CVB-53-08-00001-P Prohibited Disclosure of Personal Identifying Information  

This rule is being proposed as a consensus rule because, in accordance with State Administrative Procedure Act § 102(11)(b), it implements or confirms to non-discretionary statutory provisions.

Sections 3 and 6 of Chapter 279 of the Laws of 2008 added new sections 96-a to the Public Officers Law and 203-d to the Labor Law, respectively. These new sections relate to the prohibited conduct of sharing all individuals' social security numbers generally and other personal identifying information of employees specifically. Section 96-a of the Public Officers Law is to take effect on January 1, 2010, and section 203-d of the Labor Law is to take effect on January 7, 2009. The Commissioner of the Department of Labor may impose a civil penalty of up to $500 on any employer for any knowing violation of section 203-d of the Labor Law. Failure to have in place a policy to safeguard a violation of section 203-d of the Labor Law, including procedures to notify relevant employees of its provisions, is presumptive evidence of a violation.

Section 96-a of the Public Officers Law reads as follows: § 96-a. Prohibited conduct. 1. Beginning on January first, two thousand ten the state and its political subdivisions shall not do any of the following, unless required by law:

(a) Intentionally communicate to the general public or otherwise make available to the general public in any manner an individual's social security account number. This paragraph shall not apply to any individual intentionally communicating to the general public or otherwise making available to the general public his or her social security account number.

(b) Print an individual's social security account number on any card or tag required for the individual to access products, services or benefits provided by the state and its political subdivisions.

(c) Require an individual to transmit his or her social security account number over the internet, unless the connection is secure or the social security account number is encrypted.

(d) Require an individual to use his or her social security account number to access an internet web site, unless a password or unique personal identification number or other authentication device is also required to access the internet website.

(e) Include an individual's social security account number, except the last four digits thereof, on any materials that are mailed to the individual, or in any electronic mail that is copied to third parties, unless state or federal law requires the social security account number to be on the document to be mailed. Notwithstanding this paragraph, social security account numbers may be included in applications and forms sent by mail, including documents sent as part of an application or enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the social security account number. A social security account number that is permitted to be mailed under this section may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.

(f) Encode or embed a social security number in or on a card or document, including, but not limited to, using a bar code, chip, magnetic strip, or other technology, in place of removing the social security number as required by this section.

(g) Nothing in this section shall prohibit a county clerk or court from making available a document publicly recorded or filed prior to the effective date of this section, provided that if any individual requests redaction of a social security number from a publicly recorded document available to the public online, such number shall be promptly redacted by the county clerk. Nothing in this section shall limit disclosure of criminal history record information currently permitted.

2. As used in this section "social security account number" shall include the nine digit account number issued by the federal social security administration and any number derived therefrom. Such term shall not include any number that has been encrypted.

3. This section does not prevent the collection, use or release of a social security account number as required by state or federal law, or the use of a social security account number for internal verification, fraud investigation or administrative purposes.

Section 203-d of the Labor Law reads as follows: § 203-d. Employee personal identifying information. 1. An employer shall not unless otherwise required by law:

(a) Publicly post or display an employee's social security number;

(b) Visibly print a social security number on any identification badge or card, including any time card;

(c) Place a social security number in files with unrestricted access; or

(d) Communicate an employee's personal identifying information to the general public. For purposes of this section, "personal identifying information" shall include social security number, home address or telephone number, personal electronic mail address, Internet identification name or password, parent's surname prior to marriage, or drivers' license number.

2. A social security number shall not be used as an identification number for purposes of any occupational licensing.

3. The commissioner may impose a civil penalty of up to five hundred dollars on any employer for any knowing violation of this section. It shall be presumptive evidence that a violation of this section was knowing if the employer has not put in place any policies or procedures to safeguard against such violation, including procedures to notify relevant employees of these provisions.

The proposed rule simply mirrors the provisions of these two new sections of law in a new section of 9 NYCRR Part 525. Specifically, the provisions of section 203-d of the Labor Law, require the agency to have in place such a policy. Generally, these provisions are useful for both employees and public alike, so all are made aware of their protections and rights under the laws of New York State.

The New York State Crime Victims Board (the Board) projects there will be no adverse impact on jobs or employment opportunities in the State of New York as a result of this proposed rule change. This proposed rule change simply implements the new statutory requirements of Chapter 279 of the Laws of 2008 as they relate to the prohibited disclosure of social security numbers or personal identifying information. Since nothing in this proposed rule change will create any adverse impacts on jobs or employment opportunities in the state, no further steps were needed to ascertain these facts and none were taken. As apparent from the nature and purpose of this proposed rule change, a full Job Impact Statement is not required and therefore one has not been prepared.