Bill Text: NY S02728 | 2019-2020 | General Assembly | Introduced


Bill Title: Relates to the "uniform employee and student online privacy protection act"; relates to the protection of employee and student online accounts.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Introduced - Dead) 2020-01-08 - REFERRED TO LABOR



                STATE OF NEW YORK
        ________________________________________________________________________
                                          2728
                               2019-2020 Regular Sessions
                    IN SENATE
                                    January 29, 2019
                                       ___________
        Introduced  by  Sen. KRUEGER -- read twice and ordered printed, and when
          printed to be committed to the Committee on Labor
        AN ACT to amend the labor law, in relation to the "uniform employee  and
          student online privacy protection act"
          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:
     1    Section 1. This act shall be known and may be cited  as  the  "uniform
     2  employee and student online privacy protection act".
     3    §  2.  The  labor law is amended by adding a new article 33 to read as
     4  follows:
     5                                 ARTICLE 33
     6                        UNIFORM EMPLOYEE AND STUDENT
     7                        ONLINE PRIVACY PROTECTION ACT
     8  Section 950. Definitions.
     9          951. Protection of employee online accounts.
    10          952. Protection of student online accounts.
    11          953. Civil action.
    12          954. Uniformity of application and construction.
    13          955. Relation to electronic signatures in  global  and  national
    14                 commerce act.
    15    § 950. Definitions. As used in this article:
    16    1.  "content" means information, other than login information, that is
    17  contained in a protected personal  online  account,  accessible  to  the
    18  account holder, and not publicly available.
    19    2.  "educational institution" means a person that provides students at
    20  the postsecondary level an organized program of study or training  which
    21  is  academic,  technical,  trade-oriented,  or  preparatory  for gaining
    22  employment and for which the person  gives  academic  credit.  The  term
    23  includes  both  a  public or private institution and also applies to any
    24  agent or designee of the educational institution.
    25    3.  "electronic"  means  relating  to  technology  having  electrical,
    26  digital,  magnetic, wireless, optical, electromagnetic, or similar capa-
    27  bilities.
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD06196-01-9

        S. 2728                             2
     1    4. "employee" means an individual who provides services or labor to an
     2  employer in exchange for salary, wages, or the  equivalent  or,  for  an
     3  unpaid  intern,  academic  credit  or  occupational experience including
     4  independent contractors. The term includes a prospective employee who:
     5    (a) has expressed to the employer an interest in being an employee; or
     6    (b)  has  applied  to  or  is  applying for employment by, or is being
     7  recruited for employment by, the employer.
     8    5. "employer" means a person  that  provides  salary,  wages,  or  the
     9  equivalent  to  an employee in exchange for services or labor or engages
    10  the services or labor of an unpaid intern.  The term includes  an  agent
    11  or designee of the employer.
    12    6.  "login  information"  means a user name and password, password, or
    13  other means or credentials  of  authentication  required  to  access  or
    14  control  of a protected personal online account or an electronic device,
    15  which the employee's employer or the student's  educational  institution
    16  has  not supplied or paid for in full, that itself provides access to or
    17  control over the account.
    18    7. "login requirement" means a requirement that login  information  be
    19  provided  before  an online account or electronic device can be accessed
    20  or controlled.
    21    8. "online" means accessible by means of a  computer  network  or  the
    22  internet.
    23    9. "person" means an individual, estate, business or nonprofit entity,
    24  public  corporation,  government or governmental subdivision, agency, or
    25  instrumentality, or other legal entity.
    26    10.  "protected  personal  online  account"  means  an  employee's  or
    27  student's  online  account that is protected by a login requirement. The
    28  term does not include an online account or the part of an online account
    29  that is publicly available. The term also does  not  include  an  online
    30  account  or  the  part  of an online account that the employer or educa-
    31  tional institution has notified the employee or student might be subject
    32  to a request for login information or content, and which:
    33    (a) the employer or educational institution supplies or  pays  for  in
    34  full; or
    35    (b)  the  employee or student creates, maintains, or uses primarily on
    36  behalf of or under the direction of the employer or educational institu-
    37  tion in connection with  the  employee's  employment  or  the  student's
    38  education.
    39    11.  "record" means information that is inscribed on a tangible medium
    40  or that is stored in an electronic or other medium and is retrievable in
    41  perceivable form.
    42    12. "student" means an individual who participates in  an  educational
    43  institution's organized program of study or training. The term includes:
    44    (a) a prospective student who expresses to the institution an interest
    45  in  being  admitted  to, applies for admission to, or is being recruited
    46  for admission by, the educational institution; and
    47    (b) a parent or legal guardian of a student under the age of eighteen.
    48    § 951. Protection of employee online accounts.    1.  Subject  to  the
    49  exceptions in subdivision two of this section, an employer may not:
    50    (a) require, coerce, or request an employee to:
    51    (i)  disclose  the  login  information for a protected personal online
    52  account;
    53    (ii) disclose the content of the account, except that an employer  may
    54  request  an  employee to add the employer to, or not remove the employer
    55  from, the set of persons to which the  employee  grants  access  to  the
    56  content;

     1    (iii)  alter the settings of the online account in a manner that makes
     2  the login information for, or content of, the account more accessible to
     3  others; or
     4    (iv)  access  the  account in the presence of the employer in a manner
     5  that enables the employer  to  observe  the  login  information  for  or
     6  content of the account; or
     7    (b)  take, or threaten to take, adverse action against an employee for
     8  failure to comply with:
     9    (i) an employer requirement, coercive action, or request that violates
    10  paragraph (a) of this subdivision; or
    11    (ii) an employer request under subparagraph (ii) of paragraph  (a)  of
    12  this  subdivision  to  add  the  employer to, or not remove the employer
    13  from, the set of persons to which the  employee  grants  access  to  the
    14  content of a protected personal online account.
    15    2. Nothing in subdivision one shall prevent an employer from:
    16    (a)  accessing  information about an employee which is publicly avail-
    17  able;
    18    (b) complying with a federal or state law, court order, or rule  of  a
    19  self-regulatory  organization  established  by federal or state statute,
    20  including a self-regulatory organization defined in section 3(a)(26)  of
    21  the securities and exchange act of 1934, 15 U.S.C. § 78c(a)(26); or
    22    (c) requiring or requesting, based on specific facts about the employ-
    23  ee's  protected  personal  online account, access to the content of, but
    24  not the login information for, the account in order to:
    25    (i) ensure compliance, or investigate non-compliance, with federal  or
    26  state  law  or  an  employer  prohibition  against work-related employee
    27  misconduct of which the employee has reasonable notice, which  is  in  a
    28  record,  and  which  was  not  created  primarily  to  gain  access to a
    29  protected personal online account; or
    30    (ii) protect against a threat to safety, a threat to employer informa-
    31  tion technology or communications  technology  systems  or  to  employer
    32  property,  or  disclosure  of  information  in  which the employer has a
    33  proprietary interest or information the employer has a legal  obligation
    34  to keep confidential.
    35    3.  An employer that accesses employee content for a purpose specified
    36  in paragraph (c) of subdivision two of this section:
    37    (a) shall attempt reasonably to limit its access to  content  that  is
    38  relevant to the specified purpose;
    39    (b) shall use the content only for the specified purpose; and
    40    (c)  may  not alter the content unless necessary to achieve the speci-
    41  fied purpose.
    42    4. An employer that acquires the login information for  an  employee's
    43  protected personal online account by means of otherwise lawful technolo-
    44  gy  that  monitors the employer's network, or employer-provided devices,
    45  for a network security,  data  confidentiality,  or  system  maintenance
    46  purpose:
    47    (a)  may  not  use  the  login information to access or enable another
    48  person to access the account;
    49    (b) shall make a reasonable  effort  to  keep  the  login  information
    50  secure;
    51    (c)  unless  otherwise  provided in paragraph (d) of this subdivision,
    52  shall dispose of the login information as soon as, as securely  as,  and
    53  to the extent reasonably practicable; and
    54    (d) shall, if the employer retains the login information for use in an
    55  ongoing  investigation  of  an  actual  or suspected breach of computer,
    56  network, or data security, make a reasonable effort to  keep  the  login

     1  information  secure and dispose of it as soon as, as securely as, and to
     2  the extent reasonably practicable after completing the investigation.
     3    §  952.  Protection  of  student  online accounts.   1. Subject to the
     4  exceptions in subdivision two of this section, an  educational  institu-
     5  tion may not:
     6    (a) require, coerce, or request a student to:
     7    (i)  disclose  the  login  information for a protected personal online
     8  account;
     9    (ii) disclose the content of the account, except that  an  educational
    10  institution may request a student to add the educational institution to,
    11  or  not  remove  the educational institution from, the set of persons to
    12  which the student grants access to the content;
    13    (iii) alter the settings of the account in a  manner  that  makes  the
    14  login  information  for  or  content  of  the account more accessible to
    15  others; or
    16    (iv) access the account in the presence of the educational institution
    17  in a manner that enables the  educational  institution  to  observe  the
    18  login information for or content of the account; or
    19    (b)  take,  or  threaten to take, adverse action against a student for
    20  failure to comply with:
    21    (i)  an  educational  institution  requirement,  coercive  action,  or
    22  request, that violates paragraph (a) of this subdivision; or
    23    (ii)  an  educational  institution  request under subparagraph (ii) of
    24  paragraph (a) of this subdivision to add the educational institution to,
    25  or not remove the educational institution from, the set  of  persons  to
    26  which  the  student grants access to the content of a protected personal
    27  online account.
    28    2. Nothing in subdivision one of this section shall prevent an  educa-
    29  tional institution from:
    30    (a) accessing information about a student that is publicly available;
    31    (b)  complying  with a federal or state law, court order, or rule of a
    32  self-regulatory organization established by federal or state statute; or
    33    (c) requiring  or  requesting,  based  on  specific  facts  about  the
    34  student's  protected  personal online account, access to the content of,
    35  but not the login information for, the account in order to:
    36    (i) ensure compliance, or investigate non-compliance, with federal  or
    37  state  law  or an educational institution prohibition against education-
    38  related student misconduct of which the student has  reasonable  notice,
    39  which is in a record, and which was not created primarily to gain access
    40  to a protected personal online account; or
    41    (ii)  protect  against  a  threat  to  safety, a threat to educational
    42  institution information technology or communications technology  systems
    43  or  to educational institution property, or disclosure of information in
    44  which the educational institution has a proprietary interest or informa-
    45  tion the educational institution has a legal obligation to  keep  confi-
    46  dential.
    47    3.  An  educational  institution  that  accesses student content for a
    48  purpose specified in paragraph (c) of subdivision two of this section:
    49    (a) shall attempt reasonably to limit its access to  content  that  is
    50  relevant to the specified purpose;
    51    (b) shall use the content only for the specified purpose; and
    52    (c)  may  not alter the content unless necessary to achieve the speci-
    53  fied purpose.
    54    4. An educational institution that acquires the login information  for
    55  a  student's  protected  personal  online  account by means of otherwise
    56  lawful technology that monitors the educational  institution's  network,

     1  or  educational  institution-provided  devices,  for a network security,
     2  data confidentiality, or system maintenance purpose:
     3    (a)  may  not  use  the  login information to access or enable another
     4  person to access the account;
     5    (b) shall make a reasonable  effort  to  keep  the  login  information
     6  secure;
     7    (c)  unless  otherwise  provided in paragraph (d) of this subdivision,
     8  shall dispose of the login information as soon as, as securely  as,  and
     9  to the extent reasonably practicable; and
    10    (d)  shall,  if the educational institution retains the login informa-
    11  tion for use in an ongoing  investigation  of  an  actual  or  suspected
    12  breach  of computer, network, or data security, make a reasonable effort
    13  to keep the login information secure and dispose of it as  soon  as,  as
    14  securely  as,  and to the extent reasonably practicable after completing
    15  the investigation.
    16    § 953. Civil action.  1. The attorney general may bring a civil action
    17  against an employer or educational institution for a violation  of  this
    18  article. A prevailing attorney general may obtain:
    19    (a) injunctive and other equitable relief; and
    20    (b)  a civil penalty of up to one thousand dollars for each violation,
    21  but not exceeding one hundred thousand dollars for all violations caused
    22  by the same event.
    23    2. An employee or student may bring a civil action against  the  indi-
    24  vidual's  employer  or  educational  institution for a violation of this
    25  article. A prevailing employee or student may obtain:
    26    (a) injunctive and other equitable relief;
    27    (b) actual damages; and
    28    (c) costs and reasonable attorney's fees.
    29    3. An action under subdivision one of this section does  not  preclude
    30  an  action  under  subdivision  two of this section, and an action under
    31  subdivision two of this section does not preclude an action under subdi-
    32  vision one of this section.
    33    4. This section does not affect a right or remedy available under  law
    34  other than this article.
    35    §  954.  Uniformity  of  application and construction. In applying and
    36  construing the sections of this article, consideration must be given  to
    37  the  need  to  promote uniformity of the law with respect to its subject
    38  matter among states that enact it.
    39    § 955. Relation  to  electronic  signatures  in  global  and  national
    40  commerce act. This article modifies, limits, or supersedes the electron-
    41  ic  signatures  in  global  and national commerce act, 15 U.S.C. section
    42  7001 et seq., but does not modify, limit, or supersede section 101(c) of
    43  that act, 15 U.S.C. section 7001(c), or authorize electronic delivery of
    44  any of the notices described in section 103(b) of that  act,  15  U.S.C.
    45  section 7003(b).
    46    §  3. Effect of invalidity; severability. If any section, subdivision,
    47  paragraph, sentence, clause, phrase or other portion of this act is, for
    48  any reason, declared unconstitutional or invalid, in whole or  in  part,
    49  by  any  court  of  competent jurisdiction, such portion shall be deemed
    50  severable, and such unconstitutionality or invalidity shall  not  affect
    51  the  validity  of  the  remaining  portions of this act, which remaining
    52  portions shall continue in full force and effect.
    53    § 4. This act shall take effect immediately.