New York Enacts Broad-Reaching Law Limiting the Collection of Social Security Numbers


On December 14, 2012, New York enacted A.8992-A/S.6608-A (the “SSN Privacy Law”) into law to help minimize identity theft.  The SSN Privacy Law is broad reaching – it applies not only to businesses operating in New York but also to entities outside New York that are doing business with entities or individuals located in New York.

Except for certain limited circumstances (described below), the SSN Privacy Law prohibits:  (1) requiring an individual to disclose or furnish his or her SSN (as defined below) for any purpose or in connection with any activity; and (2) refusing any service, privilege or right to any individual wholly or in part because such individual refuses to furnish his or her SSN.

The SSN Privacy Law defines “SSN” as the nine-digit number issued by the Social Security Administration and any number derived from such number unless the number (or derivative of the number) is encrypted.   In other words, the SSN Privacy Law extends to requests for the unencrypted last four digits of a social security number.

Exceptions to the SSN Privacy Law include without limitation the following:

  • An individual consents to the acquisition or use of his or her SSN (it is not yet clear whether this means implied or affirmative consent, but this likely means affirmative consent);
  • The SSN is expressly required by a federal, state or local law or regulation;
  • The SSN will be used to process a credit card transaction, in connection with a lawful request for a consumer report or investigating a consumer report;
  • The SSN is requested by a banking institution or will be used in connection with a deposit account or investment;
  • The SSN is required for purposes of employment or claims or benefits relating to employment;
  • An authorized insurance company collects the SSN for the purpose of furnishing information to the Centers for Medicare and Medicaid Services;
  • The SSN is requested for the following purposes:  (1) collecting child or spousal support; (2) determining whether a person has a criminal record; (3) tax compliance; (4) blood or organ donation; or (5) internal verification or fraud investigation.
  • The SSN is requested by a governmental law enforcement agency or is used in connection with the enforcement of a court order;
  • The SSN is requested by a corporation or individual (1) regulated by the New York State Public Service Commission, the Federal Communications Commission, or the Federal Energy Regulatory Commission; or (2) doing business pursuant to a license or other authorization issued by the New York State Public Service Commission.

The SSN Privacy Law is enforced by the New York State Attorney General, and there is no private right of action.  The SSN Privacy Law imposes a fine of note more than $500 per violation for the first offense and not more than $1,000 per violation for the second offense.  However, if a business can establish it implemented reasonable corrective measures after the first violation, and the second violation was unintentional, the unintentional errors will not trigger additional penalties.

Businesses operating in New York and businesses outside New York that are doing business with entities or individuals located in New York should review their practices relating to the collection and use of SSNs to confirm they comply with the SSN Privacy Law.

If you have any questions about how to comply with state or federal privacy laws, please contact Helen Christakos at (650) 696-2545 or at

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Carr McClellan P.C. | Attorney Advertising

Written by:


Carr McClellan P.C. on:

JD Supra Readers' Choice 2016 Awards
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.