Section 487G-4 - Protection of student online account(a) Subject to the exceptions in subsection (b), an educational institution shall not: (1) Require, coerce, or request a student to: (A) Disclose the login information for a protected personal online account;(B) Disclose the content of the account, except that, without coercion and pursuant to a clear statement that acceptance is voluntary and not required, an educational institution may request a student to add the educational institution to, or to not remove the educational institution from, the set of persons to which the student grants access to the content;(C) Alter the settings of the account in a manner that makes the login information for or content of the account more accessible to others;(D) Access the account in the presence of the educational institution in a manner that enables the educational institution to observe the login information for or content of the account; or(E) Turn over to the educational institution an unlocked personal technological device for purposes of gaining access to a personal online account; or(2) Take, or threaten to take, adverse action against a student for failure to comply with an educational institution's:(A) Requirement, coercive action, or request that violates paragraph (1); or(B) Request under paragraph (1)(B) to add the educational institution to, or to not remove the educational institution from, the set of persons to which the student grants access to the content of a protected personal online account.(b) Nothing in subsection (a) shall prevent an educational institution from: (1) Accessing information about a student that is publicly available;(2) Complying with a federal or state law, court order, or rule of a self-regulatory organization established by federal or state statute; or(3) Without requesting or requiring a student to provide login information for or other means of authentication that provides access to the student's protected personal online account, requesting or requiring a student to share specifically identified content for the purpose of: (A) Enabling an educational institution to comply with its own legal and regulatory obligations;(B) Investigating an allegation, based on specific facts regarding specifically identified content, of:(i) Noncompliance with an educational institution's prohibitions against education-related student misconduct of which the student has reasonable notice, is in a record, and was not created primarily to gain access to a protected personal online account; or(ii) The disclosure of any interest or information the educational institution has a legal obligation to keep confidential; and(C) Investigating threats to safety, including: (i) Unlawful harassment or threats of violence at the educational institution;(ii) Threats to the educational institution's information technology or communications technology systems; or(iii) Threats to the educational institution's property.(c) An educational institution with whom content is shared by a student for a purpose specified in subsection (b)(3) shall:(1) Not access or view unshared content;(2) Use the shared content only for the specified purpose; and(3) Not alter the shared content.(d) An educational institution that acquires the login information for a student's protected personal online account by means of otherwise lawful technology that monitors the educational institution's network, or educational institution-provided devices, for a network security, data confidentiality, or system maintenance purpose:(1) Shall not be held liable for violation of this chapter on the sole basis of having the login information;(2) Shall not use the login information to access or enable another person to access the account;(3) Shall make reasonable effort to keep the login information secure;(4) Shall not share the login information with any other person; and(5) Shall dispose of the login information as soon as, as securely as, and to the extent reasonably practicable; provided that if the educational institution is retaining the login information for use in: (A) An ongoing investigation of an actual or suspected breach of computer, network, or data security; or(B) A specific criminal complaint or civil action, or the investigation thereof, the educational institution shall make a reasonable effort to keep the login information secure and dispose of it as soon as, as securely as, and to the extent reasonably practicable after completion of the investigation, complaint, or action.Added by L 2021, c 39,§ 2, eff. 6/7/2021.