Originally published April 24, 2008

In response to the continued wave of identity theft crimes throughout the state, New York enacted the Social Security Number Protection Law, NY Gen. Bus. § 399-dd, effective January 1, 2008. The legislation, which applies to any person, firm, partnership, association or corporation (hereinafter referred to as "company(ies)") - excluding the state or its political subdivisions - is designed to 1) limit a company's publication and dissemination of social security numbers in the ordinary course of business, and 2) require companies to implement safeguards preventing persons from accessing social security numbers, unless they need the information for a legitimate business purpose.

The new legislation defines a social security number as "the number issued by the federal social security administration and any number derived from such numbers," but expressly excludes numbers that have been encrypted. Employers who only reveal the last four digits of an individual's social security number in their business practices must still comply with the law.

With regard to restrictions on the use and dissemination of social security numbers, the legislation prohibits companies from:

  1. making an individual's social security number available to the general public, intentionally or otherwise
  2. printing social security numbers on any card or tag required for an individual to access products, services, or benefits provided by the company
  3. requiring an individual to transmit his/her social security number over the Internet, unless the connection is secure or the number is encrypted
  4. requiring an individual to use his/her social security number to access an Internet Web site, unless a password, PIN number, or other type of authenticating device is also required for the individual to access the Web site
  5. printing an individual's social security number on any materials that are mailed to the individual, unless a state or federal law requires the number to be on the document being mailed

Notwithstanding these restrictions, social security numbers may be included in: applications and forms sent by mail; documents that are sent as part of an application or enrollment process; documents being used to establish, amend, or terminate an account, contract, or policy; and documents that are used to confirm the accuracy of a social security number; provided, that the social security number is not visible when being mailed.

The legislation further provides that companies must "take reasonable measures to ensure that no officer or employee has access to [social security numbers] for any purpose other than for a legitimate or necessary [business] purpose . . . [and] provide safeguards necessary or appropriate to preclude unauthorized access to the social security account number and to protect the confidentiality of the number."

The statute does not indicate what types of "measures" and "safeguards" a company must implement, but the penalties for violating the statute are clear and harsh. Violations of items 1 through 5 above carry a monetary penalty of up to $100,000 for multiple violations resulting from a single incident, and up to $250,000 for subsequent violations, where multiple violations result from a single incident. There is, however, a statutory defense available to companies that can show that a violation occurred despite the exercise of reasonable care to protect social security number information.

Accordingly, companies are well advised to:

  • review all contracts, business forms, internal company forms, and mailers used in their businesses to determine whether they are requesting and/or disclosing social security numbers, and then determine whether the request and/or disclosure is necessary to accomplish a legitimate business objective
  • separate employee social security numbers from the rest of the personnel files, and then place the information under lock and key
  • institute a written policy indicating which employees/individuals are authorized to access social security numbers, the extent of their authority to access and/or disseminate such information, and what the reporting procedures are for individuals to advise management of any unauthorized access
  • maintain a log or record of when an individual accesses a person's social security number

In addition, companies should read the new legislation in tandem with existing New York laws governing confidential information. For example, NY Gen. Bus. § 399-h requires each New York employer to institute procedures, consistent with commonly accepted industry practices, to ensure that no unauthorized persons have access to an employee's personal information (such as social security numbers) when such information is disposed of or destroyed. Thus, at a minimum, companies should shred any information or paper documents containing social security numbers once they decide to dispose of the information. Also, NY Gen. Bus. § 899-aa obligates an employer to notify individuals who have had their confidential information compromised. Therefore, if a company's safeguards to protect an individual's social security number are breached, it should notify the individual immediately.

www.foxrothschild.com
