of an SSN any number “derived from” an SSN. As a result, the law’s restrictions appear to also apply to truncated SSNs (i.e., numbers displaying a subset of a full SSN’s nine digits). In Minnesota, a law that would prohibit the sale of an SSN obtained from a consumer in the course of business created so much controversy that the effective date of the law was postponed until July 1, 2008. It is expected that when the Minnesota legislature reconvenes in the new year, this law will receive significant attention by members as businesses urge them to amend the law to address industry concerns.
Merchant Liability Laws
Minnesota is also the only state, to date, that has enacted a law that would require retail merchants to reimburse financial institutions for the costs to remedy certain harms incurred by their customers as a result of a data security breach suffered by a merchant. Similar legislation that passed the California legislature in September was recently vetoed by Governor Schwarzenegger, and proposed “merchant liability” bills in Texas and Connecticut did not pass prior to the adjournment of those legislatures. Merchant liability bills, however, are still pending in Illinois, Massachusetts and New Jersey, but are not being advanced at this time.
Under the Minnesota law, which passed the legislature on May 18, 2007, and was signed by Governor Pawlenty on May 21, 2007, a merchant that suffers a data security breach affecting Minnesota residents must reimburse the residents’ respective financial institutions for any costs associated with the cancellation or reissuance of debit and credit cards, the blocking of transactions, the closing or reopening of accounts, the issuance of refunds, or any security breach notification delivered to the resident. The new law also contains a provision prohibiting merchants engaged in debit or credit card transactions from retaining “the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or, in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction.” While courts have yet to publish opinions regarding the application of this law (in connection with litigation stemming from a merchant’s security breach), it appears that merchants that maintain full compliance with the new law’s data retention provisions may be able to argue in any such litigation that their compliance with these provisions insulates them from additional liability for the remedial costs financial institutions incur. Additionally, while the data retention rules became effective on August 1, 2007, the merchant liability provisions of the law will not become effective until August 1, 2008.