Asking for Your Digits: A Bill to Protect New Yorkers' Privacy


[author: Chandi Abeygunawardana]

When Social Security Numbers were initially issued in 1936 as part of the New Deal Social Security program, few could foresee that this nine digit number would evolve beyond its limited purpose to become a universal identifier replete with privacy and identity theft implications. More and more, government agencies and private entities have required the disclosure of individuals SSNs to extend their services. While the Privacy Act of 1974 largely addressed the collection and dissemination of SSNs by and among federal government agencies, state law has governed such uses by private entities. This month Governor Andrew Cuomo signed legislation A.8992 to strengthen protection of SSNs by limiting the instances where persons and businesses are allowed to require New Yorkers to provide their SSNs or numbers derived from them. (This is in addition to New York’s SSN confidentiality statute, N.Y. Gen. Bus. Law § 399-dd*4, which is similar to laws in many states.)

A.8992 prohibits individuals and businesses from requiring an individual, absent consent, to disclose or furnish his or her SSN for any purpose in connection with any activity or to refuse any service, privilege or right to an individual because the individual refuses to disclose or furnish his or her SSN. The law does not apply to the state or its political subdivisions. Furthermore, A.8992 carves out several exceptions, including where the SSN is expressly required by federal state or local law or regulation, or required by a banking institution or authorized insurer. Further exceptions include for example where the SSN is required for employment, for internal verification or fraud investigation, or with a request for a credit or credit card transaction initiated by the consumer.

The law is set to take effect 120 days from its enactment, and grants the state attorney general the power to enforce it with civil penalties of up to $500 per violation or up to $1000 per subsequent offense. Judgments in violation of this law can be avoided for unintentional violations resulting from a bona fide error notwithstanding the maintenance of procedures reasonably adopted to avoid such errors With that in mind, companies should implement written policies and procedures for compliance with this law within the next four months.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer - Privacy & Data Security | Attorney Advertising

Written by:


Proskauer - Privacy & Data Security on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.