- Effective September 30
- Employers barred from demanding personal account information
Effective September 30, 2014, employers in New Hampshire will be prohibited from requiring employees or job applicants to disclose their login information for accessing any “personal account” or service through an electronic communication device.
The new law (H.B. 1407), signed by Governor Maggie Hassan, adds subdivision “Use of Social Media and Electronic Mail” to the New Hampshire Revised Statutes Annotated (RSA).
A “personal account” means an account, service, or profile on a social networking website used by a current or prospective employee primarily for personal communications unrelated to any business purposes of the employer. This does not apply to any account, service, or profile created, maintained, used, or accessed by a current or prospective employee for the business purposes of the employer or to engage in business-related communications.
In addition to prohibiting employers from requiring employees or applicants to disclose information to access private social media accounts, the new law also bars employers from compelling employees or applicants to add anyone, including the employer or its agent, to a list of contacts associated with the account. Moreover, employers cannot require employees or applicants to reduce the privacy settings to allow a third party to view the contents of the account.
An employer taking or threatening to take disciplinary action against any employee in retaliation for his or her refusal to comply with a request or demand that violates the new law is in violation of the law.
What the Law Does Not Prohibit
The new law does not limit an employer’s right to obtain information that is in the public domain, conduct an investigation, or comply with the requirements of state or federal statutes, rules or regulations, case law, or rules of self-regulatory organizations.
An employer may enforce lawful workplace policies (e.g., on Internet and electronic mail use) governing use of the employer’s electronic equipment, monitor use of the employer’s electronic equipment and electronic mail, and request or require an employee to disclose access information to an account or service provided by virtue of his or her employment relationship with the employer or an electronic communication device or online account paid for or supplied by the employer.
An employer that inadvertently receives employee passwords or other access information through monitoring of the employer’s network or employer-provided devices will not be liable for having the information, so long as the information is not used to access the employee’s personal accounts. Moreover, similar to a provision in Louisiana’s law addressing the same issue, technologies such as keylogging or spyware may risk capturing an employee’s username or password, among other things. Employers that are considering using these emerging monitoring technologies should proceed with caution. (For more information on the Louisiana law, see our article, Louisiana Follows Wisconsin and Tennessee in Protecting Employee and Student Personal Online Account Access Information.)
An employer found to have violated the new law may be subject to a civil penalty.
Employers may have legitimate need to access employee or applicant personal social media or other online accounts, as in cases involving theft of trade secrets, disclosures of confidential information, and similar reasons. However, with more than a dozen states already imposing limitations on employer access of personal social media accounts, employers, particularly those operating in multiple states, should be careful in determining what they are permitted to do in each state.