New York has joined New Jersey and Connecticut in enacting legislation regarding the manner in which employers record and display information about their employees. The law, which was passed in September 2006, took effect January 1, 2008, and failure to comply may lead to harsh penalties. The law applies to all nongovernmental bodies, including individuals, corporations, and partnerships. The legislation restricts the use and communication of Social Security numbers, or any number derived from an individual’s Social Security number, in order to maintain their confidentiality and make it more difficult for criminals to acquire the nine-digit number that uniquely identifies almost all U.S. citizens. Accordingly, the law will affect those businesses that currently use only the last four digits of a Social Security number.
Generally, the statute regulates two activities: (1) the communication of Social Security numbers; and (2) the maintenance of records containing Social Security numbers. In order to minimize the danger of interception of this sensitive information, the law regulates five areas of communication:
(i) It is impermissible to communicate an individual’s Social Security number, or partial number, to the public;
(ii) It is impermissible to make the access of services, benefits or products contingent on the use of access cards or tags containing all or part of an individual’s Social Security number, including health care access cards and building passes;
(iii) It is impermissible to require an individual to transmit all or part of his/her Social Security number over the internet unless it is sent over a secure encrypted connection;
(iv) It is impermissible to require the use of all or part of an individual’s Social Security number for authentication purposes for internet access or access to a web site; and,
(v) It is generally impermissible to include all or part of an individual’s Social Security number on correspondence sent through the mail, unless it falls within the enumerated exceptions, including administrative documents sent in connection with employee benefits plans. In the event that a communication falls within the exceptions, it must be sent through the mail in an envelope through which the number cannot be viewed. Postcards containing all or part of an individual’s Social Security number are prohibited.
The New York Social Security Number Protection Law requires companies to adopt “reasonable measures” to limit access to Social Security numbers in their possession. Companies must store Social Security numbers in a manner designed to preclude unauthorized access and to ensure confidentiality.
The consequences of violating the law are significant. First-time violators face a penalty of $1,000 per violation, up to a maximum of $100,000 for multiple violations resulting from a single incident, such as when a hacker gains access to multiple Social Security numbers at once. Second-time violators face penalties of $5,000 per violation, with a maximum of $250,000 for multiple violations resulting from a single incident. Imposition of these penalties can occur even if the individual whose Social Security number was compromised did not suffer personal harm.