In October and January, two states are either enacting new legislation or amending existing ones aimed at placing more responsibility on employers to protect the personal information of employees, customers, and others with whom they do business. And for good reason: nearly nine million Americans are victims of identity theft each year, according to recent estimates by the Federal Trade Commission (FTC).

In New York, employers already must protect employees’ Social Security numbers through the existing New York Consumer Communication Records Privacy Act (which became effective January 1, 2008). Commencing January 4, 2009, new measures take effect in New York aimed at strengthening existing privacy protections laws, including measures designed to protect employees’ “personal identifying information” more carefully. Key requirements of the new measures prohibit employers from:

• posting or displaying an employee’s Social Security number,
• visibly printing a Social Security number on any identification badge or card (including a time card) OR electronically encoding or embedding Social Security numbers in such a card,
• placing Social Security numbers in files with open access, and
• communicating an employee’s personal identifying information to the general public.

In this law, “personal identifying information” means an employee’s Social Security number, home address or telephone number, personal e-mail address, Internet identification name or password, last name prior to marriage, and drivers’ license number.

The New York law extends these requirements and prohibitions to public employers as well as private ones. It also places strict limits on filing Social Security numbers in publicly-accessible documents (such as state agency or state court documents), and creates an assistance process for New York residents who are victims of identity theft.

Connecticut
Connecticut’s privacy protection law takes effect sooner and creates broader protections than New York’s law.

Starting October 1, 2008, employers in Connecticut must safeguard the personal information of employees and others from misuse by a third party and “destroy, erase, or make unreadable” personal information on computer files and documents before discarding the files. Connecticut employers and businesses must also develop and publicly display (as on their public website) a privacy protection policy designed to safeguard Social Security numbers collected by the business.

The definition of “personal information” for Connecticut’s law is broader than New York’s. Connecticut’s law defines personal information as “information capable of being associated with a particular individual through one or more identifiers, including, but not limited to a social security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.” However, personal information does not include lawfully available public information.

To comply, employers with operations in Connecticut should train employees to properly handle and dispose of personal information, restrict personal information to only certain employees, and encrypt electronic files containing personal information.

Employers who knowingly or intentionally violate the new laws in New York or Connecticut may be required to pay penalties, so it’s important to know the laws. For more information about these new requirements, see the Client Alerts that will be distributed in September and November (before the new laws take effect), or contact your HR Business Partner.