Download a PDF of this piece

Epstein Becker Green Labor and EmploymentOn May 19, 2015, Governor Dannel P. Malloy of Connecticut signed Public Act No. 15-6, entitled “An Act Concerning Employee Online Privacy” (“Act”), which will prohibit employers in Connecticut from requiring access to their employees’ or job applicants’ personal online accounts. The Act, which will become effective on October 1, 2015, applies to essentially all employers in Connecticut (with limited exceptions for law enforcement agencies).

The Act states that an employer must not:

  1. request or require that an employee or applicant provide a username and password, password, or any other authentication means for accessing a “personal online account” (see definition below);
  2. request or require that an employee or applicant authenticate or access a personal online account in the presence of such employer;
  3. require that an employee or applicant invite the employer, or accept an invitation from the employer, to join a group affiliated with any personal online account of the employee or applicant;
  4. discharge, discipline, discriminate against, retaliate against, or otherwise penalize any employee who (i) refuses to provide such employer with a username and password, password, or any other authentication means for accessing his or her personal online account; (ii) refuses to authenticate or access a personal online account in the presence of the employer; (iii) refuses to invite the employer or accept an invitation from the employer to join a group affiliated with any personal online account of the employee; or (iv) files any complaint, whether verbal or in writing, with a public or private body or court concerning the employer’s violation of any of the prohibitions set forth above; or
  5. fail or refuse to hire any applicant as a result of his or her refusal to (i) provide such employer with a username and password, password, or any other authentication means for accessing a personal online account; (ii) authenticate or access a personal online account in the presence of such employer; or (iii) invite such employer or accept an invitation from the employer to join a group affiliated with any personal online account of the applicant.

An employer may request or require that an employee or applicant provide a username and password for accessing (i) any account provided by the employer or by virtue of the employee’s employment relationship or that the employee uses for the employer’s business purposes, or (ii) any electronic communications device supplied or paid for, in whole or in part, by the employer.

Definition of “Personal Online Account”

The Act defines a “personal online account” as “any online account that is used by an employee or applicant exclusively for personal purposes and unrelated to any business purpose of such employee’s or applicant’s employer or prospective employer, including but not limited to, e-mail, social media and retail-based Internet web sites.”

Exceptions

The Act contains an exception that allows an employer to require an employee or applicant to give the employer access to his or her personal online account (but not to require the employee or applicant to disclose his or her username and password). Specifically, the Act permits employer access when conducting an investigation:

  1. for the purposes of ensuring compliance with (i) applicable state or federal laws, (ii) regulatory requirements, or (iii) prohibitions against work-related employee misconduct based upon the receipt of specific information about activity on an employee or applicant’s personal online account; or
  2. based on the receipt of specific information about an employee's or applicant's unauthorized transfer of such employer’s proprietary information, confidential information, or financial data to or from a personal online account operated by the employee, applicant, or other source.

Further, the Act does not prohibit an employer from monitoring, reviewing, accessing, or blocking electronic data stored on an electronic communications device paid for, in whole or in part, by the employer, or traveling through or stored on the employer’s network, in compliance with state and federal law. Finally, the Act does not prevent an employer from complying with the requirements of state or federal statutes, rules or regulations, or case law, or other self-regulatory organizations.

Enforcement

An employee or applicant alleging a violation of the Act may file a complaint with the state Labor Commissioner. The Commissioner will investigate the complaint and may hold a hearing. After the hearing, the Commissioner will send a written copy of his or her decision to each party. Any employee or applicant who prevails in such hearing may be awarded reasonable attorneys’ fees and costs.

Penalties

If the Commissioner finds that an employee has been aggrieved by an employer’s violation of the Act, he or she may levy a penalty against the employer of up to $500 for the first violation and $1,000 for each subsequent violation and award the employee relief, including rehiring or reinstatement, back wages, and other remedies. If the Commissioner finds that an applicant has been aggrieved, the Commissioner may levy a penalty against the employer of up to $25 for the first violation and $500 for each subsequent violation.

What Employers Should Do Now

In light of the Act, employers with employees in Connecticut should:

  • consider what policies and practices they have that may violate the Act,
  • advise employees as to the consequences of creating or having accounts that are used for both personal and business reasons (and are therefore outside the protection of the Act),
  • implement or review social media policies to ensure that the employees know what business-related information may or may not be posted on unmonitored accounts,
  • revise interview and hiring practices relating to requesting access to personal online accounts, and
  • train recruiters and human resources professionals about the Act.

****

For more information about this Advisory, please contact:

Peter M. Stein
Stamford
203-326-7420
PStein@ebglaw.com		 Carol J. Faherty
Stamford
203-326-7408
CFaherty@ebglaw.com
Jump to Page

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.