On December 14, 2012, New York enacted A.8992-A/S.6608-A (the “SSN Privacy Law”) into law to help minimize identity theft. The SSN Privacy Law is broad reaching – it applies not only to businesses operating in New York but also to entities outside New York that are doing business with entities or individuals located in New York.
Except for certain limited circumstances (described below), the SSN Privacy Law prohibits: (1) requiring an individual to disclose or furnish his or her SSN (as defined below) for any purpose or in connection with any activity; and (2) refusing any service, privilege or right to any individual wholly or in part because such individual refuses to furnish his or her SSN.
The SSN Privacy Law defines “SSN” as the nine-digit number issued by the Social Security Administration and any number derived from such number unless the number (or derivative of the number) is encrypted. In other words, the SSN Privacy Law extends to requests for the unencrypted last four digits of a social security number.
Exceptions to the SSN Privacy Law include without limitation the following:
- An individual consents to the acquisition or use of his or her SSN (it is not yet clear whether this means implied or affirmative consent, but this likely means affirmative consent);
- The SSN is expressly required by a federal, state or local law or regulation;
- The SSN will be used to process a credit card transaction, in connection with a lawful request for a consumer report or investigating a consumer report;
- The SSN is requested by a banking institution or will be used in connection with a deposit account or investment;
- The SSN is required for purposes of employment or claims or benefits relating to employment;
- An authorized insurance company collects the SSN for the purpose of furnishing information to the Centers for Medicare and Medicaid Services;
- The SSN is requested for the following purposes: (1) collecting child or spousal support; (2) determining whether a person has a criminal record; (3) tax compliance; (4) blood or organ donation; or (5) internal verification or fraud investigation.
- The SSN is requested by a governmental law enforcement agency or is used in connection with the enforcement of a court order;
- The SSN is requested by a corporation or individual (1) regulated by the New York State Public Service Commission, the Federal Communications Commission, or the Federal Energy Regulatory Commission; or (2) doing business pursuant to a license or other authorization issued by the New York State Public Service Commission.
The SSN Privacy Law is enforced by the New York State Attorney General, and there is no private right of action. The SSN Privacy Law imposes a fine of note more than $500 per violation for the first offense and not more than $1,000 per violation for the second offense. However, if a business can establish it implemented reasonable corrective measures after the first violation, and the second violation was unintentional, the unintentional errors will not trigger additional penalties.
Businesses operating in New York and businesses outside New York that are doing business with entities or individuals located in New York should review their practices relating to the collection and use of SSNs to confirm they comply with the SSN Privacy Law.
If you have any questions about how to comply with state or federal privacy laws, please contact Helen Christakos at (650) 696-2545 or at hchristakos@carr-mcclellan.com.