Below I briefly review New York’s security breach law and other relevant privacy/security law provisions which are sometimes not addressed in a corporation’s privacy and security policies (but should be). I have also referenced and reviewed New York’s guidance on business best privacy and security practices. There are three basic areas of inquiry: privacy law pertaining to the protection of confidential information that requires specific actions with respect to specific identifiers (e.g. SSN, driver’s license number, etc.); an employer’s obligations to its employees, which include affirmative privacy obligations; and New York’s version of the security breach notification laws currently found in 45 states. The New York Consumer Protection Board (“CPB”) is New York’s key agency responsible for protecting the residents of New York by “publicizing unscrupulous and questionable business practices; conducting investigations and hearings; researching issues; developing legislation and creating consumer education programs and materials.” The CPB has released guidance (New York’s Business Guide to Privacy) that provides an excellent summary of New York State privacy and security laws. Most actions brought under the discussed statutes must be brought by the State Attorney General. I have discussed HIPAA and other federal laws (including the new HITECH Act) in other blog entries.
NY Security Breach Law
(Security Breach Notification Act, § 899-aa)
Acquisition-based trigger: the question is whether the information has been materially compromised, as opposed to the risk-based approach found in the HITECH Act and in many other states’ security breach reporting statutes.
New York’s security breach reporting law itself imposes no specific safeguard (pre-breach) security measures, but other affirmative duties may exist under other New York laws.
Personal information in New York consists of any information in combination with any one or more of the following data elements:
1. Social security number;
2. Driver’s license number or non-driver identification card number; or
3. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
“Private information” does not include publicly
New York requires notice to consumer reporting agencies where more than 5,000 persons are affected.
In all instances New York also requires notice to the New York Attorney General, Consumer Protection Board, and State Office of Cyber Security and Critical Infrastructure.
New York Social Security Number Protection Law (effective January 1, 2008)
(New York SSN Protection Act, General Business Law § 399-dd)
Other states that have enacted legislation regulating the use of SSNs include Arizona, Arkansas, California, Colorado, Connecticut, Georgia, Hawaii, Illinois, Kansas, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Nebraska, New Jersey, New Mexico, North Carolina, Oklahoma, Oregon, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont and Virginia.[1] New York’s law differs significantly from those of many other states; in fact, the scope and intent of these laws vary widely.
The Social Security Number Protection Law prohibits businesses from:
1. Making a Social Security number available to the general public whether intentionally or not;
2. Printing Social Security numbers on any card or tag required for an individual to access products, services, or benefits provided by the company;
3. Requiring an individual to transmit his/her Social Security number over the Internet, unless the connection is secure or the number is encrypted;
4. Requiring an individual to use his/her Social Security number to access an Internet website, unless a password, PIN, or other type of authenticating device is also required for the individual to access the website; and
5. Printing an individual’s Social Security number on any materials that are mailed to the individual, unless a State or federal law requires the number to be on the document being mailed.
The following prohibitions, under the Social Security Number Protection Law, became effective January 3, 2009:
1. Encoding or embedding a Social Security number in or on a card or document, including but not limited to, using a bar code, magnetic strip, or other technology, in place of removing the Social Security number; and
2. Filing any document available for public inspection with any State agency, political subdivision, or in any court that contains a Social Security account number of any other person, unless such other person is a dependent child or has consented to such filing, except as required by federal or State law or regulation, or by court rule.
Additionally, the law provides that any covered individual or entity that possesses Social Security numbers must adopt reasonable safeguards to limit access to the Social Security numbers. Each covered individual or entity must provide safeguards “necessary” or “appropriate” to preclude unauthorized access and to protect the confidentiality of the numbers.
The first violation of the law may result in a civil penalty of no more than $1,000 for a single violation and $100,000 for multiple violations. Any subsequent violation may result in a civil penalty of no more than $5,000 for a single violation and $250,000 for multiple violations.
New York General Business Law Section.
The New York Employee Personal Identifying Law became effective January 3, 2009. This law requires the creation of policies and procedures to prevent the prohibited practices outlined below, as well as employee notification of these policies and procedures.
Employers are prohibited from the following actions:
1. Publicly posting an employee’s Social Security number;
2. Visibly printing a Social Security number on any identification badge or card, including any time cards;
3. Placing a Social Security number in files with unrestricted access; and
4. Communicating an employee’s personal identifying information to the general public. Personal identifying information is defined as a Social Security number, home address or telephone number, e-mail address, Internet identification name or password, parent’s surname prior to marriage, or driver’s license number.
New York Disposal of Records Law (NY General Business Law § 399-h) (effective September 2008)
The updated New York Disposal of Records law requires employers to take certain precautions when disposing of documents which contain sensitive employee information, including:
1. Social Security numbers;
2. Driver’s license numbers;
3. Mother’s maiden name; and
4. Financial services, checking or debit account numbers or codes, and ATM codes.
The New York State Attorney General has the authority to halt any improper document disposal practices, and employers may be subject to fines up to $5,000 for violating the statute.
New York Criminal Computer Crime Penal Code
New York also has a criminal computer crime statute (NY Penal Law, Article 156 et seq.) that does not provide for a private right of action:
- Knowing or intentional unauthorized use of a computer is a class A misdemeanor; computer tampering in the fourth degree is a class A misdemeanor;
- Computer tampering in the third degree is a class E felony; computer tampering in the second degree is a class D felony; computer tampering in the first degree is a class C felony;
- Unlawful duplication of computer related material is a class E felony;
- Criminal possession of computer related material is a class E felony.
[1] Alaska (A.S. 45.48.400); Arkansas (Ark. Code Ann. § 4-86-107 (2005)); Arizona (Ariz. Rev. Stat. § 44-1373 (2004)); Colorado (Colo. Rev. Stat. § 6-1-715 (2006)); Connecticut (Conn. Gen. Stat. § 42-470 (2003)); Georgia (Ga. Code Ann. § 10-1-393.8 (2006)); Hawaii (Haw. Rev. Stat. § 487J-2 (2006)); Illinois (815 Ill. Comp. Stat. 505/2QQ (2004)); Maryland (Md. Code Ann., Com. Law § 14-3301 et seq. (2005)); Michigan (Mich. Comp. Laws § 445.81 et seq. (2004)); Minnesota (Minn. Stat. § 325E.59 (2005)); Missouri (Mo. Rev. Stat. § 407.1355 (2003)); New Jersey (N.J. Stat. Ann. § 56:8-164 (West 2005)); New Mexico (N.M. Stat. Ann. § 57-12B-4 (2005)); New York (N.Y. Gen. Bus. Law § 399-dd (2006)); North Carolina (N.C. Gen. Stat. § 75-62 (2005)); Oklahoma (Okla. Stat. tit. 40, § 173.1 (2004)); Pennsylvania (74 Pa. Stat. Ann. § 201 (West 2006)); Rhode Island (R.I. Gen. Laws § 6-48-8 (2006)); South Carolina (S.C. Code § 37-20-180 (2008)); Texas (Tex. Bus. & Com. Code Ann. § 35.58 (2003)); Utah (Utah Code Ann. § 31A-21-110 (2004)); and Virginia (Va. Code Ann. § 59.1-443.2 (2005)).