* §   399-dd.  Confidentiality  of  social  security  account  number.
  Beginning on and after January first, two thousand eight:
    1. As used in this section  "social  security  account  number"  shall
  include  the number issued by the federal social security administration
  and any number derived from such number. Such term shall not include any
  number that has been encrypted.
    2. No person,  firm,  partnership,  association  or  corporation,  not
  including  the  state or its political subdivisions, shall do any of the
  following:
    (a) Intentionally communicate to the general public or otherwise  make
  available  to  the  general  public in any manner an individual's social
  security  account  number.  This  paragraph  shall  not  apply  to   any
  individual   intentionally   communicating  to  the  general  public  or
  otherwise making available to the  general  public  his  or  her  social
  security account number.
    (b)  Print  an individual's social security account number on any card
  or tag required for the  individual  to  access  products,  services  or
  benefits  provided  by  the  person,  firm,  partnership, association or
  corporation.
    (c) Require an individual to  transmit  his  or  her  social  security
  account number over the internet, unless the connection is secure or the
  social security account number is encrypted.
    (d)  Require  an  individual to use his or her social security account
  number to access an internet web  site,  unless  a  password  or  unique
  personal  identification  number  or other authentication device is also
  required to access the internet website.
    (e) Print an  individual's  social  security  account  number  on  any
  materials that are mailed to the individual, unless state or federal law
  requires  the social security account number to be on the document to be
  mailed. Notwithstanding this paragraph, social security account  numbers
  may  be  included  in  applications  and  forms  sent by mail, including
  documents sent as part of an application or enrollment  process,  or  to
  establish,  amend  or  terminate  an  account, contract or policy, or to
  confirm the accuracy of the social security  account  number.  A  social
  security  account  number  that  is  permitted  to  be mailed under this
  section may not be printed, in whole or part, on  a  postcard  or  other
  mailer  not requiring an envelope, or visible on the envelope or without
  the envelope having been opened.
    3. This section does not prevent the collection, use, or release of  a
  social  security account number as required by state or federal law, the
  use of a social security account number for internal verification, fraud
  investigation or administrative purposes or for  any  business  function
  specifically authorized by 15 U.S.C. 6802.
    4.  Any  person,  firm, partnership, association or corporation having
  possession of the social  security  account  number  of  any  individual
  shall,  to  the extent that such number is maintained for the conduct of
  business or trade, take reasonable measures to ensure that no officer or
  employee has access to such number for any  purpose  other  than  for  a
  legitimate  or necessary purpose related to the conduct of such business
  or trade and provide safeguards necessary  or  appropriate  to  preclude
  unauthorized access to the social security account number and to protect
  the confidentiality of such number.
    5.  Any waiver of the provisions of this section is contrary to public
  policy, and is void and unenforceable.
    6. Whenever there shall be a violation of  this  section,  application
  may  be  made  by  the attorney general in the name of the people of the
  state of New York to a court or justice having jurisdiction by a special
  proceeding to issue an injunction, and upon notice to the  defendant  of
  not  less than five days, to enjoin and restrain the continuance of such
  violations; and if it shall appear to the satisfaction of the  court  or
  justice  that  the  defendant  has,  in  fact, violated this section, an
  injunction  may  be  issued  by  such  court  or  justice, enjoining and
  restraining any further violation,  without  requiring  proof  that  any
  person  has,  in  fact,  been  injured  or  damaged thereby. In any such
  proceeding, the court may make allowances to  the  attorney  general  as
  provided  in  paragraph  six  of subdivision (a) of section eighty-three
  hundred  three  of  the  civil  practice  law  and  rules,  and   direct
  restitution.  In  connection  with  any  such  proposed application, the
  attorney general is authorized to take proof and make a determination of
  the relevant facts and to issue subpoenas in accordance with  the  civil
  practice  law  and  rules.  Whenever  the  court  shall determine that a
  violation of subdivision two of this section has occurred, the court may
  impose a civil penalty of not more  than  one  thousand  dollars  for  a
  single  violation  and  not  more  than one hundred thousand dollars for
  multiple violations resulting from a single act or incident. The  second
  violation  and any violation committed thereafter shall be punishable by
  a civil penalty of not more than five  thousand  dollars  for  a  single
  violation  and  not  more  than  two  hundred fifty thousand dollars for
  multiple violations resulting from a single act or incident. No  person,
  firm,  partnership,  association  or corporation shall be deemed to have
  violated  the  provisions  of  this  section  if  such   person,   firm,
  partnership, association or corporation shows, by a preponderance of the
  evidence,  that  the  violation  was not intentional and resulted from a
  bona fide error  made  notwithstanding  the  maintenance  of  procedures
  reasonably adopted to avoid such error.
    * NB There are 4 § 399-dd's