On May 19, Gov. Dannel P. Malloy signed into law Public Act No. 15-6, titled “An Act Concerning Employee Online Privacy” (the act). The act applies to both employees and job applicants and prohibits employers from requiring or requesting employees or applicants to (1) provide the employer with a user name, password, or other means to access the employee’s or applicant’s personal online account (such as e-mail, social media and retail-based Internet websites); (2) authenticate or access a personal online account in the presence of the employer’s representative; or (3) invite, or accept an invitation from, the employer to join a group affiliated with any personal online account. The act is effective October 1.

Prohibition on Adverse Action

In addition to banning employers from seeking access to employees’ personal online accounts, the act also prohibits employers from discharging, disciplining, discriminating against or otherwise retaliating against an employee who (1) refuses to provide access to a personal online account (subject to certain exceptions discussed below); (2) files a complaint with a public or private body or court about the employer’s request for access or retaliation for refusing such access; or (3) refuses to hire an applicant because the applicant would not provide access to his or her personal online account.

Employer-Related Online Accounts and Company Devices

Online accounts that are not exclusively personal in nature do not fall within the act. Thus, the act permits employers to request or require an employee or applicant to provide access to any account or service that is provided by the employer, or that the employee has access to by virtue of the employee’s work relationship with the employer or uses for business purposes. The act also permits employers to request access to any employee’s electronic communications device supplied or paid for, in whole or in part, by the employer. The term “electronic communication device” is broadly defined and includes any computer, computer network or cellular telephone.

Permissible Investigations

The act does not transform personal online accounts into complete zones of privacy. Under certain circumstances, employers are permitted to conduct investigations into personal online accounts, with certain limitations.

Employers can conduct an investigation involving an employee’s personal online account:

1. based on receiving specific information about activity on an employee’s or applicant’s personal online account to ensure compliance with (a) applicable state or federal laws, (b) regulatory requirements, or (c) prohibitions against work-related employee misconduct; or
2. based on receiving specific information about an employee’s or applicant’s unauthorized transfer of the employer’s proprietary information, confidential information, or financial data to or from a personal online account operated by an employee, applicant, or other source.

Even under these exceptions, however, an employer cannot require unfettered access to an employee’s personal online account. The employer may require the employee to privately access an online personal account and provide the content to the employer, but cannot require disclosure of the user name, password or other means of accessing the personal online account.

If the investigation reveals misconduct, the employer is not without remedy under the act. The act states it is not intended to prevent an employer from complying with the requirements of state or federal statutes, rules or regulations, case law, or rules of self-regulatory organizations (including the Securities and Exchange Commission). The act specifically permits an employer to appropriately discipline (which may include termination) an employee or applicant who misappropriates the employer’s proprietary information, confidential information, or financial data to or from the employee’s or applicant’s personal online account.

Enforcement and Remedies

Employees and applicants who believe their employer or potential employer has violated the act may file a complaint with the Connecticut Department of Labor (the CTDOL). The CTDOL must then hold a hearing to investigate the employee’s or applicant’s complaint and must issue a written decision. If the employer is found to be in violation of the act in that it either requested access to an employee’s personal online account or retaliated against an employee for failing to provide access, the CTDOL may grant the employee a wide range of remedies including reinstatement, back pay and any other relief it deems appropriate. The CTDOL may also levy civil penalties of $500 for the first violation and $1,000 for each subsequent violation.

In the case of an applicant, the remedies available are lesser and include civil penalties of up to $25 for first-time violations and $500 for subsequent violations. An employee or applicant who prevails in the hearing is also entitled to reasonable attorneys’ fees and costs. Although the act does not permit an employee or applicant to file a lawsuit in court, any party aggrieved by the CTDOL’s decision may appeal the decision to the Connecticut Superior Court.

Permissible Employer Policies

Under the act employers may still monitor, review, access or block electronic data (1) stored on an electronic communications device paid for in whole or in part by the employer, or (2) traveling through or stored on an employer’s network.

Awareness and Compliance

As noted above, the act goes into effect on October 1. Employers should promptly begin notifying their legal, human resources and supervisory personnel of the new prohibitions under the act.