5/13/2008 State of New York Law Enforces the Protection of Social Security Numbers


This just in from FRCA expert Pam Devata and Seyfarth Shaw: New York Employers Face Penalties if The Fail To Secure Employee Social Security Numbers. This law new law affects New York employers who collect Social Security Numbers on their job applicants and employees; in other words, every New York employer. Employers obviously need this information for a variety of reasons including its importance when conducting background checks. This update references a rather shocking stat: “In a 2006 survey conducted by the Identity Theft Resource Center (ITRC), a not-for-profit organization which provides information and support to identity theft victims, 12% of those surveyed reported that their personal information had been stolen at the workplace.”

We took this off the State of New York’s website:

Confidentiality of Social Security Numbers – General Business Law §399-DD

Places limits on the use and dissemination of Social Security Numbers (SSN) beginning January 1, 2008. The law prohibits the intentional communication of an individual’s SSN to the general public; restricts businesses’ ability to print a SSN on mailings or on any card or tag required to access products, services or benefits; prohibits businesses from requiring an individual to transmit his or her unencrypted SSN over the Internet; and requires businesses possessing SSN to implement safeguards and limit unnecessary employee access to the data.

According to Seyfarth Shaw, the New York Social Security New York Protection Law (NY Gen. Bus. § 399-dd) prohibits the following:

  • Intentionally communicating an employee’s social security number to “the general public or otherwise make [it] available to the general public”;
  • Printing an employee’s social security number on any card or tag required to access services or benefits provided by the employer;
  • Requiring an employee to transmit his or her social security number over the Internet unless “the connection is secure or the social security account number is encrypted”;
  • Requiring an employee to use his or her social security number to access an Internet web site unless “a password or unique personal identification number or other authentication device is also required to access the Internet website”;
  • Printing an employee’s social security number on any materials to be mailed unless state or federal law requires that this information be on the document.

Seyfarth offers the following compliance tips:

  • Have a written privacy policy (that includes disposal procedures that are consistent with accepted industry practice and satisfy legal requirements);
  • Lock up and limit access to employee personal information;
  • Conduct background checks on employees who will have access to personal information;
  • Limit retention of personal information to only that which is essential;
  • Train employees on privacy and document disposal policies;
  • Encourage employees to report any possible security breaches;
  • Avoid using or disclosing an employee’s social security number for any purpose other than that required by law or legitimate and necessary business purpose; and
  • Take proper security precautions when terminating employees who have access to personal information (e.g., changing computer access codes).

Read the full article here . . .