LEGAL UPDATE
New York Employers Face Penalties if They Fail to Secure Employee Social Security Numbers
Earlier this year, New York joined the growing list of states to adopt legislation that instructs employers and businesses alike to limit their collection and use of employee or customer Social Security numbers in order to keep this information from being carelessly or intentionally accessed for unlawful purposes.
The new law, like others passed in recent years, is largely in response to the burgeoning problem of identity theft. Although only recognized as a crime since 1998, its incident rate has soared. The Federal Trade Commission (FTC), which began tracking the incidence of identity theft in 1999, reported in its most recent survey that 3.7% of those surveyed were victims of identity theft in 2005, which was equal to 8.3 million U.S. victims.
The New York law, called the Social Security Number Protection Law, specifies what an employer or business can or cannot do with an employee's or customer's Social Security number and includes monetary penalties for those who violate the section. The law prohibits employers from doing the following:
- Intentionally communicating an employee's Social Security number to "the general public or otherwise make [it] available to the general public."
- Printing an employee's Social Security number on any card or tag required to access services or benefits provided by the employer.
- Requiring an employee to transmit his or her Social Security number over the internet unless "the connection is secure or the social security account number is encrypted."
- Requiring an employee to use his or her Social Security number to access an internet website unless "a password or unique personal identification number or other authentication device is also required to access the internet website."
- Printing an employee's Social Security number on any materials to be mailed unless state or federal law requires that this information be on the document.
Although the law provides that employers must take "reasonable measures" to ensure that access to employee Social Security number information only occurs for "legitimate or necessary purpose[s]," it does not describe what those "reasonable measures" consist of. The following is a list of safeguards employers should take under the guise of "reasonable measures":
- Have a written privacy policy (that includes disposal procedures that are consistent with accepted industry practice and satisfy legal requirements).
- Lock up and limit access to employee personal information.
- Limit retention of personal information to only that which is essential.
- Train employees on privacy and document disposal policies.
- Encourage employees to report any possible security breaches.
- Avoid using or disclosing an employee's Social Security number for any purpose other than that required by law or legitimate and necessary business purpose.
- Take proper security precautions when terminating employees who have access to personal information.
Due to the sensitive nature of the information that InfoMart handles on a daily basis, we take security very seriously and implement best practices into every aspect of our work and company culture. We exhibit the highest degree of care when it comes to handling Social Security numbers. With our status as a VeriSign verified business entity, you can be sure that InfoMart's profiles are protected and secure. All electronic data is protected using VeriSign's 128-bit encryption technology, and we employ the latest firewall and router technology to protect against unauthorized access. Our internal system is also equipped to print profiles without visible Social Security numbers.
If you have any questions about InfoMart's data privacy or security policies, please contact your Customer Service Representative or call 770-984-2727 option 2."
(Source: http://www.seyfarth.com)
| 
