Bill Text: HI SB429 | 2018 | Regular Session | Amended

NOTE: There are more recent revisions of this legislation.
Bill Title: Relating To The Uniform Employee And Student Online Privacy Protection Act.

Spectrum: Partisan Bill (Democrat 7-0)

Status: (Engrossed - Dead) 2018-03-15 - Received notice of discharge of conferees (Hse. Com. No. 385).


THE SENATE

S.B. NO. 429

TWENTY-NINTH LEGISLATURE, 2017

S.D. 2

STATE OF HAWAII

A BILL FOR AN ACT

RELATING TO THE UNIFORM EMPLOYEE AND STUDENT ONLINE PRIVACY PROTECTION ACT.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

 


     SECTION 1.  The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:

"Chapter

THE UNIFORM EMPLOYEE AND STUDENT ONLINE PRIVACY PROTECTION ACT

     §   -1  Short title.  This chapter may be cited as the uniform employee and student online privacy protection act.

     §   -2  Definitions.  As used in this chapter:

     "Applicant" means an applicant for employment.

     "Educational institution" means:

     (1)  A private or public school, institution, or school district, or any subdivision thereof, that offers participants, students, or trainees an organized course of study or training that is academic, trade-oriented, or preparatory for gainful employment;

     (2)  School employees and agents acting under the authority or on behalf of an educational institution; and

     (3)  Any state or local educational agency authorized to direct or control an entity described in paragraph (1) of this definition.

     "Electronic" means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.

     "Employee" means an individual who provides services or labor to an employer in exchange for salary, wages, or other remuneration or compensation.

     "Employer" means a person that provides salary, wages, or the equivalent to an employee in exchange for services or labor.  The term includes an agent or designee of the employer acting under the authority or on behalf of an employer.

     "Personal online account" means any online account maintained by an employee or student, including social media or electronic mail accounts, that is protected by a login requirement.  The term does not include an account, or the discrete portion of an account, that was:

     (1)  Opened at an employer's behest, or provided by an employer and intended to be used solely or primarily on behalf of or under the direction of the employer; or

     (2)  Opened at an educational institution's behest, or provided by an educational institution and intended to be used solely or primarily on behalf of or under the direction of the educational institution.

     "Prospective student" means an applicant for admission to an educational institution.

     "Publicly available" means available to the general public.

     "Specifically identified content" means data or information on a personal online account that is identified with sufficient particularity to:

     (1)  Demonstrate prior knowledge of the content's details; and

     (2)  Distinguish the content from other data or information on the account with which it may share similar characteristics.

     "Student" means any full-time or part-time student, participant, or trainee who is enrolled in a class or any other organized course of study at an educational institution.

     §   -3  Protection of employee or applicant online account.  (a)  Subject to the exceptions in subsection (b), an employer shall not:

     (1)  Require, coerce, or request an employee or applicant to:

         (A)  Disclose the user name and password, password, or any other means of authentication, or to provide access through the user name or password, to a personal online account;

         (B)  Disclose the non-public content of a personal online account;

         (C)  Provide password or authentication information to a personal technological device for the purpose of gaining access to a personal online account, or turn over an unlocked personal technological device for the purpose of gaining access to a personal online account;

         (D)  Alter the settings of the personal online account in a manner that makes the content of the personal online account more accessible to others; or

         (E)  Access the personal online account in the presence of the employer in a manner that enables the employer to observe the content of the account;

     (2)  Require or coerce an employee or applicant to add anyone, including the employer, to the employee's or applicant's list of contacts associated with a personal online account;

     (3)  Take, or threaten to take, adverse action against an employee or applicant for failure to comply with an employer requirement, coercive action, or request that violates paragraph (1); or

     (4)  Fail or refuse to admit any applicant as a result of the applicant's refusal to disclose any information or take any action specified in paragraph (1).

     (b)  Nothing in subsection (a) shall prevent an employer from:

     (1)  Accessing information about an employee or applicant that is publicly available;

     (2)  Complying with a federal or state law, court order, or rule of a self-regulatory organization established by federal or state statute, including a self-regulatory organization as defined in section 3(a)(26) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(26));

     (3)  Without requesting or requiring an employee or applicant to provide a user name and password, password, or other means of authentication that provides access to a personal online account, requiring or requesting an employee or applicant to provide specifically identified content that has been reported to the employer for the purpose of:

         (A)  Enabling the employer to comply with legal and regulatory obligations;

         (B)  Investigating an allegation, based on the receipt of information regarding specifically identified content, of the unauthorized transfer of an employer's proprietary or confidential information or financial data to an employee's or applicant's personal online account;

         (C)  Investigating an allegation, based on the receipt of information regarding specifically identified content, of unlawful harassment or threats of violence in the workplace; or

         (D)  Protecting against a threat to safety, employer information technology, communications technology systems, or employer property;

     (4)  Prohibiting an employee or applicant from using a personal online account for business purposes; or

     (5)  Prohibiting an employee or applicant from accessing or operating a personal online account during business hours or while on business property.

     (c)  An employer that accesses employee or applicant content for a purpose specified in subsection (b)(3):

     (1)  Shall attempt reasonably to limit its access to content that is relevant to the specified purpose;

     (2)  Shall use the content only for the specified purpose; and

     (3)  Shall not alter the content unless necessary to achieve the specified purpose.

     (d)  An employer that inadvertently receives the user name and password, password, or other means of authentication that provides access to an employee's or applicant's personal online account by means of otherwise lawful technology that monitors the employer's network, or employer-provided devices, for a network security, data confidentiality, or system maintenance purpose:

     (1)  Is not liable for having the information;

     (2)  Shall not use the information to access the personal online account of the employee or applicant or share the information with any other person or entity;

     (3)  Shall make a reasonable effort to keep the login information secure;

     (4)  Unless otherwise provided in paragraph (5), shall dispose of the information as soon as, as securely as, and to the extent reasonably practicable; and

     (5)  Shall, if the employer retains the information for use in connection with the pursuit of a specific criminal complaint or civil action, or the investigation thereof, make a reasonable effort to keep the login information secure and dispose of it as soon as, as securely as, and to the extent reasonably practicable after completing the investigation.

     (e)  Nothing in this chapter shall diminish the authority and obligation of an employer to investigate complaints, allegations, or the occurrence of sexual, racial, or other prohibited harassment under chapter 378.

     §   -4  Protection of student or prospective student online account.  (a)  Subject to the exceptions in subsection (b), an educational institution shall not:

     (1)  Require, coerce, or request a student or prospective student to:

         (A)  Disclose the user name and password, password, or any other means of authentication, or to provide access through the user name or password, to a personal online account;

         (B)  Disclose the non-public content of a personal online account;

         (C)  Provide password or authentication information to a personal technological device for the purpose of gaining access to a personal online account, or turn over an unlocked personal technological device for the purpose of gaining access to a personal online account;

         (D)  Alter the settings of the personal online account in a manner that makes the content of the personal online account more accessible to others; or

         (E)  Access the personal online account in the presence of the educational institution employee or educational institution volunteer, including a coach, teacher, or school administrator, in a manner that enables the educational institution employee or educational institution volunteer to observe the content of the account;

     (2)  Require or coerce a student or prospective student to add anyone, including a coach, teacher, school administrator, or other educational institution employee or educational institution volunteer, to the student's or prospective student's list of contacts associated with a personal online account;

     (3)  Take, or threaten to take, adverse action against a student or prospective student, including discharge, discipline, prohibition from participation in curricular or extracurricular activities, for failure to comply with an educational institution requirement, coercive action, or request that violates paragraph (1);

     (4)  Fail or refuse to admit any prospective student as a result of the prospective student's refusal to disclose any information or take any action specified in paragraph (1).

     (b)  Nothing in subsection (a) shall prevent an educational institution from:

     (1)  Accessing information about a student or prospective student that is publicly available;

     (2)  Complying with a federal or state law, court order, or rule of a self-regulatory organization established by federal or state statute, including a self-regulatory organization as defined in section 3(a)(26) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(26));

     (3)  Without requesting or requiring a student or prospective student to provide a user name and password, password, or other means of authentication that provides access to a personal online account, requiring or requesting a student or prospective student to provide specifically identified content that has been reported to the educational institution for the purpose of:

         (A)  Enabling the educational institution to comply with legal and regulatory obligations;

         (B)  Investigating an allegation, based on the receipt of information regarding specifically identified content, of the unauthorized transfer of an educational institution's proprietary or confidential information or financial data to a student's or prospective student's personal online account;

         (C)  Investigating an allegation, based on the receipt of information regarding specifically identified content, of noncompliance with an educational institution prohibition against education-related student misconduct of which the student has reasonable notice, which is in a record, and that was not created primarily to gain access to a personal online account; or

         (D)  Protecting against a threat to safety, educational institution information technology, communications technology systems, or educational institution property;

     (4)  Prohibiting a student or prospective student from using a personal online account for educational institution purposes; or

     (5)  Prohibiting a student or prospective student from accessing or operating a personal online account during school hours or while on school property.

     (c)  An educational institution that accesses student or prospective student content for a purpose specified in subsection (b)(3):

     (1)  Shall attempt reasonably to limit its access to content that is relevant to the specified purpose;

     (2)  Shall use the content only for the specified purpose; and

     (3)  Shall not alter the content unless necessary to achieve the specified purpose.

     (d)  An educational institution that inadvertently receives the user name and password, password, or other means of authentication that provides access to a student's or prospective student's personal online account by means of otherwise lawful technology that monitors the educational institution's network, or educational institution-provided devices, for a network security, data confidentiality, or system maintenance purpose:

     (1)  Is not liable for having the information;

     (2)  Shall not use the information to access the personal online account of the student or prospective student or share the information with any other person or entity;

     (3)  Shall make a reasonable effort to keep the information secure;

     (4)  Unless otherwise provided in paragraph (5), shall dispose of the information as soon as, as securely as, and to the extent reasonably practicable; and

     (5)  Shall, if the educational institution retains the information for use in connection with the pursuit of a specific criminal complaint or civil action, or the investigation thereof, make a reasonable effort to keep the information secure and dispose of it as soon as, as securely as, and to the extent reasonably practicable after completing the investigation.

     §   -5  Enforcement.  (a)  The attorney general may bring a civil action in district court against an employer or educational institution for a violation of this chapter.  A prevailing attorney general may obtain:

     (1)  Injunctive and other equitable relief; and

     (2)  A civil penalty of up to $1,000 for each violation, but not exceeding $100,000 for all violations caused by the same event.

     (b)  An employee, applicant, student, or prospective student may bring a civil action in district court against the individual's employer or educational institution for a violation of this chapter.  A prevailing employee, applicant, student, or prospective student may obtain:

     (1)  Injunctive and other equitable relief;

     (2)  Actual damages; and

     (3)  Costs and reasonable attorney's fees.

     (c)  An employee or agent of an educational institution who violates this Act may be subject to disciplinary proceedings and punishment.  For educational institution employees who are represented under the terms of a collective bargaining agreement, the collective bargaining agreement, any memorandum of agreement or understanding signed pursuant to the collective bargaining agreement, or any recognized and established practice relative to the members of the bargaining unit shall prevail except where the agreement, memorandum, or practice does not conflict with this chapter.

     (d)  An action under subsection (a) shall not preclude an action under subsection (b), and an action under subsection (b) shall not preclude an action under subsection (a).

     (e)  This chapter shall not affect a right or remedy available under law other than this chapter.

     §   -6  Uniformity of application and construction.  In applying and construing this chapter, consideration shall be given to the need to promote uniformity of the law with respect to its subject matter among states that enact it.

     §   -7  Relation to Electronic Signatures in Global and National Commerce Act.  This chapter modifies, limits, and supersedes the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001 et seq.), but does not modify, limit, or supersede section 101(c) of that act (15 U.S.C. 7001(c)), or authorize electronic delivery of any of the notices described in Section 103(b) of that act (15 U.S.C. 7003(b)).

     §   -8  Relation to other state laws.  Unless otherwise provided in this chapter, if any provision in this chapter conflicts with a provision in any other chapter, the provision in this chapter shall control.

     §   -9  Severability.  If any provision of this chapter or its application to any person or circumstance is held invalid, the invalidity does not affect other provisions or applications of this chapter which can be given effect without the invalid provision or application, and to this end the provisions of this chapter are severable."

     SECTION 2.  This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date.

     SECTION 3.  This Act shall take effect on January 7, 2059.

Report Title:

Online Privacy; Employees; Applicants; Students; Prospective Students

Description:

Adopts uniform laws on protecting the online accounts of employees, applicants, students, and prospective students from employers and educational institutions, respectively.  Takes effect 1/7/2059.  (SD2)

 

 

 

The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.