By: Peter Bennett, Esq. & Frederick B. Finberg, Esq.
The Bennett Law Firm, P.A.
On May 21, 2015, Connecticut Governor Dannel Malloy signed into law a new statute that will restrict an employer’s ability to access email, social media, and the personal online accounts of applicants or current employees. The new law will take effect on October 1, 2015 and will apply to private employers of any size (and virtually all public sector employers).
With a few exceptions, the Act prohibits an employer from requesting that an applicant or employee provide her username and password or a way of accessing a personal online account. The “personal account” refers to an account that is unrelated to any business purpose of the individual’s employer or prospective employer set up outside of work for personal use. This definition applies to email, social media and “retail-based” or online shopping websites. It does not relate to any account “created, maintained, used or accessed by the employer or applicant for business purposes of an employer or prospective employer.”
The Act prohibits an employer from requesting that an employee access an account in its presence so that the employer can observe the account being accessed, requesting that the employee “invite” an employer into an account, or accept an “invitation” from an employer. Unlike similar laws passed in other states, the law stops short of prohibiting an employer from requiring that an employee change the privacy settings on her personal account in a way that would permit an employer to view the individual’s online content.
Employers cannot discharge, discipline, discriminate against, retaliate against or penalize an employee who refuses an employer’s request made in violation of the restrictions, or who initiates a verbal or written complaint concerning a violation.
Employers who violate the law are subject to an initial civil penalty of up to $500 and $1,000 for every subsequent violation. The state DOL can also award the employee “all appropriate relief including rehiring or reinstatement to his or her previous job, payment of back wages, reestablishment of employee benefits or any other remedies that the commissioner may deem appropriate.”
The new law contains several exceptions that relate mainly to workplace investigations conducted by employers to ensure compliance with state or federal laws, regulatory requirements or work-related employee misconduct. Investigations must be based on the employer’s receipt of “specific information about activity on an employee or applicant’s personal online account.” Employers are allowed to conduct investigations based on receipt of specific information about an individual’s unauthorized transfer of the employer’s proprietary information, confidential information or financial data to or from the individual’s personal online account. In this case, the employer may conduct the investigation by “shoulder surfing” the employee’s account (standing next to her while she accesses her personal account in question) but the employer may not demand the username and password, password alone, or other means of accessing the account.
An additional exception permits an employer to request access to any account or service provided by the employer “or by virtue of the employee’s work relationship with the employer” or that the employee uses for business purposes. It also permits the employer to require access to any electronic communications device that the employer paid for in whole or in part. This includes any electronic device capable of transmitting, accepting or processing data, including a computer, computer network and computer system, and cellular or wireless telephone. In other words, the Act imposes no restriction on an employer’s access to information stored in employer-provided accounts or devices. These provisions allow employers to access an employee’s social media account to investigate evidence of lawbreaking such as cyber-bullying and sexual harassment between coworkers.
Regulation of this type is a growing trend. Although Connecticut employers should incorporate this new law into its training, we recommend that employers in all states review their social media and e-mail policies. As previously reported, other agencies, such as the NLRB, now closely scrutinize such policies. For answers to specific questions or to set up a training session before October 1st, please contact Peter Bennett (email@example.com) or Rick Finberg (firstname.lastname@example.org) of The Bennett Law Firm.
For more information about The Bennett Law Firm, P.A., please visit the International Society of Primerus Law Firms.