Bill Text: NY S00943 | 2021-2022 | General Assembly | Introduced
Bill Title: Relates to the "uniform employee and student online privacy protection act"; relates to the protection of employee and student online accounts.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced - Dead) 2022-01-05 - REFERRED TO LABOR
STATE OF NEW YORK

943

2021-2022 Regular Sessions

IN SENATE

(Prefiled)

January 6, 2021

Introduced by Sen. KRUEGER -- read twice and ordered printed, and when printed to be committed to the Committee on Labor

AN ACT to amend the labor law, in relation to the "uniform employee and student online privacy protection act"

The People of the State of New York, represented in Senate and Assembly, do enact as follows:

Section 1. This act shall be known and may be cited as the "uniform employee and student online privacy protection act".

§ 2. The labor law is amended by adding a new article 34 to read as follows:

ARTICLE 34
UNIFORM EMPLOYEE AND STUDENT ONLINE PRIVACY PROTECTION ACT

Section 965. Definitions.
966. Protection of employee online accounts.
967. Protection of student online accounts.
968. Civil action.
969. Uniformity of application and construction.
970. Relation to electronic signatures in global and national commerce act.

§ 965. Definitions. As used in this article:

1. "content" means information, other than login information, that is contained in a protected personal online account, accessible to the account holder, and not publicly available.

2. "educational institution" means a person that provides students at the postsecondary level an organized program of study or training which is academic, technical, trade-oriented, or preparatory for gaining employment and for which the person gives academic credit. The term includes both a public or private institution and also applies to any agent or designee of the educational institution.

3. "electronic" means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.

4. "employee" means an individual who provides services or labor to an employer in exchange for salary, wages, or the equivalent or, for an unpaid intern, academic credit or occupational experience including independent contractors. The term includes a prospective employee who:
(a) has expressed to the employer an interest in being an employee; or
(b) has applied to or is applying for employment by, or is being recruited for employment by, the employer.

5. "employer" means a person that provides salary, wages, or the equivalent to an employee in exchange for services or labor or engages the services or labor of an unpaid intern. The term includes an agent or designee of the employer.

6. "login information" means a user name and password, password, or other means or credentials of authentication required to access or control of a protected personal online account or an electronic device, which the employee's employer or the student's educational institution has not supplied or paid for in full, that itself provides access to or control over the account.

7. "login requirement" means a requirement that login information be provided before an online account or electronic device can be accessed or controlled.

8. "online" means accessible by means of a computer network or the internet.

9. "person" means an individual, estate, business or nonprofit entity, public corporation, government or governmental subdivision, agency, or instrumentality, or other legal entity.

10. "protected personal online account" means an employee's or student's online account that is protected by a login requirement. The term does not include an online account or the part of an online account that is publicly available. The term also does not include an online account or the part of an online account that the employer or educational institution has notified the employee or student might be subject to a request for login information or content, and which:
(a) the employer or educational institution supplies or pays for in full; or
(b) the employee or student creates, maintains, or uses primarily on behalf of or under the direction of the employer or educational institution in connection with the employee's employment or the student's education.

11. "record" means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form.

12. "student" means an individual who participates in an educational institution's organized program of study or training. The term includes:
(a) a prospective student who expresses to the institution an interest in being admitted to, applies for admission to, or is being recruited for admission by, the educational institution; and
(b) a parent or legal guardian of a student under the age of eighteen.

§ 966. Protection of employee online accounts.

1. Subject to the exceptions in subdivision two of this section, an employer may not:
(a) require, coerce, or request an employee to:
(i) disclose the login information for a protected personal online account;
(ii) disclose the content of the account, except that an employer may request an employee to add the employer to, or not remove the employer from, the set of persons to which the employee grants access to the content;
(iii) alter the settings of the online account in a manner that makes the login information for, or content of, the account more accessible to others; or
(iv) access the account in the presence of the employer in a manner that enables the employer to observe the login information for or content of the account; or
(b) take, or threaten to take, adverse action against an employee for failure to comply with:
(i) an employer requirement, coercive action, or request that violates paragraph (a) of this subdivision; or
(ii) an employer request under subparagraph (ii) of paragraph (a) of this subdivision to add the employer to, or not remove the employer from, the set of persons to which the employee grants access to the content of a protected personal online account.

2. Nothing in subdivision one shall prevent an employer from:
(a) accessing information about an employee which is publicly available;
(b) complying with a federal or state law, court order, or rule of a self-regulatory organization established by federal or state statute, including a self-regulatory organization defined in section 3(a)(26) of the securities and exchange act of 1934, 15 U.S.C. § 78c(a)(26); or
(c) requiring or requesting, based on specific facts about the employee's protected personal online account, access to the content of, but not the login information for, the account in order to:
(i) ensure compliance, or investigate non-compliance, with federal or state law or an employer prohibition against work-related employee misconduct of which the employee has reasonable notice, which is in a record, and which was not created primarily to gain access to a protected personal online account; or
(ii) protect against a threat to safety, a threat to employer information technology or communications technology systems or to employer property, or disclosure of information in which the employer has a proprietary interest or information the employer has a legal obligation to keep confidential.

3. An employer that accesses employee content for a purpose specified in paragraph (c) of subdivision two of this section:
(a) shall attempt reasonably to limit its access to content that is relevant to the specified purpose;
(b) shall use the content only for the specified purpose; and
(c) may not alter the content unless necessary to achieve the specified purpose.

4. An employer that acquires the login information for an employee's protected personal online account by means of otherwise lawful technology that monitors the employer's network, or employer-provided devices, for a network security, data confidentiality, or system maintenance purpose:
(a) may not use the login information to access or enable another person to access the account;
(b) shall make a reasonable effort to keep the login information secure;
(c) unless otherwise provided in paragraph (d) of this subdivision, shall dispose of the login information as soon as, as securely as, and to the extent reasonably practicable; and
(d) shall, if the employer retains the login information for use in an ongoing investigation of an actual or suspected breach of computer, network, or data security, make a reasonable effort to keep the login information secure and dispose of it as soon as, as securely as, and to the extent reasonably practicable after completing the investigation.

§ 967. Protection of student online accounts.

1. Subject to the exceptions in subdivision two of this section, an educational institution may not:
(a) require, coerce, or request a student to:
(i) disclose the login information for a protected personal online account;
(ii) disclose the content of the account, except that an educational institution may request a student to add the educational institution to, or not remove the educational institution from, the set of persons to which the student grants access to the content;
(iii) alter the settings of the account in a manner that makes the login information for or content of the account more accessible to others; or
(iv) access the account in the presence of the educational institution in a manner that enables the educational institution to observe the login information for or content of the account; or
(b) take, or threaten to take, adverse action against a student for failure to comply with:
(i) an educational institution requirement, coercive action, or request, that violates paragraph (a) of this subdivision; or
(ii) an educational institution request under subparagraph (ii) of paragraph (a) of this subdivision to add the educational institution to, or not remove the educational institution from, the set of persons to which the student grants access to the content of a protected personal online account.

2. nothing in subdivision one of this section shall prevent an educational institution from:
(a) accessing information about a student that is publicly available;
(b) complying with a federal or state law, court order, or rule of a self-regulatory organization established by federal or state statute; or
(c) requiring or requesting, based on specific facts about the student's protected personal online account, access to the content of, but not the login information for, the account in order to:
(i) ensure compliance, or investigate non-compliance, with federal or state law or an educational institution prohibition against education-related student misconduct of which the student has reasonable notice, which is in a record, and which was not created primarily to gain access to a protected personal online account; or
(ii) protect against a threat to safety, a threat to educational institution information technology or communications technology systems or to educational institution property, or disclosure of information in which the educational institution has a proprietary interest or information the educational institution has a legal obligation to keep confidential.

3. An educational institution that accesses student content for a purpose specified in paragraph (c) of subdivision two of this section:
(a) shall attempt reasonably to limit its access to content that is relevant to the specified purpose;
(b) shall use the content only for the specified purpose; and
(c) may not alter the content unless necessary to achieve the specified purpose.

4. An educational institution that acquires the login information for a student's protected personal online account by means of otherwise lawful technology that monitors the educational institution's network, or educational institution-provided devices, for a network security, data confidentiality, or system maintenance purpose:
(a) may not use the login information to access or enable another person to access the account;
(b) shall make a reasonable effort to keep the login information secure;
(c) unless otherwise provided in paragraph (d) of this subdivision, shall dispose of the login information as soon as, as securely as, and to the extent reasonably practicable; and
(d) shall, if the educational institution retains the login information for use in an ongoing investigation of an actual or suspected breach of computer, network, or data security, make a reasonable effort to keep the login information secure and dispose of it as soon as, as securely as, and to the extent reasonably practicable after completing the investigation.

§ 968. Civil action.

1. The attorney general may bring a civil action against an employer or educational institution for a violation of this article. A prevailing attorney general may obtain:
(a) injunctive and other equitable relief; and
(b) a civil penalty of up to one thousand dollars for each violation, but not exceeding one hundred thousand dollars for all violations caused by the same event.

2. An employee or student may bring a civil action against the individual's employer or educational institution for a violation of this article. A prevailing employee or student may obtain:
(a) injunctive and other equitable relief;
(b) actual damages; and
(c) costs and reasonable attorney's fees.

3. An action under subdivision one of this section does not preclude an action under subdivision two of this section, and an action under subdivision two of this section does not preclude an action under subdivision one of this section.

4. This section does not affect a right or remedy available under law other than this article.

§ 969. Uniformity of application and construction. In applying and construing the sections of this article, consideration must be given to the need to promote uniformity of the law with respect to its subject matter among states that enact it.

§ 970. Relation to electronic signatures in global and national commerce act. This article modifies, limits, or supersedes the electronic signatures in global and national commerce act, 15 U.S.C. section 7001 et seq., but does not modify, limit, or supersede section 101(c) of that act, 15 U.S.C. section 7001(c), or authorize electronic delivery of any of the notices described in section 103(b) of that act, 15 U.S.C. section 7003(b).

§ 3. Effect of invalidity; severability. If any section, subdivision, paragraph, sentence, clause, phrase or other portion of this act is, for any reason, declared unconstitutional or invalid, in whole or in part, by any court of competent jurisdiction, such portion shall be deemed severable, and such unconstitutionality or invalidity shall not affect the validity of the remaining portions of this act, which remaining portions shall continue in full force and effect.

§ 4. This act shall take effect immediately.

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted.
LBD04971-01-1