New Law Impacts Private Sector Employers' Ability to Request Social Security Numbers of Job Applicants
A New York State law that went into effect on December 12, 2012, prohibits individuals and private sector entities (including non-governmental employers) from requiring anyone to disclose their unencrypted social security account numbers, unless one of the law's many exceptions applies. Moreover, an employer may not discriminate against any such individual for refusing to disclose his/her social security number (SSN).
Among the most common exceptions to this new rule are:
The individual consents to the acquisition or use of his or her SSN.
The SSN is expressly required by federal, state, or local law or regulation.
The SSN is to be used for internal verification or fraud investigation.
The SSN is requested in connection with a request for credit or a credit transaction initiated by the consumer or in connection with a lawful request for a consumer report or investigative consumer report (e.g., a background check performed by a third-party in accordance with the provisions of the Fair Credit Reporting Act).
The SSN is requested for purposes of tax compliance.
There is also an exception for when the SSN is required for “purposes of employment.” However, the law gives specific examples of permissible purposes including “in the course of the administration of a claim, benefit, or procedure related to the individual’s employment by the person, including the individual’s termination from employment, retirement from employment, injury suffered during the course of employment, or to check on an unemployment insurance claim of the individual.” Noticeably absent from this list is requiring SSNs on employment applications. Thus, it appears that employers will need to take a different approach toward obtaining a job applicant’s SSN than simply demanding it on an application form.
As noted above, the law only applies to unencrypted SSNs. Accordingly, employers can avoid this law entirely by providing for the encryption of SSNs requested of job applicants (and employees). Such an approach would accomplish at least one of the goals of this new law, i.e., to encourage companies to implement and maintain greater data security measures when dealing with SSNs.
Another way to avoid possible violations of the law would be to obtain the applicant’s (or employee’s) consent to provide your company with the needed SSN. Many employers already include a statement on their job applications when they ask for SSNs indicating to the applicant that providing the prospective employer with the SSN is purely voluntary. With the passage of this new law, it may be prudent to include a more detailed consent form with any request for an individual’s SSN. Should you need assistance in drafting such a consent form, please feel free to contact our office.
A violation of this new law carries a maximum fine of $500 for the first violation and $1,000 for each subsequent violation. The law provides a defense for employers where they can show that the violation was unintentional and occurred notwithstanding the existence of procedures designed to avoid such violations.
To take advantage of this defense, employers should review their privacy policies and practices -- and in particular their data management practices -- to make sure that they are designed to avoid violations of this law’s minimum standards.
If you have any questions, please feel free to contact our office.