S.2434-D (Klein) / A.443-D (Dinowitz)

STAFF CONTACT :

Director of Government Affairs
518.465.7511

BILL

S.2434-D (Klein) / A.443-D (Dinowitz)

SUBJECT

Disclosure of Employee Personal Account Credentials

DATE

Oppose

The Business Council and our members take employee privacy seriously and generally do not ask current or prospective employees for user names and passwords for personal social media or other personal electronic communications accounts. It is unfortunate if some employers routinely request that job applicants relinquish log-in credentials for personal social networking or other personal online accounts, or inappropriately engage in practices that might harm their current employees' privacy.

At the same time, none of these concerns apply to an employee's use of work accounts or work equipment provided by an employer. It is critical that employers be able to access these accounts as employers can be held legally responsible for employee actions using these accounts and devices, and because they are the employer's property.

Furthermore, it is essential that employers be able to investigate specific allegations of illegal activity or work-related misconduct by employees, including those involving an employee personal account. For example, if an employee is harassing another employee from a personal account, responsible employers need to be able to investigate the allegation for the good of their office. Also, when employees download confidential information – for example, business plans or sensitive personal information that could be used for identity theft – from work computers to a personal account, the employer needs to be able to investigate.

Unfortunately, this legislation could inadvertently hinder legitimate and appropriate investigations of employee theft, fraud, harassment or other serious crimes. Furthermore, collegial or customer harassment and abuse has real and dramatic impacts, and must be investigated and addressed to avoid harm to vulnerable employees and customers, and those efforts could be thwarted by these bills. These very well intentioned bills could be used as a pretext by employees to hide illegal conduct.

From a legal perspective, federal law already protects employees' privacy in this regard. The Stored Communications Privacy Act likely applies to this (very limited) employer practice, which prohibits unauthorized access to an electronic communication service. The US Department of Justice and Equal Employment Opportunity Commission are expected to issue determinations that requests for login information as a condition of employment violates federal law. As such, this bill is unnecessary.

The bill's definition of electronic communications device is way too broad. It would appear to cover company-issued telephones, PDAs and similar devices. The proposed language exempting access to "internal computer or information systems" is insufficient to cover these employer provided devices. Employees have no reasonable expectation of privacy in this regard.

Finally, to the extent employers might ever be prohibited from requesting job applicants' or employees' log-in credentials, employers should be exempt from any claim for negligent hiring for failing to make that prohibited request.
  
Recent media stories have heightened awareness of this issue and have generated proposed legislation in a number of states and at the national level. However, despite the media attention, we have seen no evidence that requesting usernames and passwords is a widespread, common, or any way typical practice by New York employers. Unfortunately, employee theft, fraud, and collegial/customer harassment and abuse are not uncommon, and to protect consumers and our co-workers, employers need to effectively respond to these issues.

As this bill would hamper those efforts, The Business Council respectfully opposes approval of this bill.