Alert February 19, 2009

New York Legislation Places Further Restrictions on Use of Social Security Numbers by Employers

Beginning As of January 3, 2009, New York state further restricted the ability of New York employers to use Social Security numbers (SSNs) of their employees. The new measure adds to a growing body of state laws that place limitations on how and when social security numbers can be used, and expands the New York requirements concerning business use of SSNs.

New Restrictions

The legislation prohibits employers, except as required by federal or state law, from (i) publicly posting or displaying an employee’s social security number; (ii) visibly printing a social security number on any identification badge or card, including a time card; (iii) placing a social security number in files with unrestricted access; or (iv) communicating an employee’s personal identifying information to the general public. (N.Y. Lab. Law § 203-d).  As a result of the new law, businesses must now verify that employee SSNs are being stored in a secure manner so as to prevent unauthorized access. “Personal identifying information” includes not only SSNs, but also home addresses, telephone numbers, personal email addresses, internet identification names or passwords, a parent’s maiden name and drivers license numbers. The new measure also amends the existing law by including an additional prohibition on the use of SSNs under the General Business Law. The law now also prohibits businesses from encoding (rather than removing) a social security number, and any number derived from it, on a card or document either physically or digitally, by using a bar code, chip, magnetic strip or other technologies. (N.Y. Gen Bus. Law § 399-dd(f)). The new provisions also bar any SSNs from documents filed with the state, including any agency thereof, and with the courts.

The amendment also includes punitive measures and subjects employers to civil penalties of up to $500 per violation for any “knowing” violation of these provisions.  A violation is presumed “knowing” if the employer “has not put in place any policies or procedures to safeguard against such a violation, including procedures to notify relevant employees of these provisions.” (N.Y. Lab. Law § 203-d).

Existing Law

The law adds to existing limitations on the ability of companies to use SSNs, and any number derived from it (e.g. last four digits), that are already in place under New York Law. The New York Social Security Number Protection Law restricts companies from (i) intentionally communicating a social security number to the general public; (ii) printing a social security number on any card or tag required for the individual to access products, services or benefits provided by the business; (iii) requiring an individual to transmit his or her social security number over the Internet, unless the connection is secure or the social security number is encrypted; (iv) requiring an individual to use his or her social security number to access an Internet website, unless a password or unique personal ID number or authentication device is also required.; and (v) printing a social security number on any document that is mailed, other than in limited exceptions or unless otherwise required by law. (N.Y. Gen. Bus. Law § 399-dd).

Other Proposals

Public interest in limiting the use of SSNs was furthered on January 6, 2009 when Senator Dianne Feinstein (D-CA) introduced The Protecting the Privacy of Social Security Numbers Act (S.141). S.141 was co-sponsored by Senators Gregg (R-NH) and Snowe (R-ME) and would “prohibit federal, state and local governments from displaying Social Security numbers on public records posted on the Internet or from printing them on government checks; prevent inmates from employment that would give them access to Social Security numbers of other individuals; and, provide limits on when businesses can ask customers for their Social Security numbers.”