New York employers may soon find themselves subject to harsh penalties if they use their employees’ Social Security numbers, or even part of these numbers, as employee identification numbers or for other record keeping purposes.
New York employers may soon find themselves subject to harsh penalties if they use their employees’ Social Security numbers, or even part of these numbers, as employee identification numbers or for other record keeping purposes. Under a law that takes effect January 1, 2008, employers will be prohibited from publishing Social Security numbers and will be required to take steps to ensure the confidentiality of such numbers. Thus, employers who use employee Social Security numbers in their entirety or any part of a Social Security number as an employee identification number (such as on timesheets or ID security badges), or require employees to list the last four digits of such numbers for recordkeeping purposes or require employees to print Social Security numbers on employee identification tags, will be affected by this new law and should take steps now to change their record keeping requirements.
The “NY Social Security Number Protection Law” covers any person, firm, partnership, association or corporation (other than the state or its political subdivisions). Covered entities are prohibited from:
(1) Publishing or making an individual’s Social Security number available to the general public;
(2) Printing an individual’s Social Security number on any card or tag required for the individual to access products, services or benefits provided by the person or company;
(3) Requiring an individual to transmit his or her Social Security number over the Internet unless the connection is secure or the Social Security Number is encrypted;
(4) Requiring an individual to use his or her Social Security number to access an Internet web site unless a password or unique personal identification number is also required to access the site; and
(5) Printing an individual’s Social Security number on any materials mailed to the individual unless state or federal law requires the number to be on the document mailed.
Additionally, the law requires covered entities to take measures to ensure the confidentiality of Social Security numbers in their possession and to ensure that only those with a legitimate business reason have access to the number. Under the law, the term Social Security Number includes the number issued by the federal Social Security Administration and “any number derived from such number.” This term does not include a number that has been encrypted.
The first violation of the law may result in a civil penalty of no more than $1,000 for a single violation and $100,000 for multiple violations. Any subsequent violations may result in a civil penalty of not more than $5,000 for a single violation and $250,000 for multiple violations resulting from a single act or incident. An employer may be able to avoid the imposition of a penalty if it can show that a violation was unintentional and occurred even though the employer maintains procedures reasonably adopted to avoid such errors.
A number of other states have enacted similar laws in an effort to reduce incidents of identity theft. If you have any questions regarding this law please contact the Ford & Harrison attorney with whom you usually work or Kenneth Stein, firstname.lastname@example.org, 212-453-5901 or Elana Gilaad, email@example.com, 212-453-5922, attorneys in our New York office.