When Social Security Numbers were initially issued in 1936 as part of the New Deal Social Security program, few could foresee that this nine-digit number would evolve beyond its limited purpose to become a universal identifier replete with privacy and identity theft implications. More and more, government agencies and private entities have required the disclosure of individuals’ SSNs to extend their services. While the Privacy Act of 1974 largely addressed the collection and dissemination of SSNs by and among federal government agencies, state law has governed such uses by private entities. This month Governor Andrew Cuomo signed legislation A.8992 to strengthen protection of SSNs by limiting the instances where persons and businesses are allowed to require New Yorkers to provide their SSNs or numbers derived from them. (This is in addition to New York’s SSN confidentiality statute, N.Y. Gen. Bus. Law § 399-dd*4, which is similar to laws in many states.)
A.8992 prohibits individuals and businesses from requiring an individual, absent consent, to disclose or furnish his or her SSN for any purpose in connection with any activity or to refuse any service, privilege or right to an individual because the individual refuses to disclose or furnish his or her SSN. The law does not apply to the state or its political subdivisions. Furthermore, A.8992 carves out several exceptions, including where the SSN is expressly required by federal, state or local law or regulation, or required by a banking institution or authorized insurer. Further exceptions include, for example, where the SSN is required for employment, for internal verification or fraud investigation, or with a request for a credit or credit card transaction initiated by the consumer.
The law is set to take effect 120 days from its enactment, and grants the state attorney general the power to enforce it with civil penalties of up to $500 per violation or up to $1000 per subsequent offense. Judgments in violation of this law can be avoided for unintentional violations resulting from a bona fide error notwithstanding the maintenance of procedures reasonably adopted to avoid such errors. With that in mind, companies should implement written policies and procedures for compliance with this law within the next four months.