Reports of identity theft — one of the nation's fastest-growing financial crimes — continue to make headline news. Articles like "Worker Charged in Hospital File Thefts,"1 "Employment Records Prove Ripe Source for Identity Theft,"2 and "Liability for Employee Identity Theft is Growing"3 reflect that employers are not immune from exposure to this crime. In fact, one of the primary sources of identity fraud is theft of employer records, according to a 2002 report by credit information provider TransUnion. Additionally, according to the Federal Trade Commission (FTC), approximately 90% of business-record identity thefts involve stealing payroll or employment records. The remaining 10% of such thefts involve customer lists. The consequences are significant: Nearly 10 million Americans were victims of identity theft in 2008, up 22% from 2007, according to one study.4
While it is uncertain whether the economic downturn is to blame for any increase in identity theft, it is certain that New York employers now can be held liable if they fail to protect their employees from identity theft.
Adopting Labor Law Section 203-d, New York Joins Growing Trend
Recognizing the dangers of identity theft in the workplace, New York has joined a growing number of states that have enacted laws intended to protect employees from identity theft.5 Specifically, New York recently amended its Labor Law, adding section 203-d6 to prohibit all employers, regardless of size, from:
- publicly posting or displaying an employee's Social Security number;7
- visibly printing an employee's Social Security number on any identification badge or card, including any time card;
- placing a Social Security number in files with unrestricted access; or
- communicating to the general public employees' personal identifying information including: Social Security numbers, home addresses or telephone numbers, personal electronic mail addresses, Internet identification names or passwords, parent's surname before marriage, or drivers' license numbers.
The law also prohibits employers from using a Social Security number as an identification number for purposes of any occupational licensing.
Section 203-d requires employers to take "reasonable measures" to ensure that the personal identifying information is not disseminated. To that end, employers must implement mechanisms both to safeguard against certain uses of employees' personal identifying information and to inform employees of their rights under this new law.
The law imposes a civil penalty of up to $500 on any employer for a "knowing violation" of this statute. A violation is "knowing" if an employer has not implemented any policies or procedures to safeguard against such violation, including procedures to notify employees of the law.
Labor Law section 203-d is silent as to what constitutes a single "violation." Consequently, it remains unclear whether an employer's publication of a single list containing the personal identifying information of several employees would amount to single or multiple violations.
The Labor Law amendment also is silent as to whether there is a private right of action and whether employers are restricted from using the last four digits of an employee's Social Security number or any number derived from the full Social Security number for identification purposes, seniority lists or for any other reason. The Labor Law amendment does not define "Social Security number," unlike New York's Public Officers Law and General Business Law, which define "Social Security Account Number" to include "the nine digit account number issued by the federal social security administration and any number derived therefrom."8 (emphasis added).
The New York State Department of Labor, charged with interpreting and enforcing the Labor Law, has not issued any regulations that would provide guidance regarding these issues.
Recommendations for Employers
To be sure, there is some ambiguity in the Labor Law amendment and uncertainty as to how it will be interpreted and enforced by the New York State Department of Labor. Nonetheless, employers should prepare their workplaces to ensure compliance with Labor Law section 203-d and to minimize potential exposure to liability by doing, at a minimum, the following:
- Implement and distribute a written privacy protection policy that informs employees of the Labor Law's requirements and the company's procedures for safeguarding personal identifying information.
- Evaluate how employees' Social Security numbers are used in your business. Remove Social Security numbers from public postings and employer-provided badges and cards. Consider creating an employee identification number system in lieu of using Social Security numbers for identification purposes.
- Implement controls to restrict access to Social Security numbers and other personal identifying information only to those with a "need-to-know."
- Centralize responsibility for disclosing Social Security numbers and other personal identifying information to one person or one office to reduce the risk of unauthorized or accidental disclosure.
- Develop a vendor management policy to ensure that vendors are contractually obligated to safeguard Social Security numbers and other personal identifying information.
- Train employees, including information technology personnel, on the necessity of safeguarding employee and customer personal identifying information and on how to safeguard such information in accordance with the company's policies and procedures.
- Develop uniform standards throughout the company for managing the threat of identity theft to customers, employees and the business itself, and develop an action plan for responding to an identity theft situation.
- Conduct a privacy self-audit to review whether all of the information collected on employees and customers is essential, where it is maintained, who has access to it, and how it is handled.
1 John Eligon, N.Y. Times, Apr. 13, 2008.
2 Stephanie Armour, USA Today, Jan. 23, 2003.
3 Diane Cadrain, HR Magazine, June 2005.
4 Identity Theft Hits Record 10M Americans, CNNMoney.com, Feb. 9, 2009.
5 More than two dozen states have enacted legislation restricting, among other things, employers' use of employee Social Security numbers: Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Georgia, Hawaii, Illinois, Kansas, Maryland, Michigan, Minnesota, Missouri, Nebraska, New Jersey, New Mexico, North Carolina, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont and Virginia. California also prohibits employers from including more than the last four digits of an employee's Social Security number on his or her pay statement, and Maryland prohibits employers from printing an employee's Social Security number on a paycheck, notice of direct deposit, or notice of credit to an employee's debit card account.
6 N.Y. Lab. Law § 203-d (eff. Jan. 3, 2009). The Labor Law amendment was part of Bill No. S8376A, which adopted several laws relating to identity theft, including amendments to New York's Executive Law, General Business Law, Public Officers Law, Penal Law, and Criminal Procedure Law. New York prohibits businesses from internally communicating or making available to the general public an individual's Social Security number. General Business Law § 399-dd.
7 Social Security numbers are widely used personal identifiers, and as a consequence, they are one of the primary tools used to commit identity theft. Identity thieves use a victim's Social Security number as a key to access the victim's financial benefits.
8 See N.Y. Public Off. Law § 96-a(2) and N.Y. Gen. Bus. Law § 399-dd.