February 28, 2012

 


You may collect your subscribers' personal information for legitimate business purposes. These purposes include identification, ascertaining creditworthiness, information that will be needed later to collect a judgment, codes and passwords. The information includes social security numbers, credit card information, personal passwords, background information and a host of other information not readily available to the public. While you can collect this information, you must be very careful how it is used and accessed. You must also be vigilant that this information does not leave your office. When it is contained on paper, you must redact the information before permitting it to leave your office. My office, which has a very large collection practice for the alarm industry, has the following policy that our attorneys and support staff must follow:

"Social security numbers, tax ID numbers, credit card information, alarm codes, and other personal or sensitive information must be redacted from all legal documents prepared by this office. Any document that goes to arbitration or to court must be checked for all of these types of information. That means exhibits in complaints, demands for arbitration, petitions, etc. If a contract containing any such information is to be used as an exhibit in a legal document, then the information must be redacted before the document is given to an attorney to review and sign. Attorneys are not to sign any legal document if the file contains a document that needs to have certain information redacted and it hasn’t been done yet. Do not write any of the information that needs to be redacted into the file. Instead, keep an unredacted copy in the file in case we need it later for permissible use – as a trial exhibit, to perform a search, or for judgment enforcement. When closing out files, you need to redact social security numbers from the unredacted copy kept in the file."

Here's why we are so careful, and you should be too:

Failure to follow these procedures may result in severe penalties.

New York General Business Law section 399-dd*4 provides in relevant part as follows:

"No person [or] firm … shall do any of the following: Intentionally communicate to the general public or otherwise make available to the general public in any manner an individual’s social security number....

Any person [or] firm … having possession of the social security account number of any individual shall, to the extent that such number is maintained for the conduct of business … take reasonable measures to ensure that no … employee has access to such number for any purpose other than for a legitimate or necessary purpose related to the conduct of such business … and provide safeguards necessary or appropriate to preclude unauthorized access to the social security account number and to protect the confidentiality of such number....

No person may file any document … in any court of this state that contains a social security account number of any other person...."

The penalties for violation are severe - $1,000 for a single violation or $100,000 for multiple violations resulting from a single act or incident – and the numbers go up significantly upon subsequent violations.

Failure to properly redact certain information is also a violation of the Federal Red Flags Rules and may result in severe penalties. There is currently a $3,500 penalty for each violation, and violators may also be subject to court-ordered injunctive relief.

By the way, ignorance of the law is irrelevant, as is who in your office is the offender. You're the one that's going to be sued and have to pay the judgment. Be careful what you send out of your office and who you send it to. Whoever you're sending it to needs to be as careful as you to make sure that any document is properly and thoroughly redacted of personal identification information.

 

Federal Law

Federal Trade Commission Red Flags Rules, codified in 15 U.S.C. § 1681, require companies holding consumer accounts to adopt policies to detect and prevent the unauthorized disclosure of information and identity theft.

 

Texas Law

Section 501.052 of the Texas Business and Commerce Code requires any business that requires individuals to disclose their social security number to obtain goods or services or enter into a business transaction to have a privacy policy on file that describes how social security numbers are collected, used, and protected, in addition to other information.

 

Not sure how to comply? Call Gene Rosen, Esq., at 516 747 6700 ext 303. He is our Managing Attorney in our Alarm Collection Department. He can also be reached at GRosen@KirschenbaumEsq.com. Our alarm collection practice is limited to New York and New Jersey.