United States: New York Enacts Social Security Number Protection Law

Last Updated: October 23 2006
Article by Mauricio F. Paez

Consistent with the New York state government’s attempt to counteract the growing threat of identity theft, on September 26, 2006, Governor Pataki enacted legislation placing limits on the use and dissemination of Social Security account numbers (the "NY Social Security Number Protection Law"). Enacted alongside two other measures aimed at thwarting identity theft, the NY Social Security Number Protection Law will impose harsh penalties on companies that fail to protect the confidentiality of Social Security numbers in their possession. These obligations become effective January 1, 2008. This Commentary provides a brief overview of the NY Social Security Number Protection Law.

Social Security Number Protection Statute

The NY Social Security Number Protection Law applies to all nongovernmental bodies, including individuals, corporations, and partnerships. Generally, the legislation restricts the use and communication of Social Security numbers in order to maintain their confidentiality and make it more difficult for criminals to acquire the nine-digit number that uniquely identifies almost all Americans. The statute defines "Social Security number" as the unique number issued to citizens and residents of the United States by the federal Social Security Administration. The statutory definition also encompasses any number derived from an individual’s Social Security number.

The impact of this broad definition is far-reaching. For example, records containing only part of the nine-digit Social Security number also fall under the law’s scope. A great number of businesses currently use the last four digits of a Social Security number. These businesses will have to implement new policies in order to ensure compliance. Generally, the statute regulates two activities: (i) the communication of Social Security numbers; and (ii) the maintenance of records containing Social Security numbers.

Communications Containing Social Security Numbers. A Social Security number is the No. 1 identifier used by criminals in identity theft. Not surprisingly, the increasing use and dissemination of Social Security numbers by businesses in their communications with current and prospective customers have come under fire. Criminals attempt to intercept various communication paths and retrieve confidential information, including Social Security numbers, in order to garner the data needed to steal an identity. The NY Social Security Number Protection Law regulates five realms of communication to minimize the interception of sensitive information by criminals: (i) communications to the public; (ii) access cards used for services, benefits, and products; (iii) transmission over the internet; (iv) internet access and authentication; and (v) mail correspondence.

First, the statute makes it illegal to intentionally communicate a Social Security number to the general public (although it permits individuals to disclose their own Social Security numbers as they deem appropriate). This provision is technology-neutral and encompasses all forms of communication, both oral and written.

The second aspect of the legislation prohibits making the access of services, benefits, or products contingent on the use of access cards or tags printed with an individual’s Social Security number. Typical violations include health-care providers issuing membership cards printed with the cardholder’s Social Security number and employers issuing building-access cards with the employee’s Social Security number, or even a portion thereof.

The third and fourth components of the legislation specifically target the use and dissemination of Social Security numbers over the internet. The statute prohibits companies from requiring an individual to transmit his or her Social Security number over the internet unless the connection is secure or the Social Security number itself is encrypted. The lack of clarity in the statute’s requirements for encrypted transfers and secure connections provides incentive for companies to ensure that their current encryption and security protocols are, at a minimum, on par with current industry standards.

Furthermore, the new law does not permit a Social Security number to serve as the sole means of authentication. For example, companies are prohibited from requiring a Social Security number as a password to access a web site. Web-site access must not be based solely on a Social Security number, or even a partial derivative of one. This ensures that potentially sensitive online information cannot be accessed using a compromised Social Security number, a protection that benefits both consumers and businesses. In conjunction with the identifying Social Security number, web sites must use a unique password, PIN, or similar authentication device in order to establish and authenticate the identity of the user. By reducing, or even eliminating, the use of Social Security numbers for accessing online services, businesses can minimize their risk exposure under the new law.

The fifth and final communication element of the statute regulates the use of Social Security numbers in mail correspondence with individuals. Although the statute places a blanket prohibition on mailing material printed with an individual’s Social Security number, numerous exceptions apply. Documents printed with an individual’s Social Security number may be mailed if mandated by federal or state law. Additionally, forms or applications, including those used to establish or cancel accounts, may still contain an individual’s Social Security number if the number is contained inside a sealed envelope and cannot be viewed unless the envelope is opened. This necessarily means that any type of postcard or similar document containing a Social Security number that is plainly viewable can no longer be sent in the mail without first being placed in an envelope. Mail-order catalogues, magazines, and similar marketing devices are particularly at risk in this category because mailing labels may contain a subscriber’s partial or entire Social Security number. Companies should be aware that even a number based on an actual Social Security number exposes them to liability under the new law.

Access to Social Security Numbers. In addition to regulating communications containing an individual’s Social Security number, the NY Social Security Number Protection Law requires companies to adopt reasonable measures to limit access to Social Security numbers in their possession. Specifically, employees accessing Social Security numbers must have a legitimate business purpose for doing so. Unfortunately, the statute does not define these reasonable measures. In light of the overall objective of the legislation, companies will need to ensure that employee access to Social Security numbers is kept to an absolute minimum. Moreover, companies must store Social Security numbers in a manner designed to preclude unauthorized access and to ensure confidentiality. Adherence to these security measures is a defense against alleged violations of the unsecured communication obligations noted above.

Statutory Exceptions and Defenses. The NY Social Security Number Protection Law specifically exempts encrypted Social Security numbers from its scope. Proper use of encryption techniques and operational controls may permit companies to safely store and transmit Social Security numbers outside the purview of the statutory requirements. Additionally, the statute expressly exempts the collection, use, or release of an individual’s Social Security number if it is required by federal or state law and for a company’s general administrative purposes, internal verification, or fraud investigation. Moreover, use of a Social Security number in relation to a business function authorized by the Gramm-Leach-Bliley Act (15 U.S.C. § 6802) is exempt from the NY Social Security Number Protection Law.

Consequences of Noncompliance

Companies and individuals that violate the NY Social Security Number Protection Law face several penalties. The statute authorizes the New York state attorney general to initiate a claim against suspected violators and to seek a judicially imposed suspension of the violating practices for the duration of the proceeding. If these practices are unlawful, the court may permanently suspend the violating activities. Furthermore, a court has the discretion to levy civil fines for violations of any of the five statutory provisions relating to the communication of Social Security numbers. First-time violators face a penalty of $1,000 per violation, up to a maximum of $100,000 for multiple violations resulting from a single incident, such as when a hacker gains access to multiple Social Security numbers at once. Second-time violators face penalties of $5,000 per violation, with a maximum of $250,000 for multiple violations resulting from a single incident. Imposition of these penalties can occur even if the individual whose Social Security number was compromised did not suffer personal harm. Although the new law does not give a cause of action to individuals nor allow them to compel the attorney general to sue, other laws exist that may expose companies to additional liability.

It is important to note that the NY Social Security Number Protection Law makes any waiver void and unenforceable. However, there are some defenses available. Companies may assert as a defense that the violation was unintentional or that it resulted from a bona fide error. Also, as previously noted, a company can demonstrate that it had implemented reasonable measures to restrict access to the Social Security numbers, in which case it may avoid liability.

Strategies for Compliance

The effects of this new legislation will likely be far-reaching and involve a wide array of companies, partnerships, and individuals. Business organizations should follow a three-part strategy to ensure full compliance by January 1, 2008. Phase One involves an assessment of how, when, and where Social Security numbers are used. The exact audit procedures will be specific to each organization, but some common examples include:

  • Evaluating all standard operating procedures to determine how Social Security numbers are gathered, stored, and used.
  • Examining current customer and employee records to determine whether Social Security numbers are being used as ID numbers to facilitate access to web sites, facilities, services, or benefits.
  • Reviewing all third-party service providers and contracts to determine the extent of their ability to access or use Social Security numbers.
  • Assessing current marketing, accounting, and any other business functions making use of online and traditional mail correspondence, in order to restrict the use of Social Security numbers in any such communication.

Phase Two should involve a determination of whether the use of Social Security numbers is necessary. Where such use is necessary, companies should establish managerial procedures and controls to avoid violating the law. Procedures and controls include:

  • Limiting employee access to Social Security numbers to a "need to know" basis, using passwords and other techniques.
  • Training employees on the importance of ensuring the confidentiality of Social Security numbers as well as the costs associated with the use or dissemination of such information in violation of the law.
  • Implementing policies and controls to monitor access to records containing Social Security numbers and protect them from unauthorized access.

Lastly, companies should employ technological measures to use, store, and communicate Social Security numbers in full compliance with the legislation. Such measures may include:

  • Storing all Social Security numbers and their derivatives in encrypted form to ensure data security.
  • Ensuring secure connections when accessing Social Security numbers over a local network or the internet.
  • Implementing a system that uniquely identifies customers, web-site users, and employees by means of a proprietary alphanumeric format not related to Social Security numbers or other sensitive personal information.
  • Electronically logging all authenticated and unauthenticated access to records containing Social Security numbers, as well as any attempts to access those records.
  • Ensuring the use of adequate encryption algorithms for any Social Security number that is accessible over a local network or the internet.
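As an added illustration of the Phase Two and Phase Three controls listed above (this is example code written for this commentary, not code from the article, its author, or any vendor), the following Go program keeps Social Security numbers only as AES-GCM ciphertext, identifies customers by a random identifier that contains no SSN digits, releases a number only for a purpose the business has marked as a legitimate need, records every access attempt whether allowed or denied, and flags identifiers derived from an SSN such as the "last four". The type and function names, the sample SSN, and the purpose labels are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// Vault keeps SSNs only as AES-GCM ciphertext under random IDs that carry no SSN digits.
type Vault struct {
	aead     cipher.AEAD
	records  map[string][]byte // customer ID -> nonce || ciphertext
	Purposes map[string]bool   // purposes the business treats as a legitimate need
	Audit    []string          // one line per access attempt, authorised or not
}

// NewVault takes a 16-, 24- or 32-byte AES key (from a KMS in production, never a config file).
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	return &Vault{aead: aead, records: map[string][]byte{}, Purposes: map[string]bool{}}, nil
}

// Store rejects anything but a full SSN, encrypts it under a fresh nonce with the
// new customer ID bound as associated data, and returns that ID for use elsewhere.
func (v *Vault) Store(ssn string) (string, error) {
	if !regexp.MustCompile(`^\d{3}-?\d{2}-?\d{4}$`).MatchString(ssn) {
		return "", errors.New("input is not a well-formed SSN")
	}
	buf := make([]byte, 8+v.aead.NonceSize()) // random ID bytes, then the nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return "", err
	}
	id, nonce := "C-"+strings.ToUpper(hex.EncodeToString(buf[:8])), buf[8:]
	v.records[id] = v.aead.Seal(nonce, nonce, []byte(ssn), []byte(id))
	return id, nil
}

// Reveal decrypts only for a recognised purpose and logs the attempt either way.
func (v *Vault) Reveal(employee, purpose, id string) (string, error) {
	allowed := v.Purposes[purpose]
	v.Audit = append(v.Audit, fmt.Sprintf("employee=%s purpose=%q record=%s allowed=%t", employee, purpose, id, allowed))
	if !allowed {
		return "", errors.New("access denied: no legitimate business purpose")
	}
	ct, ok := v.records[id]
	if !ok {
		return "", errors.New("no such record")
	}
	n := v.aead.NonceSize()
	pt, err := v.aead.Open(nil, ct[:n], ct[n:], []byte(id))
	return string(pt), err
}

// IsSSNDerived flags an identifier reusing four or more consecutive SSN digits (e.g. the "last four").
func IsSSNDerived(identifier, ssn string) bool {
	digits := strings.ReplaceAll(ssn, "-", "")
	for _, run := range regexp.MustCompile(`\d+`).FindAllString(identifier, -1) {
		if len(run) >= 4 && strings.Contains(digits, run) {
			return true
		}
	}
	return false
}
```

A denied request still produces an audit line, which is the record an organization would keep to show that access is restricted to a legitimate business purpose.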

Conclusion

The NY Social Security Number Protection Law is the latest attempt by the New York state government to thwart the rapid increase in identity-theft crimes by implementing robust legislation that places the onus of data protection on companies. New York is not alone in this regard; several other states have enacted similar legislation aimed at countering identity theft. In 2005, Arizona implemented a law nearly identical to the New York legislation. California, typically an innovator in privacy legislation, has similar restrictions on the use and dissemination of Social Security numbers. Colorado similarly passed Social Security number protection legislation governing not only the activities of individuals and corporations, but also those of the government itself. In Georgia, privacy laws apply to Social Security numbers in addition to other information commonly collected by companies, including driver’s license numbers, dates of birth, and credit information. Additionally, Texas, Connecticut, and Illinois have all enacted legislation limiting private-sector use of Social Security numbers. Companies are encouraged to initiate their compliance strategies quickly to ensure organization-wide compliance prior to government enforcement.
