Effective October 1, 2008, Connecticut will require persons collecting personal information, including employers, to undertake certain procedures designed to protect employees and consumers from whom information is gathered. Public Act No. 08-167, titled “An Act Concerning the Confidentiality of Social Security Numbers,” was approved on June 10, 2008, and consists of two primary mandates.

First, persons in possession of the “personal information” of others must safeguard the media containing the information and destroy or render unreadable such media prior to disposal.

Secondly, persons who collect Social Security numbers in the course of business must create and publish or publicly display a privacy protection policy. This public display may include posting on an Internet web site, and the privacy protection policy must ensure confidentiality, prohibit unlawful disclosure, and limit access of Social Security numbers.

The Act defines “personal information” as information capable of being associated with a particular individual through one or more identifiers, which include Social Security numbers, driver’s license numbers, state ID numbers, and other common identifiers. However, “personal information” does not include publicly available information made available through government records or widely distributed media.

Enforcement of the Act is carried out through the Connecticut Department of Consumer Protection unless a person holds a license, registration, or certificate issued by another state agency, in which case that agency will enforce the legislation. Persons violating the provisions are subject to a civil penalty of $500 per violation, with the penalty not to exceed $500,000 for any single event.


The Act is available here.