Privacy/Employment Advisory: New York Legislation Targets Identity Theft



7/24/2008

Identity theft is a growing scourge affecting an estimated 10 million Americans annually. Personal information that facilitates identity theft is highly accessible in the workplace, and companies failing to secure this information continue to put themselves and their employees at risk. In response, New York increased its protection of employee personal information through its recent passage of the Social Security Number Protection Law (“SSNL”), which penalizes employers for failing to manage their documentation and use of employee Social Security numbers adequately.

The SSNL requires employers to take (1) precautionary measures when displaying, disseminating, or using employee Social Security numbers, and (2) protective measures in the management of those Social Security numbers. Specifically, the SSNL prohibits employers from:

  • communicating or making an individual’s Social Security number available to the general public;
  • printing an individual’s Social Security number on any card or tag required by the individual to access products, services or benefits provided by the employer;
  • requiring an individual to transmit his or her Social Security number over the internet unless over a secure transmission or encrypted connection; and
  • printing an individual’s Social Security number on any materials that will be mailed to the individual unless required by law.

Despite these restrictions, employers may collect, use, or release employee Social Security numbers where required by law, for internal investigative purposes, for administrative purposes, and for any business function allowed under regulations concerning consumer financial information. Employers may also include Social Security numbers inside mailed documents sent as part of an application or enrollment process, or that establish, amend, or terminate an account, contract, or policy, or to confirm the accuracy of the Social Security number.

The SSNL also requires employers (1) to take reasonable steps to ensure that only specially designated employees have access to Social Security numbers for legitimate business-related purposes, and (2) to institute safeguards that will prevent unauthorized access to Social Security numbers and protect the confidentiality of those numbers.

The failure of employers to meet the SSNL’s requirements is no longer punishable simply by harm to the company’s reputation through negative media reports; rather, it is backed by steep civil penalties. First-time violators face a penalty of $1,000 per violation, up to a maximum of $100,000 for multiple violations resulting from a single incident, such as when a hacker gains access to multiple Social Security numbers at once. Second-time violators face penalties of $5,000 per violation, with a maximum of $250,000 for multiple violations resulting from a single incident. Imposition of these penalties can occur even if the individual whose Social Security number was compromised did not suffer personal harm.

New York legislators also continue to introduce new legislation aimed at strengthening protection of employee personal information beyond the protections afforded by the SSNL. In light of these developments, employers should undertake to ensure that they are complying with the SSNL by instituting reasonable precautionary measures to protect Social Security numbers, including:

  • instituting a written privacy policy;
  • regulating disposal procedures for documents containing personal information;
  • limiting access to employee personal information;
  • performing background checks on employees who have access to personal information;
  • training employees with access to personal information;
  • encouraging employees to report breaches;
  • avoiding the use and dissemination of Social Security numbers except where necessary; and
  • preventing former employees from accessing company information.

In addition to the New York law, many other states have similar laws governing use and dissemination of Social Security numbers.

View a complete list and comparison chart of these laws.


Employers are well advised to seek the advice of counsel to help comply with New York’s Social Security Number Protection Law, other state laws governing the use of Social Security numbers, and other privacy laws governing your company. If you have any questions regarding the subject covered in this Alert, or any related issue, please feel free to contact an attorney listed below or any of Mintz Levin’s Labor, Employment and Benefits or Privacy and Security practice attorneys.

PRIVACY AND SECURITY

Cynthia J. Larose, CIPP
(617) 348-1732
CJLarose@mintz.com

Julie E. Korostoff
(617) 348-1638
JKorostoff@mintz.com

Susan L. Foster, Ph.D.
+44 (0) 20 7776 7330
SFoster@Mintz.com

Julia M. Siripurapu
(617) 348-3039
JSiripurapu@Mintz.com

EMPLOYMENT, LABOR AND BENEFITS

Jennifer B. Rubin
(212) 692-6766
JBRubin@mintz.com

James R. Hays
(212) 692-6276
JRHays@mintz.com

Jennifer F. DiMarco
(212) 692-6260
JFDiMarco@mintz.com

Michael S. Arnold
(212) 692-6866
MArnold@mintz.com
