New York Law Limits Use and Disclosure of Employees' Personal Identifying Information

12/3/2008
Client Alert

New York has become the latest state to join the growing trend of states passing laws aimed at protecting personal information.  With the passage of Senate Bill 8376 (“SB 8376”), New York has opted to push for broader protections for employees by requiring employers to take affirmative steps to safeguard a broad range of personal identifying information including Social Security numbers. 

Restricted Activities relating to Employee Personal Identifying Information

Beginning on January 3, 2009, SB 8376 will amend Section 203-d of the New York Labor Laws to require employers to prevent unlawful disclosures of employee “personal identifying information.”[1]  The personal identifying information may not be posted, displayed, or otherwise communicated to the general public.[2] 

The definition of employee personal identifying information under New York law includes but is not limited to the following:[3]

  • Social Security numbers (“SSNs”)
  • Home address or telephone numbers
  • Personal e-mail addresses
  • Internet user IDs and passwords
  • Driver’s license numbers
  • Parents’ last names prior to marriage

New York’s statute takes a markedly inclusive approach to employee privacy protection by covering a broad class of personal identifying information, where many comparable state statutes only restrict the use and disclosure of employees’ SSNs.[4]

Employers face penalties of $500 for “knowing violations” of the new law.[5]  It remains unclear whether this penalty would be applied per violation, or per violating event.[6]  Notably, a “knowing” violation occurs when an employer fails to implement policies or procedures to safeguard against violations, including procedures to notify employees of these provisions.[7]  This places the burden of compliance, for the purposes of enforcing the statute, on the employer. 

Restrictions Relating to Social Security Numbers

In addition to limiting the public disclosure of employee personal identifying information, the New York statute further limits what an employer may do with Social Security numbers.  Employers are prohibited from printing SSNs on employee identification materials, placing them in files with unrestricted access, or using them as identification numbers for occupational licensing purposes.[8] 

SB 8376 also amends Section 399-dd of the New York General Business Laws, which prevents public communication or dissemination of individual Social Security numbers, including those of customers or employees.  As amended, this section now restricts the practice of encoding or embedding individual SSNs into documents or cards in lieu of removing them outright as required by earlier provisions of Section 399-dd.  In addition, Section 399-dd now prohibits filing a document that will be available for public inspection which contains an individual SSN absent that individual’s consent, a court order, or a contrary federal or state law.  

National Trends

At least thirty states have adopted laws restricting the collection, use, or disclosure of personal identifying information, most often SSNs.[9], [10]  New York’s SB 8376 may be part of the trend to require protection of a broader range of personal information and more specific affirmative steps by employers to prevent unauthorized use or dissemination of personal identifying information.  Connecticut, Massachusetts, Michigan, Nevada, New Mexico, and Texas have each passed laws that either protect a broader set of personal information or require specific steps to protect personal information.

Michigan’s Social Security Number Privacy Act, which became effective in March 2005, was the first statute in the nation requiring employers to adopt a policy to protect the confidentiality of employee SSNs.[11]  The statute lays out five requirements for such a policy, namely that it: (1) maintain SSN confidentiality; (2) prevent the unlawful disclosure of SSNs; (3) limit access to records containing SSNs; (4) establish a document destruction protocol; and (5) impose penalties upon individuals who violate the statute.  This basic framework has since been replicated across other states.

Connecticut’s Act on the Confidentiality of Social Security Numbers, which took effect in October 2008, requires any employer that does business in Connecticut to adopt measures to safeguard SSNs and other personal information in its possession or control.[12]  As in Michigan, employers that collect SSNs in the course of business must both develop and publish or publicly display a privacy protection policy that limits access to, and prevents unlawful disclosure of, SSNs.[13]  Similarly, personal information contained in any records must be destroyed, erased, or rendered unreadable prior to the records’ disposal.  The Connecticut statute gives a more expansive definition of personal information, including any “information capable of being associated with a particular individual through one or more identifiers.”[14]  Like New York’s law, it penalizes employers who intentionally do not comply with the statute’s terms. 

Beginning in January 2009, companies that own, license, store, or maintain personal information concerning Massachusetts residents will be subject to new regulations to prevent its unauthorized access or disclosure.[15]  Again, the provisions define personal information to include not just SSNs but also: state identification and driver’s license numbers; credit card, debit card, and financial account numbers; and related security codes, access codes, and passwords.[16]  These regulations impose perhaps the most stringent requirements on employer data protection programs thus far, most notably mandating a written data security program that requires all service providers to certify compliance with the regulations, imposes collection and use limitations, and requires the encryption of all personal information about any Massachusetts resident stored on any portable electronic device.[17] 

Other states have elected to implement more “public” requirements.  One such example is New Mexico, which has focused on preventing the unlawful disclosure of customer SSNs by companies, rather than protecting personal information of employees.  Like Michigan’s, though, New Mexico’s statute calls on employers to implement an internal policy that will “hold employees responsible” for the unauthorized release of customer SSNs.[18] 

Based on the recent legislative activity in this area, employers can expect future state laws to expand the scope of protection across a broader range of personal information.  In addition, states will likely continue to rely on internal policing of the collection, retention, and disposal of personal information by employers, while directing enforcement measures toward non-compliance with statutory requirements at the company level, such as the failure to implement appropriate safeguards, rather than at individual acts of improper disclosure. 

Practical Implications

Employers with employees in New York should review their current practices with regard to personal identifying information and assess their compliance with the new rules concerning its collection, retention, and dissemination under Labor Law Section 203-d.  At a minimum, employers must now develop a policy explaining that employees should not publicly disclose personally identifying information about another employee to the general public.  This policy should be promulgated in an employee handbook or confidentiality agreement.  In addition, an employer with New York employees would be well served by adopting the following related practices:

  • Expressing in its policies a commitment to safeguard confidentiality of personal identifying information.
  • Identifying in its policies relevant restrictive measures and prohibitions on use and disclosure of personal identifying information.
  • Reviewing existing policies with, and clearly articulating standards to, managers and employees who collect or access personal identifying information, such as human resources, recruiting, benefits, and IT personnel.
  • Limiting internal access to any files or records containing employee SSNs or other sensitive personal identifying information.

Footnotes

[1] N.Y. Lab. Law. § 203-d(1) (effective January 3, 2009).
[2] N.Y. Lab. Law. § 203-d(1)(A), (D).
[3] N.Y. Lab. Law. § 203-d(1)(D).
[4] 2008 Ct. ALS 167; Mich. Comp. Laws Ann. § 445.84; N.M. Stat. Ann. § 57-12B-3.
[5] N.Y. Lab. Law. § 203-d(3).
[6] A comparable state statute that sets civil penalties of $500 imposes the penalty on a per-violation basis, with a limit on the total penalties stemming from a single event.  See 2008 Ct. ALS 167 § 1(e). 
[7] N.Y. Lab. Law. § 203-d(3).
[8] N.Y. Lab. Law. § 203-d(1)(B), (C); (2).
[9] States and territories that have enacted legislation regulating the use of SSNs include Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Georgia, Hawaii, Idaho, Illinois, Kansas, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Nebraska, New Jersey, New Mexico, New York, North Carolina, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, and Puerto Rico.  Although most of these state statutes generally apply to persons doing business in the state, some state laws, such as the Oklahoma and Nebraska law, apply specifically in the employment context.  These state statutes have a range of effective dates.
[10] For further information on state restrictions on the collection, use, and disclosure of Social Security numbers generally, see State Statutes Restricting or Prohibiting the Use of Social Security Numbers, Morrison & Foerster Legal Update (Nov. 8, 2007).
[11] Mich. Comp. Laws Ann. § 445.84. 
[12] 2008 Ct. ALS 167.  For more information about Connecticut’s Act, see New Connecticut Privacy Law Imposes Up to $500,000 in Civil Penalties for Misuse of Personal Information, Morrison & Foerster Legal Update (June 19, 2008).
[13] 2008 Ct. ALS 167 § 1(b).
[14] 2008 Ct. ALS 167 § 1(c).
[15] Mass. Gen. Laws ch. 93H § 2; 201 Mass. Code Regs. 17.01-04.  For additional information on the Massachusetts regulations, see New Massachusetts Regulation Requires Encryption of Portable Devices and Comprehensive Data Security Programs, Morrison & Foerster Legal Update (Sept. 23, 2008). 
[16] 201 Mass. Code Regs. 17.02.
[17] 201 Mass. Code Regs. 17.04(5).
[18] N.M. Stat. Ann. § 57-12B-3(D)(2). 