Earlier this week, Connecticut Governor Dannel P. Malloy signed a law to protect prospective and current employees from employer interference with their “personal online accounts.” The new law, which will take effect on October 1, 2015, defines personal online accounts to include any online account used by a prospective or current employee exclusively for personal purposes (including through electronic mail, social media or retail-based Internet websites). The term does not encompass any account created, maintained, used or accessed by a prospective or current employee for business purposes of the employer.
Specifically, the new law prohibits employers from requesting or requiring a prospective or current employee to:
- divulge his or her username, password, or other authentication information used to access a personal online account; or
- authenticate or access a personal online account in the presence of the employer.
The new law also prevents an employer from requiring a prospective or current employee to invite the employer, or accept an invitation from the employer, to join a group affiliated with his or her personal online account. Employers also may not take an adverse action against a prospective or current employee for refusing to engage in, or for filing a complaint about, such activity.
Despite these prohibitions, an employer may request or require that a prospective or current employee provide the employer with his or her username, password, or other authentication information used to access (i) any account or service provided by the employer or that the employee uses for business purposes of the employer, or (ii) any electronic communications device supplied or paid for, in whole or in part, by the employer.
The new law also expressly allows an employer to conduct an investigation based on the receipt of “specific information” regarding:
- activity on a prospective or current employee’s personal online account for the purpose of ensuring compliance with applicable laws, regulations, or prohibitions against work-related employee misconduct, or
- a prospective or current employee’s unauthorized transfer of the employer’s proprietary, confidential, or financial information to or from a personal online account.
For purposes of the investigation, the employer may require that a prospective or current employee allow access to his or her personal online account, provided that the employer does not require the individual to disclose the username, password or other authentication information for the account.
Moreover, nothing in the new law prevents an employer from:
- monitoring, reviewing, accessing or blocking electronic data stored on an electronic communications device paid for, in whole or in part, by an employer, or traveling through or stored on an employer’s network, in accordance with state and federal law;
- taking adverse action against a prospective or current employee who has transferred, without the employer’s permission, the employer’s proprietary, confidential, or financial information to or from his or her personal online account; or
- otherwise complying with the requirements of federal or state laws, regulations, rules, case law or rules of self-regulatory organizations.
The new law affords prospective and current employees the right to file a complaint with the state labor commissioner. In the event of a violation, the commissioner may levy fines of up to $1,000, as well as order rehiring/reinstatement, back pay, reinstatement of employee benefits, and such other relief as “deemed appropriate.”
Twenty other states have similar laws restricting employer access to a prospective or current employee’s personal social media account, including Arkansas, California, Colorado, Illinois, Louisiana, Maryland, Michigan, Montana, Nevada, New Hampshire, New Jersey, New Mexico, Oklahoma, Oregon, Rhode Island, Tennessee, Utah, Virginia, Washington, and Wisconsin.