Written By Thomas Ahearn
Tennessee Governor Bill Haslam has signed a password protection law – the “Employee Online Privacy Act of 2014” (S.B. 1808) – which will prevent employers in the state with one or more employees from requiring employees and job applicants to disclose usernames and passwords for their personal internet accounts except under certain circumstances. The full text of this new law, which takes effect January 1, 2015, is available at http://www.capitol.tn.gov/Bills/108/Bill/SB1808.pdf.
The Employee Online Privacy Act of 2014 amends Tennessee Code Annotated (TCA) Title 5; Title 6; Title 7; Title 8; Title 18; Title 49 and Title 50. Under the Act, an employer shall not:
- Request or require an employee or an applicant to disclose a password that allows access to the employee’s or applicant’s personal Internet account;
- Compel an employee or an applicant to add the employer or an employment agency to the employee’s or applicant’s list of contacts associated with a personal Internet account;
- Compel an employee or an applicant to access a personal Internet account in the presence of the employer in a manner that enables the employer to observe the contents of the employee’s or applicant’s personal Internet account; or
- Take adverse action, fail to hire, or otherwise penalize an employee or applicant because of a failure to disclose information or take an action specified in the above three sections.
However, under Employee Online Privacy Act of 2014, an employer is not prohibited from the following under certain circumstances or unless otherwise provided by law:
- Requesting or requiring an employee to disclose a username or password required only to gain access to: (A) An electronic communications device supplied by or paid for wholly or in part by the employer; or (B) An account or service provided by the employer that is obtained by virtue of the employee’s employment relationship with the employer, or used for the employer’s business purposes;
- Disciplining or discharging an employee for transferring the employer’s proprietary or confidential information or financial data to an employee’s personal Internet account without the employer’s authorization;
- Conducting an investigation or requiring an employee to cooperate in an investigation if: (A) There is specific information on the employee’s personal Internet account regarding compliance with applicable laws, regulatory requirements, or prohibitions against work-related employee misconduct; or (B) The employer has specific information about an unauthorized transfer of the employer’s proprietary information, confidential information, or financial data to an employee’s personal Internet account;
- Restricting or prohibiting an employee’s access to certain web sites while using an electronic communications device supplied by or paid for wholly or in part by the employer or while using an employer’s network or resources, in accordance with state and federal law;
- Monitoring, reviewing, accessing, or blocking electronic data stored on an electronic communications device supplied by or paid for wholly or in part by the employer, or stored on an employer’s network, in accordance with state and federal law;
- Complying with a duty to screen employees or applicants before hiring or to monitor or retain employee communications under certain circumstances; or
- Viewing, accessing, or using information about an employee or applicant that can be obtained without violating certain parts of the Act or information that is available in the public domain.
Violations of Tennessee’s Employee Online Privacy Act of 2014 could lead to court awards of not more than one thousand dollars ($1,000) in damages for the individual for each violation found against plus reasonable attorney fees and court costs.
Tennessee joins the growing list of states limiting employer access to personal online content of employees and applicants. In addition to Tennessee, 12 other states – Arkansas, Colorado, Illinois, Louisiana, Maine, Nevada, New Jersey, New Mexico, Oregon, Utah, Washington, and Wisconsin –have already passed similar online privacy protection legislation.
The National Conference of State Legislatures (NCSL) website includes an up to date list of legislation regarding employer access to social media usernames and passwords at http://www.ncsl.org/research/telecommunications-and-information-technology/employer-access-to-social-media-passwords-2013.
ESR NEWS BLOGS ABOUT PRIVACY
For more ESR News blogs about password and user name privacy, visit http://www.esrcheck.com/wordpress/tag/privacy/.