On May 19, Governor Dannel P. Malloy signed into law Public Act No. 15-6, titled "An Act Concerning Employee Online Privacy" (the act). The act applies to both employees and job applicants and prohibits employers from: (1) requiring or requesting employees or applicants to provide the employer with a user name, password, or other means to access the employee's or applicant's personal online account (such as e-mail, social media and retail-based Internet websites); (2) requiring or requesting employees or applicants to authenticate or access a personal online account in the presence of the employer's representative; or (3) requiring employees or applicants to invite, or accept an invitation from, the employer to join a group affiliated with any personal online account. The act is effective October 1.
Prohibition on Adverse Action
In addition to banning employers from seeking access to employees' personal online accounts, the act also prohibits employers from (1) discharging, disciplining, discriminating against or otherwise retaliating against an employee who refuses to provide access to a personal online account (subject to certain exceptions discussed below); (2) discharging, disciplining, discriminating against or otherwise retaliating against an employee who files a complaint with a public or private body or court about the employer's request for access or retaliation for refusing such access; or (3) refusing to hire an applicant because the applicant would not provide access to his or her personal online account.
Employer-Related Online Accounts and Company Devices
Online accounts that are not exclusively personal in nature do not fall within the act. Thus, the act permits employers to request or require an employee or applicant to provide access to any account or service that is provided by the employer, or that the employee has access to by virtue of the employee's work relationship with the employer or uses for business purposes. The act also permits employers to request access to any employee's electronic communications device supplied or paid for, in whole or in part, by the employer. The term "electronic communication device" is broadly defined and includes any computer, computer network or cellular telephone.
The act does not transform personal online accounts into complete zones of privacy. Under certain circumstances, employers are permitted to conduct investigations into personal online accounts, with certain limitations.
Employers can conduct an investigation involving an employee's personal online account:
Even under these exceptions, however, an employer cannot require unfettered access to an employee's personal online account. The employer may require the employee to privately access an online personal account and provide the content to the employer, but cannot require disclosure of the user name, password or other means of accessing the personal online account.
If the investigation reveals misconduct, the employer is not without remedy under the act. The act states it is not intended to prevent an employer from complying with the requirements of state or federal statutes, rules or regulations, case law, or rules of self-regulatory organizations (including the Securities and Exchange Commission). The act specifically permits an employer to appropriately discipline (which may include termination) an employee or applicant who misappropriates the employer's proprietary information, confidential information, or financial data to or from the employee's or applicant's personal online account.
Enforcement and Remedies
Employees and applicants who believe their employer or potential employer has violated the act may file a complaint with the Connecticut Department of Labor (the CTDOL). The CTDOL must then hold a hearing to investigate the employee's or applicant's complaint and must issue a written decision. If the employer is found to be in violation of the act in that it either requested access to an employee's personal online account or retaliated against an employee for failing to provide access, the CTDOL may grant the employee a wide range of remedies including reinstatement, back pay and any other relief it deems appropriate. The CTDOL may also levy civil penalties of $500 for the first violation and $1,000 for each subsequent violation.
In the case of an applicant, the remedies available are lesser and include civil penalties of up to $25 for first-time violations and $500 for subsequent violations. An employee or applicant who prevails in the hearing is also entitled to reasonable attorneys' fees and costs. Although the act does not permit an employee or applicant to file a lawsuit in court, any party aggrieved by the CTDOL's decision may appeal the decision to the Connecticut Superior Court.
Permissible Employer Policies
Under the act employers may still monitor, review, access or block electronic data (1) stored on an electronic communications device paid for in whole or in part by the employer, or (2) traveling through or stored on an employer's network.
Day Pitney Alert
Day Pitney Alert
Day Pitney Alert
Heather Weine Brochin and Gregory Tabakman authored an article entitled "Third Circuit Advises that Employer Must Pay Employees for Short Rest Breaks," which was published by the New Jersey Law Journal.
Day Pitney partner Francine Esposito will speak at the upcoming webinar "Workplace Leave Laws: Strategies to Navigate the Changing Landscape in the U.S." Taking place on Sept. 14 at 2 p.m., the webinar is the first in a series of webinars hosted by the Employment Law Alliance (ELA) on workplace leave laws around the globe.
Day Pitney associate Arianna Mouré was featured in an article, "Practicing Law and Contributing to the Greater Good," published in the Fall/Winter 2018 edition of the Rutgers University School of Arts and Sciences Access Newsletter.
John McLafferty was quoted in an article, "Employment Lawyers Leery of Bill Banning NDAs, Arbitration," published by Massachusetts Lawyers Weekly.
Heather Weine Brochin was quoted in an article, "Confidentiality Disqualifies Harassment Settlement Tax Deductions," published on the Society for Human Resource Management (SHRM) website.
John McLafferty was quoted in an article, "How Employers' Haunted House and Fright Night Went Way Wrong," published on the Society for Human Resource Management (SHRM) website.