Section 487G-3 - Protection of employee online account(a) Subject to the exceptions in subsection (b), an employer shall not: (1) Require, coerce, or request an employee to: (A) Disclose the login information for a protected personal online account;(B) Disclose the content of the account, except that, without coercion and pursuant to a clear statement that acceptance is voluntary and not required, an employer may request an employee to add the employer to, or to not remove the employer from, the set of persons to which the employee grants access to the content;(C) Alter the settings of the account in a manner that makes the login information for or content of the account more accessible to others;(D) Access the account in the presence of the employer in a manner that enables the employer to observe the login information for or content of the account; or(E) Turn over to the employer an unlocked personal technological device for purposes of gaining access to a protected personal online account; or(2) Take, or threaten to take, adverse action against an employee for failure to comply with an employer's: (A) Requirement, coercive action, or request that violates paragraph (1); or(B) Request under paragraph (1)(B) to add the employer to, or to not remove the employer from, the set of persons to which the employee grants access to the content of a protected personal online account.(b) Nothing in subsection (a) shall prevent an employer from:(1) Accessing information about an employee that is publicly available;(2) Complying with a federal or state law, court order, or rule of a self-regulatory organization established by federal or state statute, including a self-regulatory organization as defined in section 3(a)(26) of the Securities Exchange Act of 1934, title 15 United States Code section 78c(a)(26);(3) Implementing and enforcing a policy pertaining to the use of an employer-issued electronic communications device or the use of an employee-owned electronic communications device that will be used for business purposes; or(4) Without requesting or requiring an employee to provide login information for or other means of authentication that provides access to the employee's protected personal online account, requesting or requiring an employee to share specifically identified content for the purpose of: (A) Enabling an employer to comply with its own legal and regulatory obligations;(B) Investigating an allegation, based on specific facts regarding specifically identified content, of: (i) Noncompliance with an employer prohibition against work-related employee misconduct of which the employee has reasonable notice, is in a record, and was not created primarily to gain access to a protected personal online account; or(ii) The disclosure of information in which the employer has a proprietary interest or information the employer has a legal obligation to keep confidential; and(C) Investigating threats to safety, including: (i) Unlawful harassment or threats of violence in the workplace;(ii) Threats to employer information technology or communications technology systems; or(iii) Threats to employer property.(c) An employer with whom content is shared by an employee for a purpose specified in subsection (b)(4) shall: (1) Not access or view unshared content;(2) Use the shared content only for the specified purpose; and(3) Not alter the shared content.(d) An employer that acquires the login information for an employee's protected personal online account by means of otherwise lawful technology that monitors the employer's network, or employer-provided devices, for a network security, data confidentiality, or system maintenance purpose:(1) Shall not be held liable for violation of this chapter on the sole basis of having the login information;(2) Shall not use the login information to access or enable another person to access the account;(3) Shall make reasonable effort to keep the login information secure;(4) Shall not share the login information with any other person; and(5) Shall dispose of the login information as soon as, as securely as, and to the extent reasonably practicable; provided that if the employer is retaining the login information for use in:(A) An ongoing investigation of an actual or suspected breach of computer, network, or data security; or(B) A specific criminal complaint or civil action, or the investigation thereof, the employer shall make a reasonable effort to keep the login information secure and dispose of it as soon as, as securely as, and to the extent reasonably practicable after completion of the investigation, complaint, or action.(e) Nothing in subsection (a) shall be construed to diminish the authority or obligation of an employer to investigate complaints, allegations, or the occurrence of prohibited discriminatory practices, including harassment, based on race, sex, or other characteristics protected under part I of chapter 378.Added by L 2021, c 39,§ 2, eff. 6/7/2021.