Thank you for sharing!

Your article was successfully shared with the contacts you provided.
On May 21, Governor David A. Paterson introduced in the state Legislature an extensive bill dealing with identity theft. In his accompanying memorandum, Mr. Paterson stated that he wants to eliminate gaps in the state’s identity theft laws. 1 “Victims of identity theft and financial fraud in New York State face barriers in receiving important assistance, information, and resources . . . [and] have an arduous task in repairing their financial record, credit rating, and well being.” 2 The bill would amend the Executive Law, the General Business Law, the Public Officers Law, the Labor Law, the Penal Law and the Criminal Procedure Law. In substantial part, the impetus for its introduction emanates from the drastically increased number of disclosures of personal data security breaches 3 occurring over the past few years. Executive Law §553 presently empowers the state’s Consumer Protection Board to assist victims of identity theft. The board has authority to investigate, resolve, and refer to the attorney general identity theft complaints. Victims can seek assistance from the board for the purpose of rectifying their financial and credit history. Section 1 of the bill would amend §553(2) by adding a new subsection (f) to create a procedure by which identity theft victims could receive additional assistance from the board. Under the bill, the board would acquire authority to promulgate regulations establishing a process for (i) administering the identity theft prevention and mitigation program, and (ii) acting as a liaison between victims and any state agency to facilitate resolution of the problems resulting from identity theft. General Business Law §380-t presently deals with security freezes, and specifies that the consumer must initiate a freeze in writing. Section 2 of the bill would permit consumers alternatively to freeze their credit reports by secure electronic means, or by phone, and would also reduce the number of business days the credit reporting agencies (CRAs) would then have to implement the freeze, 4 and to lift it temporarily at the consumer’s request. 5 And any time a CRA is required to send New York consumers a summary of rights, the CRA would have to inform the consumer of these time periods. Moreover, each CRA would be required to have a secure Web site and dedicated toll-free phone number for processing such requests. Section 3 of the bill would amend the Public Officers Law by adding a §96, which would impose on the state and its political subdivisions prohibitions on the use of Social Security numbers (SSNs) that already apply to the private sector. Under the bill, absent a contrary requirement of state or federal law, neither the state nor its political subdivisions may intentionally communicate to the general public an SSN, print an SSN on any card required for the owner to access products or services, require an individual to transmit his or her SSN over the Internet (unless encrypted or through a secure connection), require an individual to use an SSN to access a Web site (unless a password is also required), print an SSN on a document mailed to the individual, embed an SSN on a card (e.g., using a bar code or on a chip) instead of removing it as required by this section; or file in court, 6 available for public inspection, a document that contains an SSN (unless of a dependent child or with consent). 7 Section 7 of the bill would add to the General Business Law an Article 32-A, entitled “Protection of Sensitive Personal Information.” This article governs the activities of “individual reference services providers” (IRSPs), 8 i.e., persons or entities 9 primarily engaging in the business of collecting, assembling, transmitting, or maintaining sensitive personal information” (SPI) for the purpose of providing it to third parties for consideration. SPI is defined as any of 10 items relating to an identifiable individual: SSN; mother’s former or current name; birth date; the number of a passport, driver’s license, or alien registration; bank account and “investment information”; “tax information”; “medical information”; driving record; criminal record; and history of civil actions. The bill would require IRSPs to create an exclusion list to give individuals the right to prevent the IRSP from disclosing SPI to third parties. 10 The ban would go into effect 15 days after the individual’s name appeared on the IRSP’s exclusion list, and would remain in effect for five years. Each IRSP would be required to post clearly and conspicuously on its Web site a notice regarding the individual’s rights and the procedure for exercising them. Inclusion on the list may be made, at no charge to individuals, by toll-free phone, mail, e-mail or in person. In addition, each IRSP must establish appropriate administrative, technical and physical safeguards to ensure the security of SPI. Information on the inclusion list may be used solely for compliance with this section or in an action commenced under it, and would not be subject to public disclosure. The attorney general could bring an action for violation of this article and obtain an injunction absent a showing of injury; the court would be empowered to impose a civil penalty of up to $5,000 per violation. Labor Law Addition Section 8 of the bill would add Labor Law §203-d, placing several prohibitions on employers. Employers would not be permitted publicly to display more than the last four digits of an employee’s SSN, visibly print more than four sequential digits of an SSN on an ID badge or card, place an SSN in files with unrestricted access, or communicate an employee’s personal identifying information to the public. 11 Moreover, an SSN may not be used as an ID number for purposes of occupational licensing. The bill would empower the commissioner of labor to impose a civil penalty of up to $500 on an employer for a knowing violation. Penal Law §60.27(1) presently permits district attorneys to seek, on behalf of victims, (i) restitution of the fruits of the offense, (ii) reparation for actual out-of-pocket loss, and (iii) costs or losses incurred by “adverse action,” defined as “actual loss incurred by the victim and the consequential financial losses from such action.” Section 9 of the bill would state expressly that “adverse action” includes the value of “time reasonably spent by the victim attempting to remediate the intended or actual harm incurred by the victim from the offense, and the consequential financial losses from such action.” Sections 10 and 11 of the bill are directed to a new Penal Law section 190.85, which would make it felonious to possess a skimmer device 12 with intent to use it, or with knowledge that it is intended to be used in furtherance of identity theft or unlawful possession of personal information. Conclusion The governor has introduced a relatively broad and ambitious bill. But where the rubber meets the road, it may have less than the intended effect. The bill follows the typical New York practice of expressly enabling government action, and providing neither an express private right of action nor statutory damages. Presently, damages that the district attorney may seek include the perpetrator’s fruits, the victim’s out-of-pocket, and the victim’s losses from “adverse action.” In the vast majority of identity thefts, the perpetrator gains nothing, and the victim suffers little if any out-of-pocket. Moreover, the present definition of “adverse action” is vague. By expressly providing that a victim may be reimbursed for the value of time spent on remediating intended or actual harm, the bill may or may not ratchet up damages that will be proved in a typical action. But enforcement will still depend on the willingness of overworked government lawyers to bring actions alleging this type of vexatious and annoying, but non-violent, crime. David Bender, a solo practitioner in Dobbs Ferry, specializes in privacy, information technology and intellectual property law. Endnotes: 1. According to the Federal Trade Commission’s Identity Theft Clearinghouse, in 2006 New York ranked sixth among the states in per capita identity theft complaints. 2. Governor’s Program Bill #58. p. 2 (May 21, 2008). 3. Also, the “heightened level of vulnerability and exposure created by the compilation of large electronic databases necessitates a greater level of risk sensitivity.” Governor’s Program Bill #58, p. 2 (May 21, 2008). 4. After Sept. 1, 2009, the period would be one business day. It is presently four business days. 5. After Sept. 1, 2009, the period, for requests made by phone or electronically, would be 15 minutes. For written requests, it is presently three business days. 6. The term SSN also includes any number derived from more than four digits of the government-issued SSN, unless encrypted. County clerks and courts are permitted to make available documents publicly filed prior to the effective date of this section, provided that an individual may demand prompt redaction of his or her SSN. Also, the section does not preclude use of SSNs for internal verification, fraud investigation, or administrative purposes. 7. Sections 4, 5 and 6 of the bill are directed to conforming certain General Business Law provisions dealing with the display of SSNs to the changes set forth in §3 of the bill. These sections would amend General Business Law §399-dd(1) to bring the definition of SSN into conformity with the definition set forth in §3 of the bill; would add a subsection to General Business Law §399-dd(2) to prohibit embedding a SSN on a card in lieu of removing it; and would add a subsection to General Business Law §399-dd(6) prohibiting the filing with any state agency, political subdivision or court of a document making available publicly a SSN (unless with consent or of a dependent child). 8. The bill appears to use this term interchangeably with the term “information broker,” which the bill does not define. An IRSP seems to be what is generally called a data aggregator or data broker. If so, it is not clear why the bill does not use the accepted term. 9. The bill would not apply to federal or state government units; CRAs, entities with established business relationships with the data subject who furnish information (i) to a CRA for a consumer report, or (ii) communicate it to non-affiliates for non-marketing purposes; the media; private investigators; and labor unions engaged in permitted practices. Providing information to federal or state government is also excluded. 10. However, disclosure would be permitted to government or in response to a court order. 11. “Personal identifying information” “include[s]” SSN, home address and phone number, personal e-mail address, Internet identification name or password, parent’s surname before marriage, and driver’s license number. 12. The bill defines this as “a device designed, adapted, or used to obtain personal identifying information from a credit card, debit card, public benefit card, access card or device, or other card or device that contains personal identifying information.”

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.