New York last week passed new legislation updating its social security number protection law. The amendment will go into effect at the end of the year. It prohibits companies from requiring individuals to share their social security numbers, or from denying services or rights because someone has refused to share their social security numbers. As one might expect, there are many exceptions, including, for example, fraud verification, employment or tax purposes, and banking and credit-related activities. An additional exemption is if the individual consents to having his or her SSN acquired (although "consent" is not defined). Violating the provisions of the amendment will carry penalties of $500 per violation, and there is a private right of action. The law currently prohibits companies from putting social security numbers on ID cards, having people transmit SSNs over unencrypted Internet connections, and putting SSNs on forms sent by mail (except in limited situations like forms sent as part of an enrollment process), among other things. It also requires that reasonable steps be taken to make sure that only those employees who have a legitimate/necessary reason are able to access the SSNs, that the confidentiality of the numbers are maintained, and that steps are taken to stop unauthorized access of the numbers.
TIP: This update is a reminder that companies who collect social security numbers should take care to protect the numbers and restrict access to the numbers. New York is not the only state to require this, others include California, Connecticut, Illinois, Maine, New Jersey, Texas, Virginia, as well as several others. Unlike other similar SSN protection statutes, the NY amendment will now require companies to think about when they should (and may legally) collect SSNs in the first place.