Following a handful of other states (such as California, Illinois, Maryland and Michigan), a new Utah labor law places limits on employers' ability to access the "personal Internet accounts" of employees and applicants. Gov. Gary R. Herbert signed the state's "Internet Employment Privacy Act" (IEPA) on March 26, 2013, together with the "Internet Postsecondary Institution Privacy Act" applying similar restrictions on postsecondary institutions with respect to their students and prospective students.
The IEPA prohibits an employer from asking an employee or applicant to disclose the username and password that allow access to his or her "personal Internet account," as well as from taking adverse action against the individual for failing to do so. There are some qualifications and exceptions, however.
First, "personal Internet accounts" are defined to mean online accounts that are used by an employee or applicant "exclusively for personal communications unrelated to any business purpose of the employer." In fact, the statute specifically excludes accounts that are "created, maintained, used, or accessed by an employee or applicant for business related communications or for a business purpose of the employer." Of course, employees frequently use their personal online accounts for business purposes, so it is unclear how widespread the protections under this new law will be.
Consider that most employees' LinkedIn or Facebook accounts likely include some business contacts for their current employer, setting up the argument that the account is maintained or used for a business purpose of the employer. Perhaps the practical effect of the law will be to provide greater protection for applicants, who seem less likely to have online personal accounts created, maintained, used or accessed for a business purpose of the employer.
Second, the IEPA sets out some specific exceptions, such as:
- Employers may request or require employees to provide their usernames and passwords to enable the employer to access company-issued (or paid for, in whole or in part) smartphones and other devices, as well as online accounts provided by the employer.
- Employers may discipline employees for making unauthorized transfers of proprietary or confidential company information or financial data to the employee's personal Internet account.
- Employers also may conduct and require employees to cooperate with certain investigations (such as concerning compliance or work-related employee misconduct) when there is specific information about related activity on the employee's personal Internet account.
- Perhaps to address the concerns of those employers who have adopted "BYOD" programs, the law does not prohibit the "monitoring, reviewing, accessing, or blocking electronic data stored on an electronic communications device supplied by, or paid for in whole or in part by, the employer, or stored on an employer's network, in accordance with state and federal law."
- Employers also are not prohibited under the law from viewing, accessing, or using information that is publicly available on the Internet, although there may be other risks to employers engaging in these activities, such as under the Genetic Information Nondiscrimination Act.
Employees and applicants may sue employers for violating this law, but damages are limited to $500 per violation.
This development only highlights the increasing regulation of employee (and applicant) privacy in cyberspace, particularly for multi-state employers where the laws vary significantly. Employers need to keep on top of these developments, and ensure their managers and supervisors have been trained so they know their limitations in attracting, managing and disciplining employees.