Utah recently passed the Internet Employment Privacy Act (IEPA), a law designed to provide protections for personal Internet accounts. Under the IEPA, which becomes effective May 14, 2013, employers may not:
- Request that employees or applicants disclose usernames and passwords, or passwords that allow access to the employees’ or applicants’ personal Internet accounts; or
- Take adverse action, fail to hire, or otherwise penalize employees or applicants for failing to disclose such usernames and passwords.
Under the law, “adverse action” includes discharging, threatening, or otherwise discriminating against an employee in any manner that affects the employee’s employment (including compensation, terms, conditions, location, rights, immunities, promotions, or privileges).
A “personal Internet account” is an online account that is used by an employee or applicant exclusively for personal communications unrelated to any business purpose of the employer. It does not include an account created, maintained, used, or accessed by an employee or applicant for business-related communications or for a business purpose of the employer.
Exceptions. The IEPA also makes clear, however, that employers are not prohibited from:
- Requesting or requiring employees to disclose usernames or passwords required only to gain access to: (1) an electronic communications device supplied by or paid for in whole or in part by the employer; or (2) an account or service provided by the employer, obtained by virtue of the employee's employment relationship with the employer, and used for the employer’s business purposes;
- Disciplining or discharging an employee for transferring the employer’s proprietary or confidential information or financial data to an employee’s personal Internet account without the employer’s authorization;
- Conducting an investigation or requiring employees to cooperate in an investigation if : (1) there is specific information about activity on an employee’s personal Internet account, for the purpose of ensuring compliance with applicable laws, regulatory requirements, or prohibitions against work-related employee misconduct; or (2) the employer has specific information about an unauthorized transfer of the employer’s proprietary information, confidential information, or financial data to an employee’s personal Internet account;
- Restricting or prohibiting employees’ access to certain websites while using
electronic communications devices supplied by, or paid for in whole or in part by, the employer or while using an employer’s network or resources, in accordance with state and federal law; or
- Monitoring, reviewing, accessing, or blocking electronic data stored on electronic communications devices supplied by, or paid for in whole or in part by, the employer, or stored on an employer’s network, in accordance with state and federal law.
The law also makes clear that it does not prohibit or restrict employers from complying with a duty to screen employees or applicants before hiring or to monitor or retain employee communications that is established under federal law, by a self-regulatory organization under the Securities Exchange Act of 1934, or in the course of a law enforcement employment application or law enforcement officer conduct investigation performed by a law enforcement agency.
Employers are also not prohibited or restricted from viewing, accessing, or using information about an employee or applicant that can be obtained without the username or password information described above or that is available in the public domain.
No duties created. According to the IEPA, it does not create a duty for employers to search or monitor the activity of personal Internet accounts. Additionally, employers are not liable under the law for failing to request or require that employees or applicants grant access to, allow observation of, or disclose information that allows access to or observation of, their personal Internet accounts.
Liability. An individual whose rights under the IEPA have been violated may bring a civil cause of action against his or her employer. If a court finds a violation of the law, it will award such an individual no more than $500.
Editor's note: This article was originally posted on 4/15/13.
Jessica Webb-Ayer, J.D., is an attorney editor for BLR’s human resources and employment law publications. She has written and edited countless publications on labor and employment law and is the editor of the Benefits Compliance Advisor online newsletter and the benefits manual, Benefits Compliance: Strategies for Plans, Programs & Policies. Ms. Webb-Ayer has also worked on various Americans with Disabilities Act (ADA) and workers’ compensation/safety products. She graduated summa cum laude with a B.A. in Psychology from Lipscomb University in Nashville, Tennessee, and graduated cum laude with a law degree from the University of Tennessee College of Law in Knoxville, Tennessee. Ms. Webb-Ayer is licensed to practice law in Tennessee.
Follow Jessica Webb-Ayer on Google+