New York Shredding Laws

N.Y. Gen. Bus. Law § 399-H

This 2008 law, also called the Social Security Number protection Law, defines what a business can do with employee's and customer's social security number. The law prohibits:

  • Intentionally communicating an employee’s social security number to “the general public or otherwise make [it] available to the general public”
  • Printing an employee’s social security number on any card or tag required to access services or benefits provided by the employer
  • Requiring an employee to transmit his or her social security number over the internet unless “the connection is secure or the social security account number is encrypted”
  • Requiring an employee to use his or her social security number to access an internet web site unless “a password or unique personal identification number or other authentication device is also required to access the internet website”
  • Printing an employee’s social security number on any materials to be mailed unless state or federal law requires that this information be on the document.
New York Shredding Laws
It requires:
  • A written privacy policy.
  • Disposal procedures that are consistent with accepted industry practice and satisfy legal requirements, AKA shredding.
  • Locking up and limiting access to employee personal information;
  • Conducting background checks on employees who will have access to personal information;
  • Limiting retention of personal information to only that which is essential;
  • Training employees on privacy and document disposal policies;
  • Encouraging employees to report any possible security breaches;
  • Avoiding using or disclosing an employee’s social security number for any purpose other than that required by law or legitimate and necessary business purpose; and
  • Taking proper security precautions when terminating employees who have access to personal information (e.g., changing computer access codes).

New Jersey Identity Theft Prevention Act

As of January 1, 2006 businesses in New Jersey need to take better care of their customers information. The law is designed to prevent identity theft through safeguarding personally identifying information. If you are a business you must take affirmative steps to protect information of customers. Customers is broadly defined to include anyone who provides information to the business including job applicants and employees. Information is defined as: 1) an individual's first name or first initial and last name linked with his or her account or credit card number in combination with a required security code permitting access to the individual's financial account; 2) one's Social Security number; or, 3) one's driver's license number.

It also prohibits any person or entity from 1) publicly displaying or communicating an individual's Social Security number (or any four or more consecutive numbers from the Social Security number); 2) printing an individual's Social Security number on materials mailed to the individual; 3) printing one's Social Security number on any card required for the individual to access the entity's products or services; 4) requiring an individual to transmit his Social Security number over the Internet unless the connection is secure or the Social Security number encrypted; or 5) requiring an individual to use his Social Security number to access an Internet website unless a password is also required to access the website.

Fair and Accurate Credit Transaction Act (FACTA)

Beginning on June 1, 2005; all businesses and individuals must take appropriate measures to dispose of sensitive information derived from consumer reports. The Disposal Rule calls from proper disposal information to protect against “unauthorized access to or use of the information” in the 2003 law. This could mean burning you documents but for most business it means shredding is now required. This law applies to businesses of any size.

Health Insurance Portability and Accountability Act (HIPAA)

This 1996 law, applies to the security of patients health information. Any organization that handles medical records or other personal health information including a business offering a health plan. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. 

The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. In order to comply with the law all health information must be properly destroyed. For the average health care provider they will need to provide secure bins to their employees to store information to be destroyed. 

Then a standard procedure must be followed for this destruction. This can be mobile or off site shredding but may also include burning. Although the costs to get an incinerator make this impractical.

Get Free Quotes on Shredding Services in Brooklyn

Our network of secure providers offer several shredding services to meet the needs and budget requirements of all types of businesses. Call us at (718) 233-2542 or fill out the form on the right for free quotes from our team of experts.