A BILL FOR AN ACT

RELATING TO ONLINE ACCOUNT PRIVACY.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

     SECTION 1.  The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:

"CHAPTER

PERSONAL ONLINE ACCOUNT PRIVACY ACT

     §   -1  Short title.  This chapter may be cited as the Personal Online Account Privacy Act.

     §   -2  Definitions.  As used in this chapter,

     "Applicant" means an applicant for employment.

     "Educational institution" means:

     (1)  A private or public school, institution, or any subdivision thereof, that offers participants, students, or trainees an organized course of study or training that is academic, trade-oriented, or preparatory for gainful employment, as well as school employees and agents acting under the authority or on behalf of an educational institution; or

     (2)  A state educational agency authorized to direct or control an entity in paragraph (1).

     "Employee" means an individual who provides services or labor to an employer in return for wages or other remuneration or compensation.

     "Employer" means a person who is acting directly as an employer, or acting under the authority or on behalf of an employer, in relation to an employee.

     "Personal online account" means any online account maintained by an employee, applicant, student, or prospective student, including but not limited to a social media or email account, that is protected by a login requirement.  "Personal online account" does not include an account, or a discrete portion of an account, that was either:

     (1)  Opened at an employer's behest, or provided by an employer and intended to be used solely or primarily on behalf of or under the direction of the employer; or

     (2)  Opened at a school's behest, or provided by a school and intended to be used solely or primarily on behalf of or under the direction of the school.

     "Prospective student" means an applicant for admission to an educational institution.

     "Specifically identified content" means data or information stored in a personal online account that is identified with sufficient particularity to distinguish the discrete, individual piece of content being sought from any other data or information stored in the account with which it may share similar characteristics.

     §   -3  Employers.  An employer shall not:

     (1)  Require, request, or coerce an employee or applicant to:

          (A)  Disclose the user name, password, or any other means of authentication, or to provide access through the user name or password, to a personal online account;

          (B)  Disclose the non-public contents of a personal online account;

          (C)  Provide password or authentication information to a personal technological device for purposes of gaining access to a personal online account, or to turn over an unlocked personal technological device for purposes of gaining access to a personal online account;

          (D)  Access a personal online account in the presence of the employer in a manner that enables the employer to observe the contents of the account; or

          (E)  Change the account settings of a personal online account so as to increase third party access to its contents;

     (2)  Require or coerce an employee or applicant to add anyone, including the employer, to their list of contacts associated with a personal online account;

     (3)  Take any action or threaten to take any action to discharge, discipline, or otherwise penalize an employee in response to an employee's refusal to disclose any information or take any action specified in paragraphs (1) or (2); or

     (4)  Fail or refuse to hire any applicant as a result of an applicant's refusal to disclose any information or take any action specified in paragraphs (1) or (2).

     §   -4  Educational institutions.  An educational institution shall not:

     (1)  Require, request, or coerce a student or prospective student to:

          (A)  Disclose the user name, password, or any other means of authentication, or provide access through the user name or password, to a personal online account;

          (B)  Disclose the non-public contents of a personal online account;

          (C)  Provide password or authentication information to a personal technological device for purposes of gaining access to a personal online account, or to turn over an unlocked personal technological device for purposes of gaining access to a personal online account;

          (D)  Access a personal online account in the presence of an educational institution employee or educational institution volunteer, including but not limited to a coach, teacher, or school administer, in a manner that enables the educational institution employee or educational institution volunteer to observe the contents of the account; or

          (E)  Change the account settings of a personal online account so as to increase third party access to its contents;

     (2)  Require or coerce a student or prospective student to add anyone, including a coach, teacher, school administrator, or other educational institution employee or educational institution volunteer, to their list of contacts associated with a personal online account;

     (3)  Take any action or threaten to take any action to discharge, discipline, prohibit from participating in curricular or extracurricular activities, or otherwise penalize a student in response to a student's refusal to disclose any information or take any action specified in paragraphs (1) or (2); or

     (4)  Fail or refuse to admit any prospective student as a result of the prospective student's refusal to disclose any information or take any action specified in paragraphs (1) or (2).

     §   -5  Limitations.  Nothing in this chapter shall prevent an employer or educational institution from:

     (1)  Accessing information about an applicant, employee, student, or prospective student, that is publicly available;

     (2)  Complying with state and federal laws, rules, and regulations, and the rules of self-regulatory organizations as defined in section 3(a)(26) of the Securities and Exchange Act of 1934, 15 U.S.C. 78c(a)(26), or other statute governing self-regulatory organizations;

     (3)  For an employer, without requesting or requiring an employee or applicant to provide a user name, password, or other means of authentication that provides access to a personal online account, requesting or requiring an employee or applicant to share specifically identified content that has been reported to the employer for the purpose of:

          (A)  Enabling an employer to comply with its own legal and regulatory obligations;

          (B)  Investigating an allegation, based on the receipt of information regarding specifically identified content, of the unauthorized transfer of an employer's proprietary or confidential information or financial data to an employee or applicant's personal online account; or

          (C)  Investigating an allegation, based on the receipt of information regarding specifically identified content, of unlawful harassment or threats of violence in the workplace;

     (4)  For an educational institution, without requesting or requiring a student or prospective student to provide a user name, password, or other means of authentication that provides access to a personal online account, requesting or requiring a student or prospective student to share specifically identified content that has been reported to the educational institution for the purpose of complying with its own legal obligations, subject to all legal and constitutional protections that are applicable to the student or prospective student;

     (5)  Prohibiting an employee, applicant, student, or prospective student from using a personal online account for business or educational institution purposes; or

     (6)  Prohibiting an employee, applicant, student, or prospective student from accessing or operating a personal online account during business or school hours or while on business or school property.

     §   -6  Inadvertent receipt of password.  If an employer or educational institution inadvertently receives the user name, password, or other means of authentication that provides access to a personal online account of an employee, applicant, student, or prospective student through the use of an otherwise lawful technology that monitors the employer's or educational institution's network or employer-provided or educational institution-provided devices for network security or data confidentiality purposes, the employer or educational institution:

     (1)  Is not liable for having the information;

     (2)  Shall not use the information to access the personal online account of the employee, applicant, student, or prospective student;

     (3)  Shall not share the information with any other person or entity; and

     (4)  Shall delete the information as soon as is reasonably practicable, unless the information is being retained by the employer or educational institution in connection with the pursuit of a specific criminal complaint or civil action, or the investigation thereof.

     §   -7  Enforcement.  (a)  Any employer or educational institution, including its employee or agents, who violates this chapter shall be subject to legal action for damages or equitable relief, to be brought by any person claiming a violation of this chapter has injured the person or the person's reputation.  A person so injured shall be entitled to actual damages, including mental pain and suffering endured on account of violation of the provisions of this chapter, and reasonable attorneys' fees and other costs of litigation.

     (b)  Any employee or agent of an educational institution who violates this chapter shall be subject to disciplinary proceedings and punishment.  For educational institution employees who are represented under the terms of a collective bargaining agreement, this chapter prevails except where it conflicts with the collective bargaining agreement, any memorandum of agreement or understanding signed pursuant to the collective bargaining agreement, or any recognized and established practice relative to the members of the bargaining unit.

     §   -8  Admissibility.  Except as proof of a violation of this chapter, no data obtained, accessed, used, copied, disclosed, or retained in violation of this chapter, nor any evidence derived therefrom, shall be admissible in any criminal, civil, administrative, or other proceeding."

     SECTION 2.  This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date.

     SECTION 3.  If any provision of this Act, or the application thereof to any person or circumstance, is held invalid, the invalidity does not affect other provisions or applications of the Act that can be given effect without the invalid provision or application, and to this end the provisions of this Act are severable.

     SECTION 4.  This Act shall take effect on January 1, 3000.

Report Title:

Personal Online Account; Privacy; Employees; Students

Description:

Prohibits employers and educational institutions from requiring employees, applicants, students, and prospective students to provide protected personal online account information.  Authorizes private civil actions against violators.  Takes effect on 1/1/3000.  (SD1)

The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.