Effective January 3, 2009, the New York Labor Law prohibits employers from publicly displaying employee Social Security Numbers ("SSNs"), printing employee SSNs on identification cards, and communicating to the general public employee SSNs or "personal identifying information." Previously, as you may recall, in February 2008, a Proskauer Law & the Workplace Client Alert discussed the amendments to the New York General Business Law protecting the confidentiality of SSNs by placing limitations on businesses' use and dissemination of such private information. This Client Alert addresses the new amendments to New York Labor Law, as well as the existing legal limitations on businesses' dissemination of SSNs.
New York Labor Law § 203-d
As enacted, Labor Law § 203-d restricts employers' use and dissemination of employee SSNs, as well as other "personal identifying information." Specifically, employers may not, unless otherwise required by law:
- Publicly post or display an employee's SSN;
- Visibly print a SSN on any ID badge or card, including time card;
- Place a SSN in files with unrestricted access; or
- Communicate an employee's personal identifying information to the general public.
N.Y. Lab. Law § 203-d.
Employers should note that the statute broadly defines "personal identifying information" to include an employee's SSN, home address or phone number, personal e-mail address, Internet ID or password, parent's surname prior to marriage, or driver's license number. The law also prohibits the use of SSNs as an ID number for the purposes of any occupational licensing.
The law imposes a civil penalty of up to $500 for any knowing violation of the statute. A violation will be presumed to be "knowing" if an employer failed to establish any policies or procedures to safeguard against such a violation, including procedures to notify relevant employees of the law.
New York Social Security Number Protection Law
As you may recall from our Client Alert in February 2008, the General Business Law was amended to prohibit any "person, firm, partnership, association or corporation" from using and disseminating an individual's SSN to further the public policy of protecting the confidentiality of this information. As such, the New York Social Security Number Protection Law requires that employers take steps to ensure that access to an individual's SSN is limited only to the entity's officers or employees who have a legitimate business need for such information. In addition, employers must provide appropriate safeguards to prevent unauthorized access to an individual's SSN and to protect its confidentiality. N.Y. Gen. Bus. Law § 399-dd. Concomitantly, this law includes a number of exceptions that appear to permit use of an individual's SSN on employment applications and related official personnel/payroll information forms, medical and other welfare benefit claim forms, pension or annuity benefit applications, COBRA forms, and survivor annuity waiver forms, to name but a few.
For more information on the New York Social Security Number Protection Law, please see our February 2008 Client Alert, click here.
Other Important Provisions of Bill No. S8376A
In addition to amending the New York Labor Law, Bill No. S8376A also amended the New York General Business Law to prohibit encoding or embedding SSNs in or on a card or document in place of removing the SSN as required. It also prohibits the filing of documents available for public inspection that contain a SSN of any other person, unless the other person has consented, or where required by law.
Bill No. S8376A also amended the New York Public Officers law to extend to public entities the prohibitions on communication of SSNs, which are already applicable to private businesses. However, this law does not become effective until January 1, 2010.
Finally, the Penal Law was amended to enable victims of identity theft to obtain restitution for the time they spend fixing their credit and financial history.
Best Practice Tips For Employers
Although employers must still collect SSNs and other personal identifying information, employers should adopt internal procedures and safeguards to ensure that access to this information is restricted, and is available only to employees and officers with a legitimate or necessary business purpose. Employers should review their use of SSNs and other personal identifying information to ensure that adequate protection is in place. In addition, employers should review their privacy policies and ensure that all relevant directors, managers, and supervisors have a thorough understanding of such policies. Finally, if your business has not already done so, consideration should be given to adopting a written protocol that is practical for the culture and nature of the business in order to ensure the confidentiality of and restrict access to "personal identifying information," and employee SSNs, except as otherwise permitted by law. Such a protocol, for example, might restrict access to the Human Resources Department, Officers of the business, and/or managers and supervisors who require access to this information for purposes of conducting the entity's business or plan administration.
Given the strong public policy considerations underlying enactment of New York Labor Law § 203-d, and the Social Security Number Protection Law, employers who take a broad interpretation of both laws, and who make a good effort to adopt written confidentiality protocols governing the use of SSNs and employee personal identifying information will be in a good position to avoid liability.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Specific Questions relating to this article should be addressed directly to the author.