Four years ago, New York enacted a Social Security Number Protection Law, N.Y. Gen. Bus. Law, §399-dd, aimed at combating identity theft by requiring employers to better safeguard employee social security numbers in their possession. Now, New York is going one step further with its passage of two new Social Security Number Protection laws.
First a note: as of November 12, 2012, §399-dd – the original Social Security Protection Law – will be re-codified as new §399-ddd, and it will also add the statutory language of the first of these two new laws, which prohibits employers from hiring inmates for any job that would provide them with access to social security numbers of other individuals.
The second law, which is codified as a separate new §399-ddd, enhances the requirements for safeguarding employee social security number while also adding similar protections for consumers. This law prohibits companies from requiring employees and consumers to disclose their social security numbers or to refuse any service, privilege or right to the employee or customer for refusing to make that disclosure, unless (i) required by law, (ii) subject to one of its many exceptions, or (iii) encrypted by the employer. This law also applies to any numbers derived from the individual’s social security number, which means that it extends, for example, to situations where the company asks the individual for the last four digits of their number. It is unclear whether this law will prove effective in accomplishing its objectives.
First, it contains an exception with the potential to swallow the rule – where the individual consents to the use of the social security number, which many individuals may freely provide absent knowledge of this law’s protections. Even with an employee’s consent, however, employers must still be mindful that other provisions of the original Social Security Number Protection Law requires them to institute certain safeguards to protect against the number’s disclosure. And further, even if the employer obtains the employee’s consent, the original law still prohibits employers from utilizing an employee’s social security account number on any card or tag required for the individual to access products, services or benefits provided by the employer.
Second, the penalties for violations are minimal – up to $500 for the first violation and $1,000 for each violation thereafter, and can be avoided where the employer shows the violation was unintentional and occurred notwithstanding the existence of procedures designed to avoid such violations. Further, there is no private right of action, and only the Attorney General can enforce the law.
Governor Cuomo signed the acts into law on August 14, 2012. The inmate law will take effect on November 12, 2012 and the disclosure law will take effect thirty days later on December 12, 2012. Now if he would only sign the recently passed wage deduction law.