On January 3, 2009, a new law took effect in New York limiting employers’ use of employees’ personal information. Like similar measures in legislatures throughout the country to prevent identity theft, the law is particularly concerned with employers’ transmittal of an employee’s personal information to the general public. Labor Law § 203-d prohibits employers from communicating an employee’s social security number (“SSN”), address, telephone number, personal e-mail address, internet user identification name or password, parent’s surname or driver’s license numbers to the general public. The law also prohibits employers from publicly displaying an employee’s SSN, printing SSNs on identification badges or time cards, or using SSNs to identify employees for licensing purposes. Additionally, employers must keep such information in files with restricted access.
For violations of the new law, the State Labor Commissioner may fine employers up to $500 for each “knowing” violation of the statute. Further, the absence of policies and procedures to safeguard against violations of this law “shall be presumptive evidence” of a knowing violation.
Employers should first review their use of full or partial SSNs and all other personal identifying information and assess compliance with the new law. Next, employers should draft privacy policies focusing on the use of personal information and specifying the individuals with access to such information. This policy should then be communicated to all employees, with special focus on human resources, recruiting, benefits, and information technology personnel who may have access to identifying information.