CLIENT UPDATE

Putney, Twombly, Hall & Hirson LLP
521 Fifth Avenue
New York, NY 10175
Tel: (212) 682-0020

 

March 4, 2009

New York Law In Effect To Protect Employees From Identity Theft

New York State recently became the latest to join the trend of states adopting laws to protect personal information and to combat the issue of identity theft in the workplace. Effective January 3, 2009, New York Labor Law was amended to add Section 203-d, which substantially restricts employers’ use and dissemination of employee Social Security Numbers (“SSNs”) and other personal identifying information. Under this law, employers must take immediate action to safeguard against the disclosure of employee SSNs.

Specifically, Section 203-d prohibits employers from:

  • Publicly posting or displaying an employee’s SSN;
  • Visibly printing an employee’s SSN on any identification badge or card, including timecard;
  • Placing an employee’s SSN in files to which there is unrestricted access; or
  • Using an employee’s SSN as an identification number for the purposes of any occupational licensing.

Additionally, an employer is prohibited from communicating an employee’s personal identifying information to the general public. “Personal identifying information” includes but is not limited to: SSN; home address or telephone number; internet user ID or password; driver’s license number; or parents’ surnames prior to marriage.

Employers face civil penalties of up to $500 for “knowing violations” of the new law. A “knowing” violation occurs when an employer has failed to implement policies or procedures to safeguard against violations, including procedures to notify employees of these provisions. However, because the law does not define what constitutes a single “violation,” it remains unclear whether an employer’s publication of a single list containing the personal identifying information of several employees would amount to single or multiple violations.

The law is also silent as to whether Section 203-d establishes a private right of action for employees whose personal identifying information has been disseminated by an employer. Moreover, the law does not define “Social Security Number,” leaving open the question of whether employers are restricted from using a number derived from the full SSN, such as the last four digits, for identification purposes or for any other reason. The New York State Department of Labor has not yet issued any regulations to provide guidance regarding these issues.

Labor Law Section 203-d supplements protections in place under New York’s Social Security Number Protection Law (“SSN Protection Law”), which was enacted in January 2008 and amended effective January 3, 2009. As you may recall from our Client Alert in February 2008, the New York General Business Law was amended to prohibit the communication or dissemination of individual SSNs to the general public, including those of customers or employees. The SSN Protection Law allowed employers to use SSNs in certain circumstances, provided the SSNs were encoded or embedded in code in documents or cards. The Senate bill enacting Labor Law Section 203-d amended the SSN Protection Law to require the removal of even embedded or encoded SSNs. The law also supplements the protections offered by the “Disposal of Personal Information Law” which was enacted in 2006 and generally restricts inadvertent disclosure of SSN when documents are discarded. For more information on the Disposal of Personal Information Law and the Social Security Number Protection Law, please see our February 28, 2008 Client Alert available on our website, www.putneylaw.com/clients_updates.html.

Recommendations for Employers

Despite the few remaining ambiguities in Section 203-d, employers should take steps now to ensure compliance and to minimize potential exposure to liability, including the following:

  • Implement and distribute a written policy incorporating the new privacy protection requirements.
  • Advise employees, especially those with access to “personal identifying information,” that they are forbidden from communicating that information to the public.
  • Limit access to “personal identifying information” to those employees whose jobs require access to that information.
  • Develop uniform standards for managing the threat of identity theft and develop a plan for responding to an identity theft situation.
  • Ensure that in disposing of personnel files and other documents that personal identifying information is not disclosed.

We are available to assist you in preparing a written privacy protection policy in compliance with Labor Law Section 203-d. If you should have any questions regarding the requirements of the new law, please contact us.