A California law intended to stem the rising tide of identity theft based on improper access to an individual’s Social Security number (SB 168, Chapter 720 of the statutes of 2001) will affect retirement and health benefit plans that cover residents of California as well as written employee communications by California employers.

Background: What the Law Requires (and Does Not Require)

The law bans a "person" or "entity" from doing the following:

• Publicly posting or displaying Social Security numbers;
• Printing a Social Security number on an identification card required to access products or services;
• Requiring a person to transmit his or her Social Security number over the Internet unless the connection is secure or the Social Security number is encrypted;
• Requiring a person to use his or her Social Security number to access a Web site unless a password, PIN or other method of unique identification is used in conjunction with the Social Security number;
• Printing an individual’s Social Security number on mailings to the individual unless required by state or federal law. Notwithstanding this provision, applications and forms sent by mail may include Social Security numbers.

The law does not apply to California state and local agencies and does not stop the collection, use or release of a Social Security number if required by state or federal laws. However, there is no exemption for employers, sponsors of ERISA plans or plan service providers (e.g., third party administrators).

Implications

The following are among the implications and possible effects of SB 168 for employee benefit plans:

• The use of Social Security numbers on identification cards will be eliminated.
• The use of Social Security numbers on health plan explanation of benefit (EOB) forms and other correspondence to individuals will be eliminated.
• Health insurers, health maintenance organizations (HMOs) and pharmacy benefit managers (PBMs) may need to modify how their information systems use Social Security numbers.
• Retirement plan communications, including benefit statements, will be affected if they include Social Security numbers.
• Employers that send documents to employees containing their Social Security numbers (e.g., open enrollment materials) will need to review whether Social Security numbers may still be included.

Employers and plan sponsors should examine SB 168 and determine how it affects the communications they provide to employees, plan participants and beneficiaries. (Communications between a plan sponsor and its vendor are generally not affected because the law affects information sent to consumers.) Multi-state employers and plan sponsors will need to decide whether they intend make changes only for employees and participants who reside in California or for all employees and participants.

Plan sponsors and employers need to seek advice of legal counsel regarding the interpretation and implementation of SB 168. This is especially important since there is no state agency with authority to issue regulations that would clarify the meaning of the law. For example, there are unanswered questions about the application of the law to plan sponsors and employers located outside of California. However, the Office of Privacy within the California Department of Consumer Affairs will be publishing guidelines by July 1, 2002, which will include recommended business practices. To visit the Office of Privacy’s Web site, click here. A major question for employee benefit plans that are subject to ERISA is whether the new state law is pre-empted as to them.

Effective Dates

The law is generally effective July 1, 2002, but includes staggered effective dates between January 1, 2003 and July 1, 2005 for the health care industry. For new employer groups, the effective date is January 1, 2004. For individual and employer group policyholders in existence prior to January 1, 2004, the effective date is the renewal date (no later than July 1, 2005).

Insurers, HMOs, PBMs, health care providers (i.e., physicians, hospitals and other providers of medical services) and “contractors” (e.g., medical groups, independent practice associations and medical service organizations) must all comply.

Although multiemployer health and welfare plans and self-insured employer-sponsored health plans are not specifically listed in the group of entities with a later effective date, it has been suggested that the staggered effective dates would apply to self-insured group health plans and their administrators because they are in the health care industry. This, of course, squarely raises the ERISA preemption question.

Penalties Unclear

SB 168 is silent on the issue of penalties or enforcement procedures if a person or entity fails to comply with its provisions.

Outlook: Similar Legislation and ERISA Preemption

Similar laws are pending in Congress and at least two other states. Consequently, restrictions on the use of Social Security numbers are likely to spread to jurisdictions beyond California. However, the impact of ERISA on these types of laws is unclear at this time.

Compliance Alert, The Segal Company’s periodic electronic newsletter summarizing important developments affecting benefit plan compliance, is for informational purposes only. It is not intended to provide authoritative guidance. On all issues involving the interpretation or application of laws and regulations, plan sponsors should rely on their attorneys for legal advice.

Back to Top