New York has become the latest state to join the growing trend of states passing laws aimed at protecting personal information. With the passage of Senate Bill 8376 (“SB 8376”), New York has opted to push for broader protections for employees by requiring employers to take affirmative steps to safeguard a broad range of personal identifying information including Social Security numbers.
Restricted Activities relating to Employee Personal Identifying Information
Beginning on January 3, 2009, SB 8376 will amend Section 203-d of the New York Labor Laws to require employers to prevent unlawful disclosures of employee “personal identifying information.” The personal identifying information may not be posted, displayed, or otherwise communicated to the general public.
The definition of employee personal identifying information under New York law includes but is not limited to the following:
New York’s statute takes a markedly inclusive approach to employee privacy protection by covering a broad class of personal identifying information, where many comparable state statutes only restrict the use and disclosure of employees’ SSNs.
Employers face penalties of $500 for “knowing violations” of the new law. It remains unclear whether this penalty would be applied per violation, or per violating event. Notably, a “knowing” violation occurs when an employer fails to implement policies or procedures to safeguard against violations, including procedures to notify employees of these provisions. This places the burden of compliance, for the purposes of enforcing the statute, on the employer.
Restrictions Relating to Social Security Numbers
In addition to limiting the public disclosure of employee personal identifying information, the New York statute further limits what an employer may do with Social Security numbers. Employers are prohibited from printing SSNs on employee identification materials, placing them in files with unrestricted access, or using them as identification numbers for occupational licensing purposes.
SB 8376 also amends Section 399-dd of the New York General Business Laws, which prevents public communication or dissemination of individual Social Security numbers, including those of customers or employees. As amended, this section now restricts the practice of encoding or embedding individual SSNs into documents or cards in lieu of removing them outright as required by earlier provisions of Section 399-dd. In addition, Section 399-dd now prohibits filing a document that will be available for public inspection which contains an individual SSN absent that individual’s consent, a court order, or a contrary federal or state law.
At least thirty states have adopted laws restricting the collection, use, or disclosure of personal identifying information, most often SSNs. New York’s SB 8376 may be part of the trend to require protection of a broader range of personal information and more specific affirmative steps by employers to prevent unauthorized use or dissemination of personal identifying information. Connecticut, Massachusetts, Michigan, Nevada, New Mexico, and Texas have each passed laws that either protect a broader set of personal information or require specific steps to protect personal information.
Michigan’s Social Security Number Privacy Act, which became effective in March 2005, was the first statute in the nation requiring employers to adopt a policy to protect the confidentiality of employee SSNs. The statute lays out five requirements for such a policy, namely that it: (1) maintain SSN confidentiality; (2) prevent the unlawful disclosure of SSNs; (3) limit access to records containing SSNs; (4) establish a document destruction protocol; and (5) impose penalties upon individuals who violate the statute. This basic framework has since been replicated across other states.
Connecticut’s Act on the Confidentiality of Social Security Numbers, which took effect in October 2008, requires any employer that does business in Connecticut to adopt measures to safeguard SSNs and other personal information in its possession or control. As in Michigan, employers that collect SSNs in the course of business must both develop and publish or publicly display a privacy protection policy that limits access to, and prevents unlawful disclosure of, SSNs. Similarly, personal information contained in any records must be destroyed, erased, or rendered unreadable prior to the records’ disposal. The Connecticut statute gives a more expansive definition of personal information, including any “information capable of being associated with a particular individual through one or more identifiers.” Like New York’s law, it penalizes employers who intentionally do not comply with the statute’s terms.
Beginning in January 2009, companies that own, license, store, or maintain personal information concerning Massachusetts residents will be subject to new regulations to prevent its unauthorized access or disclosure. Again, the provisions define personal information to include not just SSNs but also: state identification and driver’s license numbers; credit card, debit card, and financial account numbers; and related security codes, access codes, and passwords. These regulations impose perhaps the most stringent parameters on employer data protection programs thus far. Most notably, they mandate a written data security program, require that all service providers certify compliance with the regulations, impose collection and use limitations, and require the encryption of all personal information about any Massachusetts resident stored on any portable electronic device.
Other states have elected to implement more “public” requirements. One such example is New Mexico, which has focused on preventing the unlawful disclosure of customer SSNs by companies, rather than protecting personal information of employees. Like Michigan’s, though, New Mexico’s statute calls on employers to implement an internal policy that will “hold employees responsible” for the unauthorized release of customer SSNs.
Based on the recent legislative activity in this area, employers can expect future state laws to expand the scope of protection across a broader range of personal information. In addition, states will likely continue to rely on internal policing of the collection, retention, and disposal of personal information by employers, while directing enforcement measures toward non-compliance with statutory requirements at the company level, such as the failure to implement appropriate safeguards, rather than at individual acts of improper disclosure.
Employers with employees in New York should review their current practices with regard to personal identifying information and assess their compliance with the new rules concerning its collection, retention, and dissemination under Labor Law Section 203-d. At a minimum, employers must now develop a policy explaining that employees should not publicly disclose personally identifying information about another employee to the general public. This policy should be promulgated in an employee handbook or confidentiality agreement. In addition, an employer with New York employees would be well served by adopting the following related practices: