SB823: Social security numbers; penalty for intentionally communicating to general public.

SENATE BILL NO. 823
Offered January 10, 2007
Prefiled January 5, 2007
A BILL to amend and reenact §§ 2.2-3800, 59.1-443.2, and 59.1-444 of the Code of Virginia, relating to public dissemination of social security numbers.
Patron-- Devolites Davis

Referred to Committee on General Laws and Technology

Be it enacted by the General Assembly of Virginia:

1. That §§ 2.2-3800, 59.1-443.2, and 59.1-444 of the Code of Virginia are amended and reenacted as follows:

§ 2.2-3800. Short title; findings; principles of information practice.

A. This chapter may be cited as the "Government Data Collection and Dissemination Practices Act."

B. The General Assembly finds that:

1. An individual's privacy is directly affected by the extensive collection, maintenance, use and dissemination of personal information;

2. The increasing use of computers and sophisticated information technology has greatly magnified the harm that can occur from these practices;

3. An individual's opportunities to secure employment, insurance, credit, and his right to due process, and other legal protections are endangered by the misuse of certain of these personal information systems; and

4. In order to preserve the rights guaranteed a citizen in a free society, legislation is necessary to establish procedures to govern information systems containing records on individuals.

C. Recordkeeping agencies of the Commonwealth and political subdivisions shall adhere to the following principles of information practice to ensure safeguards for personal privacy:

1. There shall be no personal information system whose existence is secret.

2. Information shall not be collected unless the need for it has been clearly established in advance.

3. Information shall be appropriate and relevant to the purpose for which it has been collected.

4. Information shall not be obtained by fraudulent or unfair means.

5. Information shall not be used unless it is accurate and current.

6. There shall be a prescribed procedure for an individual to learn the purpose for which information has been recorded and particulars about its use and dissemination.

7. There shall be a clearly prescribed and uncomplicated procedure for an individual to correct, erase or amend inaccurate, obsolete or irrelevant information.

8. Any agency holding personal information shall assure its reliability and take precautions to prevent its misuse. On and after July 1, 2004, no agency shall display the social security number of a data subject on a student or employee identification card, except that for universities and colleges that have such a prevention plan for misuse of personal information in place on or before July 1, 2004, in compliance with this section, the date shall be January 1, 2005. On and after July 1, 2006, no agency shall display an individual's entire social security number on any student or employee identification card.

9. There shall be a clearly prescribed procedure to prevent personal information collected for one purpose from being used for another purpose.

10. The Commonwealth or any agency or political subdivision thereof shall not collect personal information except as explicitly or implicitly authorized by law.

D. After July 1, 2004, no agency, as defined in § 42.1-77, shall send or deliver or cause to be sent or delivered, any letter, envelope or package that displays a social security number on the face of the mailing envelope or package or from which a social security number is visible, whether on the outside or inside of the mailing envelope or package.

E. No person shall intentionally communicate or otherwise make available to the general public another individual's social security number regardless of whether the social security number was obtained from a public record or from a private source.

§ 59.1-443.2. Restricted use of social security numbers.

A. Except as otherwise specifically provided by law, a person shall not:

1. Intentionally communicate an individual's social security number to the general public;

2. Print an individual's social security number on any card required for the individual to access or receive products or services provided by the person;

3. Require an individual to use his social security number to access an Internet website, unless a password, unique personal identification number or other authentication device is also required to access the site; or

4. Send or cause to be sent or delivered any letter, envelope, or package that displays a social security number on the face of the mailing envelope or package, or from which a social security number is visible, whether on the outside or inside of the mailing envelope or package;

5. Intentionally communicate or otherwise make available to the general public another individual's social security number regardless of whether the social security number was obtained from a public record or from a private source.

B. This section does not prohibit the collection, use, or release of a social security number as permitted by the laws of the Commonwealth or the United States, or the use of a social security number for internal verification or administrative purposes unless such use is prohibited by a state or federal statute, rule, or regulation.

C. In the case of any (i) health care provider as defined in § 8.01-581.1, (ii) manager of a pharmacy benefit plan, (iii) insurer as defined in § 38.2-100, (iv) corporation providing a health services plan, (v) health maintenance organization providing a health care plan for health care services, or (vi) contractor of any such person, the prohibition contained in subdivision 2 of subsection A shall become effective on January 1, 2006.

D. This section shall not apply to (i) public bodies as defined in § 2.2-3701 or (ii) records required by law to be open to the public, and shall not be construed to limit access to records pursuant to the Virginia Freedom of Information Act (§ 2.2-3700 et seq.).

E. No person shall embed an encrypted or unencrypted social security number in or on a card or document, including, but not limited to, using a bar code, chip, magnetic strip, or other technology, in place of removing the social security number as required by this section.

§ 59.1-444. Damages.

A person aggrieved by a violation of any provision of this chapter, except § 59.1-443.2, shall be entitled to institute an action to recover damages in the amount of $100 per violation. In addition, if the aggrieved party prevails, he may be awarded reasonable attorney's fees and court costs. Actions under this section shall be brought in the general district court for the city or county in which the transaction or other violation that gave rise to the action occurred. A violation of the provisions of § 59.1-443.2 (i) is a prohibited practice under the Virginia Consumer Protection Act (§ 59.1-196 et seq.) and (ii) shall subject the violator to civil penalties of $1,000 per day, with each day being a separate violation.