On July 9, 2008, New York Governor David Paterson signed Bill No. A11752 / S8376A, protecting consumers and employees against identity theft. An earlier Seyfarth One Minute Memo discussed changes to N.Y. Gen. Bus. Law § 399-dd, which regulates any business use or communication of an individual’s Social Security number to an external party. The new measure, which becomes effective in January 2009, amends New York State Labor Law § 203-D and regulates employers’ internal use of personal identifying information, including Social Security numbers.

The new provision restricts employers’ ability to use or communicate employees’ personal identifying information, a broadly defined term including an employee’s “Social Security number, home address or telephone number, personal electronic mail address, internet identification name [i.e., user ID] or password, parent’s surname prior to marriage, or drivers’ license number.” Specifically, employers cannot, unless otherwise required by law: 

  • publicly post or display an employee’s personal identifying information; 
  • visibly print any personal identifying information on any employee identification badge or card, including any time card; 
  • place personal identifying information in any file with unrestricted access; or
  • otherwise communicate an employee’s personal identifying information to the general public.

In addition, Social Security numbers may not be used as identification numbers for purposes of any occupational licensing.

The amendment also includes punitive measures and subjects employers to civil penalties of up to $500 per violation for any “knowing” violation of these provisions. Importantly, a violation is presumptively considered “knowing” if the employer “has not put in place any policies or procedures to safeguard against such violation, including procedures to notify relevant employees of these provisions.”

This new amendment is part of an increasing commitment by legislatures around the country to protect employees against the overuse of their personal information, particularly Social Security numbers. The new amendment presumes that an employer’s failure to safeguard its workforce’s personal identifying information is the equivalent of a knowing public disclosure, even if the information was inadvertently released or stolen.

Employers are well-advised to review their use of full or partial Social Security numbers and all other personal identifying information for any internal purpose, and any doubts should be resolved in favor of greater protection of such information. Further, privacy policies must be clearly communicated to the managers and employees responsible for enforcing these policies, including, at a minimum, all human resources, recruiting, benefits, and information technology personnel who may collect or have access to employees’ personal identifying information.