On August 14, 2012, the State of New York amended its Social Security Number Protection Law to further protect individuals' social security numbers from unauthorized disclosure. The Social Security Number Protection Law[1] was enacted in 2008 to protect individuals from identity theft. Under the law, a "social security account number" is defined as the number issued by the federal social security administration, and any number derived therefrom, such as the last four digits.[2] Notably, if a social security number is collected, kept in electronic form and properly encrypted, then it is not a "social security account number" within the meaning of the legislation, and the law is not applicable.[3] A goal of the law is to drive the adoption of good information security practices.
The law protects individuals' social security account numbers by prohibiting others, including employers, from disclosing an individual's unencrypted social security number to the general public; printing the social security number on any card or tag required for the individual to access products, services or benefits; requiring an individual to transmit their social security account number over the internet; or printing a social security number on materials that are mailed to the individual, unless required to do so by law.[4] In addition, where any party maintains the social security number of an individual, that party must implement safeguards to prevent unauthorized access to such information, and must take steps to preserve the confidentiality of the social security account number.[5] There is no liability, however, for companies or individuals that disclose another individual's social security number if they show that the violation was unintentional and resulted from a "bona fide error made notwithstanding the maintenance of procedures reasonably adopted to avoid such error."[6] There is no private cause of action under this law, and only the state Attorney General can enforce its provisions.[7] This last point is an important issue in the ongoing privacy law discussion in the United States, as many companies have concerns regarding new class action claims which are being crafted.
On August 14, 2012, New York amended the law to include two new provisions. The first set of new provisions will take effect on November 12, 2012, and will prohibit any parties subject to the law from hiring inmates for any job that would provide the inmate with access to social security account numbers of other individuals.[8]
The second set of provisions, which will have a broader impact, will take effect on December 12, 2012, and will generally prohibit companies and individuals from requiring any other individual to disclose their social security account numbers, unless one of the law's many exceptions applies.[9] In addition, companies and individuals may not refuse services, privileges or rights to any individual because such individual refuses to disclose their social security number.[10] There are, however, numerous exceptions to this very broad rule. For example, individuals may be required to disclose their social security number, and the party requesting the information may refuse benefits to such individual based on his or her refusal to provide a social security account number, where: (1) the individual previously consented to the use of his or her social security account number; (2) the social security account number is required by law; (3) the social security account number is requested in connection with a request for credit, is necessary for a credit transaction, or is in connection with a deposit account or investment, or some other transaction permitted under the Gramm-Leach-Bliley Act; or (4) the social security account number is requested for purposes of employment, including for administration of a claim, benefit or procedure relating to the individual's employment.[11] There are a number of other exceptions, which can be found using the link contained in the endnotes to this posting. The law, again, only applies to unencrypted social security account numbers, as encrypted social security account numbers are not within the meaning of "social security account number," as defined by the law.
Penalties for violation of the law are relatively minimal. The maximum fine for the first violation is limited to $500.[12] A company will be fined a maximum of $1,000 for each violation thereafter.[13] In addition, as with the original statute, penalties may be avoided where the party collecting the information shows that the violation was unintentional and occurred notwithstanding the existence of procedures designed to avoid such violations.[14]
Although there are a significant number of exceptions to the law, the new amendments to the Social Security Number Protection Act do grant more protections to individuals' social security account numbers. These amendments reflect a heightened interest in protecting individuals' personal data and regulating its use, and as such there will likely be further legislation in this area in the future.
Companies should regularly assess their privacy policies and practices, and in this case their human resources data management practices in particular, to ensure that they comply with the minimum standards required by state governments. In addition, companies should keep abreast of proposed data privacy regulations and published guidelines to anticipate likely changes in this dynamic area of the law.