The New York Social Security Number Protection Law (also known as General Business Law Section 399-dd) helps reduce the risk of identity theft by requiring businesses 1 to reduce their use of Social Security numbers (SSNs) in public communications and to strengthen their security for records containing SSNs. Is your business compliant with General Business Law Section 399-dd (GBL 399-dd)? If not, you are risking potential legal action and significant financial liability. You are also risking the goodwill of your customers and employees who expect you to take all reasonable measures to protect their sensitive personal information including their SSNs.
Across the country, individuals and businesses have been victimized by an epidemic of identity theft that claimed nearly 10 million victims last year, an increase of 22% over the previous year. 2 Annual financial losses for individual identify theft victims have reached as high as $5 billion, and business losses have topped $48 billion. 3 In addition to financial losses, individuals may be forced to spend as much as 130 hours to resolve the financial and legal problems created by identity theft4
The SSN is often referred to as the “key to the kingdom” because of its widespread use by businesses to match individuals to their records and to authenticate identity. 5 Unfortunately, this popularity also makes the SSN an irresistible target for identity thieves. In a recent survey, nearly four in ten identity theft (37%) victims reported that their ordeal began with a theft of their SSNs. 6 Your customers and employees hear every day about how stolen SSNs help identity thieves take over bank accounts or open new ones, pose as the victim to buy property, get a job or apply for medical benefits, and create new identities for criminals evading the law.
Like consumers everywhere, your customers and employees are becoming more educated about identity theft and the need to protect their SSNs from this and related crimes.7 They are becoming more cautious in providing their SSNs and careful in protecting their records that contain SSNs. They expect your business to give their SSN the same level of care and concern. If you have not already done so, you can start by ensuring that your business fully complies with GBL 399-dd.
1. WHAT DOES GBL 399-DD REQUIRE?
GBL 399-dd 8 was enacted into law in 2006 to reduce business 9 collection, printing, mailing and display of individual SSNs 10 in order to reduce the risk of identity theft. The Law recognizes the right of businesses to collect, use and release individual SSNs as required by state or federal law, and also to use them for internal verification, fraud investigation, or administrative purposes. However, those rights are subject to certain obligations related to the public communication of and maintenance of records containing SSNs.
Public Communication of SSNs
GBL 399-dd prohibits businesses from doing or requiring individuals to do any of the actions listed below. These prohibitions should be applied to uses of the full nine-digit SSN and to “any number derived from such number.” This includes uses of partial SSNs (e.g., the last four digits only) as well as the full nine-digit number. Under GBL 399-dd:
| BUSINESSES MAY NOT | BUSINESSES MAY NOT REQUIRE AN INDIVIDUAL TO |
| #1: Intentionally communicate or disclose to the general public an individual's SSN. | #1: Transmit a SSN over the internet unless the connection is secure or SSN is encrypted. |
| #2: Print an individual's SSN on any card or tag required for the individual to access products, services, or benefits. | #2: Use a SSN for website access unless a password/unique personal identification number authenticating device also required. |
| #3: Print an individual's SSN, on any materials that are mailed to the individual, unless: (a) the printing is required by a state or federal law, or, (b) is part of an application or enrollment process, or, (c) is required to establish, amend or terminate an account, contract or policy, or, (d) is required to confirm the accuracy of the SSN, and, (for all of the above) the SSN is not publicly visible on the outside or through the window of the mailing envelope or on a postcard. | |
| #4: Encode or embed a SSN in or on a card or document, including, but not limited to, using a bar code, chip, magnetic strip, or other technology, in place of removing the SSN. |
Maintenance of Records Containing SSNs
GBL 399-dd also requires that businesses take reasonable measures to limit access to records containing SSNs to those persons with “a legitimate or necessary purpose” related to the conduct of the business, and to provide security safeguards to preclude unauthorized access and to protect the confidentiality of the SSNs.
2. DOES YOUR BUSINESS NEED TO DO?
Before you can determine what may need to be changed, you must first inventory your current business practices to determine how SSNs are currently being collected, used and stored (including any collection, use and/or storage by third party vendors), and whether all such collection, use and storage can be supported by legal authority and a legitimate business need.
Public Communication of SSNs
Once you know how you are using SSNs, you will need to target any practices that fall into the “prohibition” column in the two charts below. In the charts, the New York State Department of State Division of Consumer Protection offers examples for each prohibition, and guidance for any changes your business may need to make to become fully compliant with GBL 399-dd.
“Businesses May Not” Practices:
| PROHIBITION | EXAMPLES | CPB GUIDANCE |
| #1: Businesses may not intentionally communicate or otherwise make available to the general public the SSN of any individual. | Posting on publicly accessible website, filing of documents available for public inspection. | No public posting of full or partial individual SSNs/no filing of public documents containing SSNs of persons other than the filer unless other person consented to the disclosure or is dependent child. |
| #2: Businesses may not print an individual's SSN on any card or tag required for the individual to access products, services, or benefits. | Using SSN as public ID. | Phase out current ID system. Change to an ID system that uniquely identifies customers without using their SSNs. |
| #3: Businesses may not print an individual's SSN, on any materials that are mailed to the individual, unless one of the exceptions identified in the detailed listings above. If the use is permitted, it must not be publicly visible as explained in #3 above. | Postcards, flyers, letters or other items sent in envelopes through the mail. | Do not include the individual's SSN unless your use fits one of the exceptions identified in #3 above. If the use is permitted, the SSN must not be visible to anyone but the person opening the envelope. No postcards, flyers, printing on the outside of the envelope or visible through the envelope window. |
| #4: Businesses may not encode or embed a SSN in or on a card or document, including, but not limited to, using a bar code, chip, magnetic strip, or other technology, in place of removing the SSN. | Any card or document with embedded or encoded information in or on it. | Phase out current ID system. Change to an ID system that uniquely identifies customers without using their SSNs. |
“Businesses May Not Require an Individual to” Practices:
| PROHIBITION | EXAMPLES | CPB GUIDANCE |
| #1: Businesses may not require an individual to transmit an SSN over the internet unless the connection is secure or SSN is encrypted. | Submission of electronic claim form, transmission of SSN also required for access to website account or record. | In the short term, make page secure (https) or encrypt the SSN. In the long-term, phase-out SSN requirement and move to a different form of identification and authentication that uniquely identifies the individual without using an SSN. |
| #2: Businesses may not require an individual to use a SSN for website access unless a password/unique personal identification number authenticating device also required. | Access to website account or record | In the short term, strengthen authentication by also requiring a password or unique personal identification number (must be private and personal (i.e., a PIN yes, a zip code no). In the long-term, phase-out SSN requirement and move to a different form of identification and authentication that uniquely identifies the individual without using an SSN. |
Maintenance of Records Containing SSNs
GBL 399-dd also requires that businesses take reasonable measures to limit access to records containing SSNs to those persons with “a legitimate or necessary purpose” related to the conduct of the business, and to provide security safeguards to preclude unauthorized access and to protect the confidentiality of the SSNs. You are taking “reasonable measures” if you:
- Create a written security and privacy policy that includes provisions for securing records containing SSNs and limiting employee access to those with a need to know for a specific business purpose. This policy should also prohibit the collection, use and disclosure of SSNs for purposes other than those required by law or to support a legitimate business need.
- Ensure that the “access” provisions of your policy are being followed through proper screening of employees with access to records containing SSNs, periodic training in the proper management of records containing SSNs, regular monitoring of employee access and special security precautions for terminating employees with access.
- Ensure that the “use” provisions of your policy are being followed through periodic training on the proper collection, use and disclosure of SSNs consistent with legal requirements, and institute regular audits of your business handling of SSNs.
- Train employees on the proper disposal of records containing SSNs consistent with New York State GBL 399-h (The New York Disposal of Records Law) and monitor employee compliance.
If you are not yet doing so, you need to immediately begin reducing your business’ use of SSNs and strengthening the security of your records containing SSNs. By doing so you will reduce its risk of legal liability and its risk of suffering financial losses related to customer or employee identify theft. You’ll also gain in goodwill among your customers and employees who see that their risk has been reduced because of your actions. For further information on a full range of business privacy and security issues, please visit the Division’s privacy resources.
- General Business Law Section 399-dd (GBL 399-dd) applies to persons, firms, partnerships, associations and corporations. For this article, these entities are referred to collectively as “businesses.”↑
- http://www.spendonlife.com/guide/2009-identity-theft-statistics ↑
- http://www.privacyrights.org/ar/idtheftsurveys.htm ↑
- http://101-identitytheft.com/ftc_id_theft.htm ↑
- http://realtysecurity.com/blog/2009/06/16/ ↑
- http://www.spendonlife.com/guide/identity-theft-statistics ↑
- See, e.g., the New York State Consumer Protection Board (CPB) identity theft brochure. ↑
- See the Division's Fact Sheet for Business on the New York Social Security Protection Law ↑
- GBL 399-dd applies to persons, firms, partnerships, associations and corporations. This group is referred to collectively above as “businesses.” ↑
- GBL 399-dd also applies to businesses’ collection, use and release of their employees’ SSNs. See also Section 203-d of the New York State Labor Law for additional restrictions related to employees’ SSNs.↑