NYS-P10-004 Guidance For The Use Of SSNs By State Government Entities

Transcription

State Capitol P.O. Box 2062
Albany, NY 12220-0062
www.its.ny.gov

New York State Information Technology Policy
IT Policy: Guidance for the Use of SSNs by State Government Entities
No: NYS-P10-004
Updated: 06/28/2017
Issued By: NYS Office of Information Technology Services
Owner: Division of Legal Affairs

1.0 Purpose and Benefits

Social Security numbers (SSNs) are highly sensitive personal identifying information. SSNs are commonly used in identity theft and fraud. Changes to the New York State Labor Law and Public Officers Law in 2009 and 2010 implemented controls on the collection and transmission of SSNs by the State and its political subdivisions. These changes to the Labor Law and Public Officers Law reduce the potential for SSNs to be subject to unauthorized disclosure.

Since 1983, the New York State Personal Privacy Protection Law (PPPL), codified in Article 6-A of the Public Officers Law, has required State agencies to maintain in their records only the personal information relevant and necessary to accomplish a purpose of such agencies: (1) as required to be accomplished by statute or executive order, or (2) as required to implement a program specifically authorized by law. Further, the PPPL obligates agencies to ensure the integrity and security of personal information maintained in their records. Chapter 279 of the Laws of 2008 amended the PPPL and the Labor Law to extend to the public entities certain prohibitions already applicable to commercial entities and to establish specific requirements applicable for the use and transmission of SSNs. More specifically, Chapter 279 added Section 96-a of the Public Officers Law and Section 203-d of the Labor Law.

This policy describes these requirements as they are applicable to State government entities, providing guidance to ensure the development and deployment of technology in government is coordinated with consistent approaches for compliance.
This guidance was originally issued by ITS after consultation with the former New York State Consumer Protection Board, the New York State Department of Labor, and the former New York State Office of Cyber Security and Critical Infrastructure Coordination (now a part of ITS), all of whom or their successor agencies have certain responsibilities concerning the privacy and security of personal identifying information, such as SSNs, used by State government entities. Per statute, an employer’s failure to establish policies or procedures to safeguard against privacy breaches may be presumptive evidence of a violation. State government entities may wish to adopt agency level policies not inconsistent with these guidelines to avoid allegations of breach and imposition of authorized penalties.

2.0 Authority

Chapter 279 of the Laws of 2008 contained changes to the New York State Labor Law which went into effect on January 3, 2009, and changes to the New York State Public Officers Law, Article 6-A (Personal Privacy Protection Law), which went into effect January 1, 2010, governing the use of SSNs by state agencies and political subdivisions. Many of these changes concern the use of SSNs in technology systems, including the Internet, websites, and electronic mail.

Section 2 of Executive Order No. 117 provides the State Chief Information Officer the authority to oversee, direct and coordinate the establishment of information technology policies, protocols and standards for State government, including hardware, software, security and business re-engineering. Details regarding this authority can be found in NYS ITS Policy NYS-P08-002, Authority to Establish State Enterprise Information Technology (IT) Policy, Standards and Guidelines.

3.0 Scope

This policy applies to ITS, all State Entities (SE) that receive services from ITS, and affiliates of same (e.g., contractors, vendors, solution providers), which have access to or manage SE information. It also serves as recommended practice for the State University of New York, the City University of New York, non-Executive branch agencies, authorities, NYS local governments and third parties acting on behalf of same.

These guidelines apply to all “state government” entities, as defined in NYS Executive Order 117.
They apply to state government entity “technology” “systems,” as defined in the NYS Information Technology Policies, Standards, and Best Practice Guidelines Glossary. https://its.ny.gov/glossary

4.0 Information Statement

NYS LABOR LAW SECTION 203-d

A new section 203-d was added to the NYS Labor Law, effective January 3, 2009. These provisions prohibit all New York State employers, including the State in its capacity as an employer, from:

• Unless required by law:
  o Publicly posting or displaying an employee’s SSN;
  o Visibly printing a SSN on any identification badge or card, including a time card;
  o Placing a SSN in files with unrestricted access; or
  o Communicating an employee’s “personal identifying information” to the general public. “Personal identifying information” means any of the following elements alone or in combination with other elements: an employee’s home address or telephone number, personal electronic mail address, Internet identification name or password, parent's surname prior to marriage, drivers' license number, or SSN; or
• Using a SSN as an identification number for purposes of any occupational licensing.[1]

Labor Law Section 203-d: (i) states it shall be presumptive evidence of a knowing legal violation of this section if an employer has not put into place policies or procedures to safeguard against such violations, including provisions to notify employees; and (ii) provides the Commissioner of Labor authority to impose monetary civil penalties for such knowing violations.

Accordingly, State government entities should have policies in place to comply with the requirements of section 203-d. These policies should include:
• an outline of the prohibitions of section 203-d; and
• procedures instituted by the State government entity to safeguard against unlawful disclosure, including as applicable notice to and training of its workforce.

To the extent a State government entity is using technology systems to accomplish any of the purposes described above (e.g. using the entity’s employees’ SSNs as identification numbers in its technology systems) it should modify its IT systems to comply with these requirements.

[1] A State Government entity should consult with its Counsel’s Office concerning the requirements of section 203-d of the Labor Law and their applicability to its specific circumstances.

NYS PPPL SECTION 96-a

1. A new section 96-a was added to the PPPL, effective January 1, 2010 (hereinafter “Section 96-a”). It extends the prohibitions of Section 399-dd of the General Business Law to the context of the State and its political subdivisions (hereinafter “the State”). These restrictions fall into two main groups: (a) prohibitions against what the State can do; and (b) limitations on what the State can require individuals to do.

Section 96-a defines a “social security account number” to “include the nine-digit account number issued by the federal social security administration and any number derived therefrom” but not “any number that has been encrypted.” Under Section 96-a:

Unless required by law, the State shall not:
• Intentionally communicate to the general public or otherwise make available to the general public in any manner an individual's social security account number.
• Print an individual's social security account number on any card or tag required for the individual to access products, services or benefits provided by the state and its political subdivisions.
• Include an individual’s social security account number, except for the last four digits, on any materials that are mailed to the individual, or in any electronic mail that is copied to third parties, unless:
  o state or federal law requires the social security account number to be on the document to be mailed; or
  o the State chooses to include the social security account number in applications and forms sent by mail, including documents sent as part of an application or enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the social security account number (but social security account numbers permitted to be mailed under this exception may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened).
• Encode or embed a SSN in or on a card or document, including, but not limited to, using a bar code, chip, magnetic strip, or other technology, in place of removing the SSN.

Unless required by law, the State shall not require an individual to:
• Transmit the individual’s social security account number over the Internet unless the connection is secure or the social security account number is encrypted; or
• Use the individual’s social security account number to access an Internet website, unless a password or unique personal identification number (PIN) or other authentication device is also required to access the Internet website. Such passwords and PINs should be unique to the individual and based on information which is private and not generally available to others.[2]

[2] The statute contains limited exceptions for the collection, use or release of SSNs for fraud investigations, internal verification or other administrative purposes. The existence of these exceptions does not obviate the State government entity’s obligation to otherwise ensure the security and integrity of SSNs. A State government entity should consult with its Counsel’s Office concerning the requirements of section 96-a and their applicability to its specific circumstances.

2. Concerning NYS PPPL section 96-a, all State government entities should:

a. Make checklists concerning their use of social security account numbers and SSNs and consult with their attorneys to confirm they are in compliance with the law.

b. Review the guidance below which was developed to assist State government entities to comply with the law.

c. With regard to printed documents:
  i. Make a list of all the documents which the State government entity provides to individuals, such as employees or members of the public, which show or contain an individual’s SSN. These can include cards, tags, letters or forms where the SSN appears on the face of the document and cards or documents where the SSN is embedded or encoded in or on the item.
  ii. Divide this list into two types of documents, i.e., those which are sent by postal mail for the individual’s personal review only, and those which are intended for public use (e.g., a badge).
  iii. For documents intended for the individual’s personal review only:
    • State government entities may only use the full SSN:
      o if required by state or federal law, or
      o in applications or forms sent by mail that include documents sent as part of an application or enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the SSN --but--
      o for either of the above, only if no portion of the SSN is printed on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.
    • Otherwise, State government entities may only use the last four digits of the SSN, refraining from doing even that when possible.
  iv. For documents intended for public use, State government entities should not use any printed SSNs either in part or in full.

State entities should not, unless required by law, require individuals to choose their SSN as an account ID for the purposes of identification on printed communications.

d. With regard to e-mail:
  i. State government entities may not include full SSNs in any electronic mail that is copied to third parties, unless state or federal law requires it.
  ii. Otherwise, State government entities may only use the last four digits of the SSN, refraining from doing even that when possible.

e. With regard to Internet communications:
  i. Make a list of all Internet-related communications where the State government entity requires an individual to transmit his/her full SSN over the Internet in order to register for or file a claim for benefits or services, or where an individual is required to use his/her SSN to access the State government entity’s Internet website.
  ii. Divide this list into two types of communications, i.e., SSN form submissions and SSNs used for website access.
  iii. For these types of communications:
    • For both types of communications, unless required to do so by law, State government entities are not permitted to require the transmission of the SSN unless the transmission is via a secure (i.e., https) connection or the SSN is encrypted.
    • Unless required to do so by law, a State government entity is not permitted to require SSNs to be used to access internet websites unless a password, unique personal identifier, or other authentication device is also required. In those cases in which SSNs are currently used for this purpose, a State government entity must:
      o implement multi-factor authentication requiring a password, unique personal identifier, or other authentication device (e.g., a token) to establish the unique identity of the user; or
      o provide users with a means of changing their user IDs from an SSN to an identifier that will not identify them personally and is not derived from the SSN. This notice could be provided to all current users of the State government entity’s services in the next general postal or online mailing. For prospective users of the State government entity’s services, any registration screen that asks for the creation of a user ID should contain a prominent disclaimer warning the individual to exercise care in the selection of a user ID with language such as “Choose an alias to protect your identity. Do not choose any information that identifies you personally (e.g., a Social Security number).”

f. With regard to claim form submissions, either printed or electronic:
    • Unless required to do so by law, State government entities are not permitted to require individuals to print their full SSNs on claim forms, unless required by state or federal law or for internal verification, fraud investigation or administrative purposes.

A worksheet is attached to the end of this policy to further assist State government entities in complying with these new laws. See Attachment A.

5.0 Compliance

This policy shall take effect upon publication. Compliance is expected with all enterprise policies and standards. ITS may amend its policies and standards at any time; compliance with amended policies and standards is expected.

6.0 Definitions of Key Terms

Except for terms defined in this policy, all terms shall have the meanings found

State Government Entity
shall have the same meaning as defined in Executive Order No. 117, first referenced above, and shall include all state agencies, departments, offices, divisions, boards, bureaus, commissions and other entities over which the Governor has executive power and the State University of New York and City University of New York; provided, however, that universities shall be included within this definition to the extent of business and administrative functions of such universities common to State government.

7.0 Contact Information

Submit all inquiries and requests for future enhancements to the policy owner at:

Division of Legal Affairs
Reference: NYS-P10-004
NYS Office of Information Technology Services
State Capitol, PO Box 2062
Albany, NY 12220-0062
Telephone: (518) 473-5115
Email: its.sm.dla@its.ny.gov

Statewide technology policies, standards, and guidelines may be found at the following website:

8.0 Revision History

This policy shall be reviewed at least once every two years to ensure relevancy.

Date | Description of Change | Reviewer
07/07/2010 | Original Policy Release | CIO/OFT
07/07/2012 | Scheduled Policy Review | CIO/OFT
09/12/2012 | Reformatted and updated to reflect current CIO, agency name, logo and style.
Revised to update language and outdated links, after reviewing current status of the law.
Scheduled Review | CIO/OFT
Reformatted logo and style. Updated language after review. | Division of TS

9.0 Related Documents

ATTACHMENT A: Worksheet

Under provisions of section 96-a of the Personal Privacy Protection Law, Public Officers Law, Article 6-A (the “PPPL”), as amended by chapter 279 of the Laws of 2008 and effective January 1, 2010, state agencies and political subdivisions were subject to new restrictions on the collection and use of Social Security numbers (SSNs). This Worksheet is intended to assist state agencies in complying with the PPPL. Instructions and examples of responses are provided below. The Worksheet is suggestive only and does not constitute legal advice.

Q. 1 HOW AND WHY DOES MY AGENCY COLLECT SSNs?

Column 1: Identified instance in which SSNs are collected
  Instructions: Using a new row for each entry, identify an instance in which the agency collects SSNs from individuals.
  Example #1: On applications for agency benefits or services.
  Example #2: Used as an identifier for logging in to a website.

Column 2: In which formats are the SSNs collected?
  Instructions: For each instance identified in the first column, identify the format for the collection of SSNs, e.g., application forms [web and/or paper], claim forms [web and/or paper], website access.
  Example #1: On applications for agency benefits or services (web and paper).
  Example #2: Login credentials on website.

Column 3: What agency purpose is served by collecting SSNs in this instance?
  Instructions: For each instance identified in the first column, explain what agency purpose is served by collecting SSNs from individuals.
  Example #1: For personal identification and for tax calculation and reporting. State government entity needs to collect and maintain SSN in agency file for these purposes.
  Example #2: For personal identification and to authenticate the individual’s identity for web access.

Column 4: What is the legal authority for collecting SSNs in this instance?
  Instructions: For each instance identified in first column, identify the legal authority for the collection of SSNs.
  Example #1: Federal or NYS tax law; NYS Personal Privacy Protection Law (especially the “relevant and necessary” provisions).
  Example #2: Well-intentioned but ill-advised effort to comply with laws requiring virtual access security.

Column 5: How are these SSNs transmitted?[3]
  Instructions: For each instance identified in first column, identify the manner of transmission (e.g., by web transmission; or by fax to an agency fax machine).
  Example #1: Web application form transmitted through non-secure (i.e., non-https) connection.
  Example #2: Web page transmitted through non-secure (i.e., non-https) connection. Also, authentication by one-factor, public information (i.e., SSN by itself).

Column 6: Are changes needed to comply with §96-a?
  Instructions: For each specific format identified in first column, identify the necessary remediation.
  Example #1: Change page to https.
  Example #2: Connection change same as Example #1. Authentication change requires either non-SSN authenticator or SSN with password or other unique personal identifier.

Column 7: Timetable for indicated changes
  Instructions: For each specific format identified in first column, identify target completion date and any milestone dates.
  Example #1: Change completed by law’s effective date of January 1, 2010, or as reasonably soon as possible thereafter.
  Example #2: Connection change same as Example #1. Page re-design for authentication change by (milestone and completion dates).

[3] The changes in SSN law address transmission of SSNs. State government entities should also review and confirm with their legal counsel whether the manner in which they maintain SSNs complies with the PPPL.

Q. 2 HOW AND WHY DOES MY AGENCY USE SSNs?

Column 1: How does my agency use SSNs it collects?
  Instructions: In separate boxes in this column, identify the format for each use, e.g., on cards, tags or forms, on printed materials such as envelopes, letters, postcards or flyers mailed to the individual, or on e-mail messages, for fraud investigation, internal verification or administrative purposes.
  Example #1: On tax forms mailed to the individual.
  Example #2: As personal ID on cards, tags for customers and employees to use in order to access benefits or services.
  Example #3: Posting on publicly accessible websites or otherwise making available for public inspection newly received documents containing SSNs filed with the agency pursuant to court rules, commercial code laws, or other legal requirements after the new SSN law became effective.
  Example #4: Having posted on publicly accessible websites or otherwise made available for public inspection previously received documents containing SSNs filed with the agency pursuant to court rules, commercial code laws, or other legal requirements before the new SSN law became effective.

Column 2: Why does my agency use SSNs in this manner?
  Instructions: For each specific use identified in first column, explain why your agency uses SSNs in this manner, and the justification for such use. If the manner of use is on printed or electronic materials mailed to the individual, indicate whether the purpose of the use is as part of an enrollment or application process, or to confirm the accuracy of the SSN, or to establish, amend or terminate an account, contract or policy.
  Example #1: To enable individual to report taxable benefits. State government entity is required to show SSN on tax form.
  Example #2: For personal identification.
  Example #3: Newly received court documents; commercial code filings; clerk’s office documents.
  Example #4: Previously received and posted court documents; commercial code filings; clerk’s office documents.

Column 3: What is the legal authority for this use?
  Instructions: For each specific use identified in first column, identify the legal authority for the use of SSNs in this manner.
  Example #1: Federal or NYS tax law; NYS Personal Privacy Protection Law (especially the “relevant and necessary” provisions).
  Example #2: Well-intentioned but ill-advised effort to comply with laws requiring physical access security.
  Example #3: Collection and use made pursuant to the relevant laws pertaining to those specific filings with the requisite State government entity. Public release of the documents to adhere to those laws as well as to government transparency laws and principles.
  Example #4: Collection and use made pursuant to the relevant laws pertaining to those specific filings with the requisite State government entity. Public release of the documents to adhere to those laws as well as to government transparency laws and principles.

Column 4: What are the security risks?
  Instructions: For each specific use identified in the first column, review how the SSNs are displayed or transmitted, e.g., would the SSN as displayed on the communication be visible to persons other than the SSN owner?
  Example #1: If the SSN as displayed on the tax form is visible through the window of the mailing envelope.
  Example #2: SSN can be seen by anyone viewing the card, tag or form. Includes encoded or embedded SSNs on cards or documents.
  Example #3: SSN can be seen by anyone viewing the site or document.
  Example #4: SSN can be seen by anyone viewing the site or document.

Column 5: Are changes needed to comply with §96-a?
  Instructions: For each specific use identified in first column, identify the necessary remediation.
  Example #1: Tax form should always be accompanied by a cover letter which does not display the SSN.
  Example #2: Phase in new personal ID program that does not allow for use of SSN as personal ID.
  Example #3: SSNs should be redacted from lists prior to posting and documents prior to inclusion in open record repository.
  Example #4: No, unless requested to do so by an individual to whom the SSN pertains. Redacting SSNs from previously posted documents wholesale without individual prompting would be an optimal practice, should resources permit doing so.

Column 6: Timetable for indicated changes?
  Instructions: For each specific format identified in first column, identify target completion date and any milestone dates.
  Example #1: Cover letter should be included with next tax form mailing.
  Example #2: For new IDs, immediately prohibit use of SSN. Phase-in conversion of existing IDs by (milestone and completion dates).
  Example #3: Immediately correct web postings.
  Example #4: For documents previously made available for public inspection, redact upon request of individual to whom the SSN pertains.
