Connecticut Limits Employer Access to Employees' Personal Online Accounts
On May 19, 2015, Governor Dannel P. Malloy of Connecticut signed Public Act No. 15-6, entitled “An Act Concerning Employee Online Privacy” (“Act”), which will prohibit employers in Connecticut from requiring access to their employees’ or job applicants’ personal online accounts. The Act, which will become effective on October 1, 2015, applies to essentially all employers in Connecticut (with limited exceptions for law enforcement agencies).
The Act states that an employer must not:
request or require that an employee or applicant provide a username and password, password, or any other authentication means for accessing a “personal online account” (see definition below);
request or require that an employee or applicant authenticate or access a personal online account in the presence of such employer;
require that an employee or applicant invite the employer, or accept an invitation from the employer, to join a group affiliated with any personal online account of the employee or applicant;
discharge, discipline, discriminate against, retaliate against, or otherwise penalize any employee who (i) refuses to provide such employer with a username and password, password, or any other authentication means for accessing his or her personal online account; (ii) refuses to authenticate or access a personal online account in the presence of the employer; (iii) refuses to invite the employer or accept an invitation from the employer to join a group affiliated with any personal online account of the employee; or (iv) files any complaint, whether verbal or in writing, with a public or private body or court concerning the employer’s violation of any of the prohibitions set forth above; or
fail or refuse to hire any applicant as a result of his or her refusal to (i) provide such employer with a username and password, password, or any other authentication means for accessing a personal online account; (ii) authenticate or access a personal online account in the presence of such employer; or (iii) invite such employer or accept an invitation from the employer to join a group affiliated with any personal online account of the applicant.
An employer may request or require that an employee or applicant provide a username and password for accessing (i) any account provided by the employer or by virtue of the employee’s employment relationship or that the employee uses for the employer’s business purposes, or (ii) any electronic communications device supplied or paid for, in whole or in part, by the employer.
Definition of “Personal Online Account”
The Act defines a “personal online account” as “any online account that is used by an employee or applicant exclusively for personal purposes and unrelated to any business purpose of such employee’s or applicant’s employer or prospective employer, including but not limited to, e-mail, social media and retail-based Internet web sites.”
The Act contains an exception that allows an employer to require an employee or applicant to give the employer access to his or her personal online account (but not to require the employee or applicant to disclose his or her username and password). Specifically, the Act permits employer access when conducting an investigation:
for the purposes of ensuring compliance with (i) applicable state or federal laws, (ii) regulatory requirements, or (iii) prohibitions against work-related employee misconduct based upon the receipt of specific information about activity on an employee or applicant’s personal online account; or
based on the receipt of specific information about an employee's or applicant’s unauthorized transfer of such employer’s proprietary information, confidential information, or financial data to or from a personal online account operated by the employee, applicant, or other source.
Further, the Act does not prohibit an employer from monitoring, reviewing, accessing, or blocking electronic data stored on an electronic communications device paid for, in whole or in part, by the employer, or traveling through or stored on the employer’s network, in compliance with state and federal law. Finally, the Act does not prevent an employer from complying with the requirements of state or federal statutes, rules or regulations, or case law, or other self-regulatory organizations.
An employee or applicant alleging a violation of the Act may file a complaint with the state Labor Commissioner. The Commissioner will investigate the complaint and may hold a hearing. After the hearing, the Commissioner will send a written copy of his or her decision to each party. Any employee or applicant who prevails in such hearing may be awarded reasonable attorneys’ fees and costs.
If the Commissioner finds that an employee has been aggrieved by an employer’s violation of the Act, he or she may levy a penalty against the employer of up to $500 for the first violation and $1,000 for each subsequent violation and award the employee relief, including rehiring or reinstatement, back wages, and other remedies. If the Commissioner finds that an applicant has been aggrieved, the Commissioner may levy a penalty against the employer of up to $25 for the first violation and $500 for each subsequent violation.
What Employers Should Do Now
In light of the Act, employers with employees in Connecticut should:
consider what policies and practices they have that may violate the Act,
advise employees as to the consequences of creating or having accounts that are used for both personal and business reasons (and are therefore outside the protection of the Act),
implement or review social media policies to ensure that the employees know what business-related information may or may not be posted on unmonitored accounts,
revise interview and hiring practices relating to requesting access to personal online accounts, and
train recruiters and human resources professionals about the Act.