Putney, Twombly, Hall & Hirson LLP
521 Fifth Avenue
New York, NY 10175
Tel: (212) 682-0020


February 28, 2008

Social Security Number Protection Law

New York law now forbids employers from publishing employees' social security numbers in their possession and requires employers to take affirmative steps to help preserve confidentiality.The "Social Security Number Protection Law" (General Business Law ¤399-dd) prohibits the following:

  • Intentionally communicating or otherwise making available a person's social security number to the general public.
  • Displaying a person's social security number on an employee ID card or tag required for the individual to access products, services or benefits provided by the person, firm, partnership, association or corporation.
  • Requiring an employee to transmit his or her social security number over the Internet, unless the connection is secure or the social security number is encrypted.
  • Requiring an employee to use his or her social security number to access an internet web site, unless a password or unique personal identification number or other authentication device is also required to access the internet website.
  • Sending a person's social security number to that person through the mail, unless required to do so by law.

The law also requires that employers take affirmative, reasonable measures to ensure that "no officer or employee has access to such number for any purpose other than for a legitimate or necessary purpose related to the conduct of such business or trade and provide safeguards necessary or appropriate to preclude unauthorized access to the social security account number and to protect the confidentiality of such number." This requirement includes the need for any employer to protect against inadvertent disclosure whenever employees' social security numbers are transmitted by mail or electronic means. Finally, employers are required to take "reasonable measures" to ensure the confidentiality of the numbers.

The "Disposal of Personal Records Law," enacted on December 6, 2006, also protects personal and confidential information by mandating certain procedures before disposal of records.The law applies to "any natural person, or agent or employee of such person that is conducting a business for profit." (Emphasis added.) The statute requires that businesses properly dispose of records that contain "personal identifying information," including social security numbers.Under the law, a business must do one of the following before disposing of a record containing personal identifying information: shred the document, destroy the personal identifying information, modify the record to make the information unreadable, or take action consistent with commonly accepted industry practices to safeguard personal information.