Recent changes to the New York privacy laws impose stricter standards on employers in collecting, maintaining, protecting and disseminating certain private personal information of their employees. 

PROTECTION OF PERSONAL INFORMATION

The Employee Personal Identifying Information Law(NY Labor Law § 203-d) (effective January, 3, 2009), prohibits employers from:

• Publicly posting or displaying employees’ Social Security numbers;

• Printing Social Security numbers on employees’ badges or identification cards;

• Disseminating employees’ personal identifying information to the public, including:

• • Social Security numbers

  • Home addresses and telephone numbers

  • E-mail addresses

  • Internet usernames or passwords

  • Parents’ surnames or driver’s license number

• Using employees’ Social Security numbers as identification numbers for occupational licensing purposes

The new statute requires employers to institute policies and procedures to safeguard employees’ private information, and to communicate those policies to their workforces, or risk being fined up to $500.

Any employer who fails to institute policies and procedures or to notify employees of the policies is deemed to knowingly violate the statute.

ADDITIONAL PROTECTION OF EMPLOYEES’ SOCIAL SECURITY NUMBERS

The New York Social Security Number Protection Law was enacted in January 2008. (NY General Business Law § 399-dd) and prohibits businesses from:

• Making employees’ Social Security numbers available to the general public;

• Printing social security numbers on any identification pass or card;

• Requiring the employee to use his/her Social Security number over an Internet exchange that is not secure or that is not encrypted;

• Requiring the employee to use his/her Social Security number to access an Internet Web site without also requiring a PIN or other authenticating device; and

• Printing social security numbers on any correspondence mailed to the employee, unless otherwise required by federal or state law

The following additions to the NY Social Security Number Protection Law are effective January 3, 2009:

• Employers are prohibited from encoding or embedding a Social Security number in a record or document by using a bar code, magnetic strip, or other technology; and

• Employers are prohibited from filing publicly a document with any state agency or political subdivision, or in any court that contains a Social Security number unless by consent or as required by other federal or state law

**********

With these new changes, it is vitally important that employers develop, implement, and communicate to employees the company’s policies and procedures for protecting private employee information. Developing a plan as early as possible is the most effective way to avoid penalties and fines and to prevent security breaches before they happen.

Also as a reminder, changes to the New York Disposal of Records Law (NY General Business Law § 399-h) took effect in September 2008. The law requires employers to take certain precautions when disposing of documents which contain sensitive employee information, including:

• Social Security numbers;

• Driver’s license numbers

• Mother’s maiden name;

• Financial services, checking or debit account numbers or codes, ATM codes

Before disposing of the records, employers must:

• Shred the record before disposal;

• Destroy personal information contained in the record; or

• Modify the record to make the personal information unreadable;

• Take action consistent with common industry practices to ensure no unauthorized person will have access to personal information contained in such records

The law applies to persons, businesses, firms, partnerships, associations, and corporations (excluding state or political subdivisions). However, the law does not apply to an individual person unless he or she is conducting business for profit.

The New York State Attorney General has the authority to halt any improper document disposal practices, and employers may be subject to fines up to $5,000 for violating the statute. 

To avoid liability:

• Employers who do currently have a document disposal policy should:

  • Review and update their policies and procedures and communicate any changes to all employees; and

  • Should continue to make diligent efforts to protect personal employee information as much as possible

• Employers who do not currently have an official document disposal policy should:

  • Develop and implement policies and procedures as soon as possible;

  • Communicate the new policies and procedures to all employees; and

  • Ensure that the policy complies with this and other statutory requirements

Related Documents:

• NY Business Guide to Privacy

If you need assistance with any of these new requirements, or have any questions, please do not hesitate to contact a member of our labor and employment Law group.

Darrell S. Gay
darrell.gay@arentfox.com
212.457.5465

Sonya D. Johnson
Johnson.sonya@arentfox.com
212-457-5474