Monday, June 23, 2014

That's Private? The Employee Online Privacy Act of 2014

Are there any two words that don’t belong in the same sentence more than “online” and “privacy”? Online activity, especially social media posts, is by its nature intended for a broad audience. But that didn’t stop the Tennessee legislature from passing the “Employee Online Privacy Act of 2014,” which was signed into law by Governor Haslam earlier this year.
This new law could have an impact on employers who check an employee’s or applicant’s online activity before making a hiring, promotion, or other employment decision.

The Employee Online Privacy Act prohibits employers, including state and local government entities, from requesting or requiring an employee or an applicant to disclose online activity, like email, Facebook, and Twitter accounts. Specifically, the new law prohibits employers from doing the following:
  1. Requesting or requiring an employee or an applicant to disclose a password that allows an employer to access the employee’s or applicant’s personal internet account;
  2. Compelling an employee or an applicant to add the employer to his or her list of contacts associated with a personal internet account;
  3. Compelling an employee or an applicant to access a personal internet account in the employer’s presence in a way that enables the employer to observe the contents of the employee’s or applicant’s personal internet account; or
  4. Taking an adverse action, failing to hire, or otherwise penalizing an employee or applicant because of a failure to disclose information or take an action specified above.
A "personal Internet account" is an online account used by an employee or applicant exclusively for personal communications unrelated to any business purpose of the employer. It doesn’t include an online account created, maintained, used, or accessed by an employee or applicant for business-related communications or for a business purpose of the employer.
In addition to setting out prohibitions, the Employee Online Privacy Act also identifies actions that employers are not prohibited from taking. Specifically, under the new law, employers are explicitly permitted to:

  1. Request or require an employee to disclose a username or password required to access an electronic communications device that was provided by or paid for (in whole or in part) by the employer, or an account or service that was provided by the employer that was obtained by virtue of the employee’s employment relationship with the employer, or used for the employer’s business purposes;
  2. Discipline or discharge an employee for transferring the employer’s proprietary or confidential information or financial data to an employee’s personal internet account;
  3. Conduct an investigation or require an employee to cooperate in an investigation in certain situations;
  4. Restrict or prohibit an employee’s access to certain websites while using equipment or systems provided by the employer;
  5. Monitor, review, access, or block electronic data stored on equipment or a network provided by the employer;
  6. Comply with a duty to screen employees or applicants before hiring or to monitor or retain employee communications as required by federal or state law, for purposes of employment in law enforcement, or for purposes of an investigation into law enforcement officer conduct performed by a law enforcement agency; or
  7. View, access, or use information about an employee or applicant that is public or is available in the public domain.
The law has teeth. An employee or applicant who alleges that an employer has violated the Act may file a civil action against an employer for injunctive relief and may recover up to $1,000 in damages for each violation against the individual plus reasonable attorney fees and court costs. Additionally, the attorney general may file a civil action against an employer on behalf of an employee or applicant. If the court finds a violation, it must award the state up to $1,000 for each violation found.

The law also specifically states that it does not create a duty for employers to search or monitor the activity of a personal internet account, and states that an employer shall not be liable for a failure to request or require an employee or applicant to allow access to an employee’s or applicant’s personal internet account.
The new law is effective January 1, 2015.
Next year, employers will need to exercise additional caution when reviewing an employee’s or applicant’s online activity when making employment decisions.  It is significant that the law does not prohibit employers from accessing publicly available information.  However, employees and applicants are likely to misinterpret the scope of the law’s restrictions, which could result in additional headaches for employers.
Before the law becomes effective, employers should examine their policies for accessing online information in connection with making employment decisions to ensure that the employer is following best practices that not only comply with the law but also minimize the employer’s exposure to litigation risks.