New York Law Now Requires Specific Procedures for Disposing of Personal Employee Information
Posted: June 14, 2006
New York has joined a growing list of states that require employers to use specific procedures to purge employee records of personal identifying information, such as social security numbers. The "Disposal of Personal Records Law" was signed by Governor George Pataki on June 9 and is intended to assist consumers to protect themselves from the growing threat of identity theft. This law does not affect an employer's record retention requirements under state and federal laws, nor the requirements for record retention when there is pending litigation.
Specifically, the law imposes an obligation on New York employers properly to dispose of records containing personal information through one of the following means: shredding, destruction, modification, or other reasonable action to ensure that no unauthorized person will have access to the personal information. This obligation is broader than what employers are required to do under the federal Fair and Accurate Credit Transactions Act, which applies solely to consumer reports. Employment applications, disciplinary notices, and payroll records containing "personal information" are subject to this disposal requirement. In regard to electronic documents, advice from information technology professionals is necessary to ensure that records are destroyed completely.
The law imposes a civil penalty of up to $10,000 for non-compliance and provides the New York State Attorney General with broad enforcement powers. As a concession to employers, the law provides an affirmative defense to a complaint alleging a violation of the law, if the employer can establish it used due diligence to properly dispose of such records.
The Disposal of Personal Records Law demonstrates a continuing commitment by the New York executive and legislative branches to enact legislation protecting individual personal information. The new law joins the 2005 "New York Information Security Breach Act," which requires businesses to advise New York residents and the New York State Attorney General of breaches of information security systems containing personal information (such as social security numbers). Two other new laws also protect individuals from identity theft. The "Security Freeze Law" allows any consumer to place a "freeze" on his or her consumer report to prevent individuals or entities from obtaining access to the report. Employers using third parties to conduct credit checks on applicants or employees must implement protocols to ensure that the credit reporting agency can "unfreeze" the applicant or employee's credit report. The "Anti-Phishing Act" of 2006 prohibits individuals or entities from using deceptive tactics to solicit personal information through electronic communications.
A number of states recently have passed or have pending legislation addressing privacy of personal information, destruction of personal data, and employer obligations to provide notice of security breaches. These states include, but are not limited to, Arkansas, California, Delaware, Florida, Georgia, Illinois, Indiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, New Jersey, Montana, North Dakota, and Washington.
Jackson Lewis attorneys are available to assist employers in developing the privacy, destruction and notification policies required in the 21st century. At the least, it is strongly recommended that employers cease requesting or listing social security numbers on any document where such usage is not required by law.
