A new law going into effect in New York on January 1, 2008 regulates the way that employers record and display information about their employees. The Social Security Number Protection Law imposes civil liability upon all people and nongovernment entities, including nongovernment employers, who fail to adequately restrict access to their employees’ Social Security numbers.
New York joins a growing number of states, including California, New Jersey and Connecticut, that have enacted such legislation. However, New York’s law is notable for the breadth of its scope: while many states restrict the use of Social Security numbers in their entirety, and others, such as New Jersey, restrict the use of “any four or more consecutive numbers” of a person’s Social Security number, New York’s law goes one step further to restrict use of “any number derived from [a person’s Social Security] number.” The restrictions listed below, then, apply not only to a person’s Social Security number itself, but to any number derived from it (collectively, “SSN”). However, the use of encrypted numbers is permitted.
The Social Security Number Protection Law prohibits the following:
- Intentionally communicating a person’s SSN to the general public;
- Displaying a person’s SSN on an employee ID card or tag;
- Requiring an employee to transmit an SSN over the Internet via an unencrypted connection. However, an employer may ask for an employee’s SSN on a secure connection accompanied by an additional password or authentication tool;
- Sending a person’s SSN to that person through the mail, unless required to do so by law. Additionally, the law affords an exception for administrative documents, including enrollment, amendment or termination papers regarding employee benefits plans. Any SSN sent through the mail under one of these exceptions must be in an envelope, and not printed on a postcard or other enclosure that makes the number visible to someone other than the recipient of the mail.
The law also places a duty upon employers to take steps to limit unauthorized access to SSNs within their organization. While the law allows employers to maintain their employees’ numbers on file for administrative reasons, it calls upon employers to take “reasonable measures” to ensure the confidentiality of those numbers.
Any employer who is found by the attorney general to be in violation of one of the above terms may be subject to significant civil penalties. If the violation involves only one person’s SSN, the maximum penalty is $1,000; however, if the incident involves disclosure of multiple SSNs, the employer may incur a maximum penalty of $100,000. A second violation within an organization increases potential penalties to $5,000 and $250,000, respectively.
However, the statute makes an allowance for those employers who, in good faith, implement policies and procedures to guarantee compliance with the law. No civil penalties will be levied against an employer who “shows, by a preponderance of the evidence, that the violation was not intentional and resulted from a bona fide error made notwithstanding the maintenance of procedures reasonably adopted to avoid such error.” Accordingly, employers who adjust their practices to ensure compliance with the law may decrease their potential exposure to liability in the event that a violation beyond their control occurs.
In an effort to combat the growing frequency of incidents of identity theft, Governor George Pataki signed the Social Security Number Protection Law in 2006. Because of anticipated compliance issues, businesses affected by the new law were given until January 1, 2008, to comply with its mandates, but that deadline is fast approaching. Employers should take steps immediately to guarantee that they are in compliance with the law by the end of 2007.