HOUSE OF REPRESENTATIVES

H.B. NO. 794

THIRTY-FIRST LEGISLATURE, 2021

STATE OF HAWAII

A BILL FOR AN ACT

relating to online account privacy.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

     SECTION 1.  The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:

"CHAPTER

PERSONAL ONLINE ACCOUNT PRIVACY ACT

     §   -1  Short title.  This chapter may be cited as the Personal Online Account Privacy Act.

     §   -2  Definitions.  As used in this chapter,

     "Educational institution" means:

     (1)  A private or public school, institution, or any subdivision thereof, that offers students an organized course of study or training that is academic, trade‑oriented, or preparatory for gainful employment, as well as school employees and agents acting under the authority or on behalf of an educational institution; or

     (2)  A state educational agency authorized to direct or control an entity in paragraph (1).

     "Employee" means an individual who provides services or labor to an employer in exchange for salary, wages, or the equivalent or, for an unpaid intern, academic credit or occupational experience.  "Employee" includes:

     (1)  A prospective employee who has:

          (A)  Expressed to the employer an interest in being an employee; or

          (B)  Applied for or is applying for employment by, or is being recruited for employment by, the employer; and

     (2)  An independent contractor.

     "Employer" means a person that provides salary, wages, or the equivalent to an employee in exchange for services or labor or engages the services or labor of an unpaid intern.  "Employer" includes an agent or designee of the employer.

     "One-to-one program" means any program authorized by an employer or educational institution where a technological device is provided to an employee or a student by or through an employer or educational institution, respectively, for overnight or at-home use.

     "Personal online account" means any online account maintained by an employee or student, including but not limited to a social media or electronic mail account, that is protected by a login requirement.  "Personal online account" does not include an account, or a discrete portion of an account, that was either:

     (1)  Opened at an employer's behest, or provided by an employer and intended to be used solely or primarily on behalf of or under the direction of the employer; or

     (2)  Opened at an educational institution's behest, or provided by an educational institution and intended to be used solely or primarily on behalf of or under the direction of the educational institution.

     "Personal technological device" means a technological device owned, leased, or otherwise lawfully possessed by an employee or a student that was not provided pursuant to a one‑to-one program.

     "Student" means an individual who participates in an educational institution's organized program of study or training.  "Student" includes:

     (1)  A prospective student who expresses to the educational institution an interest in being admitted to, applies for admission to, or is being recruited for admission by, the educational institution; and

     (2)  A parent or legal guardian of a student under the age of majority.

     "Specifically identified content" means data or information stored in a personal online account that is identified with sufficient particularity to distinguish the discrete, individual piece of content being sought from any other data or information stored in the personal online account with which it may share similar characteristics.

     "Technological device" means any computer, cellular phone, smartphone, digital camera, video camera, audio recording device, or other electronic device that can be used for creating, storing, or transmitting information in the form of electronic data.

     §   -3  Employers.  An employer shall not:

     (1)  Require, request, or coerce an employee to:

          (A)  Disclose the username, password, or any other means of authentication, or provide access through the username or password, to a personal online account;

          (B)  Disclose the non-public contents of a personal online account;

          (C)  Provide password or authentication information to a personal technological device for purposes of gaining access to a personal online account, or turn over an unlocked personal technological device for purposes of gaining access to a personal online account;

          (D)  Access a personal online account in the presence of the employer in a manner that enables the employer to observe the contents of the account; or

          (E)  Change the account settings of a personal online account so as to increase third party access to its contents;

     (2)  Require or coerce an employee to add anyone, including the employer, to the list of contacts associated with the employee's personal online account;

     (3)  Take any action or threaten to take any action to discharge, discipline, or otherwise penalize an employee in response to an employee's refusal to disclose any information or take any action specified in paragraphs (1) or (2); or

     (4)  Fail or refuse to hire any employee as a result of an employee's refusal to disclose any information or take any action specified in paragraphs (1) or (2).

     §   -4  Educational institutions.  An educational institution shall not:

     (1)  Require, request, or coerce a student to:

          (A)  Disclose the username, password, or any other means of authentication, or provide access through the username or password, to a personal online account;

          (B)  Disclose the non-public contents of a personal online account;

          (C)  Provide password or authentication information to a personal technological device for purposes of gaining access to a personal online account, or turn over an unlocked personal technological device for purposes of gaining access to a personal online account;

          (D)  Access a personal online account in the presence of an educational institution in a manner that enables the educational institution to observe the contents of the account; or

          (E)  Change the account settings of a personal online account so as to increase third party access to its contents;

     (2)  Require or coerce a student to add anyone, including the educational institution, to the list of contacts associated with the student's personal online account;

     (3)  Take any action or threaten to take any action to discharge, discipline, prohibit from participating in curricular or extracurricular activities, or otherwise penalize a student in response to a student's refusal to disclose any information or take any action specified in paragraphs (1) or (2); or

     (4)  Fail or refuse to admit any student as a result of the student's refusal to disclose any information or take any action specified in paragraphs (1) or (2).

     §   -5  Limitations.  (a)  Nothing in this chapter shall prevent an employer or educational institution from:

     (1)  Accessing information about an employee or student, that is publicly available;

     (2)  Complying with state and federal laws, rules, and regulations, and the rules of self-regulatory organizations as defined in section 3(a)(26) of the Securities and Exchange Act of 1934, title 15 United States Code section 78c(a)(26), or other statute governing self-regulatory organizations; or

     (3)  Prohibiting an employee or student from accessing or operating a personal online account during business or educational institution hours or while on business or educational institution property.

     (b) Nothing in this chapter shall prevent an employer, without requesting or requiring an employee to provide a username, password, or other means of authentication that provides access to a personal online account, from requesting or requiring an employee to share specifically identified content that has been reported to the employer for the purposes of:

     (1)  Enabling an employer to comply with its own legal and regulatory obligations;

     (2)  Investigating an allegation, based on the receipt of information regarding specifically identified content, of the unauthorized transfer of an employer's proprietary or confidential information or financial data to an employee's personal online account; or

     (3)  Investigating an allegation, based on the receipt of information regarding specifically identified content, of unlawful harassment or threats of violence in the workplace.

     (c)  Nothing in this chapter shall prevent an educational institution, without requesting or requiring a student to provide a username, password, or other means of authentication that provides access to a personal online account, from requesting or requiring a student to share specifically identified content that has been reported to the educational institution for the purpose of complying with its own legal obligations, subject to all legal and constitutional protections that are applicable to the student; or

     §   -6  Inadvertent receipt of password.  If an employer or educational institution inadvertently receives the username, password, or other means of authentication that provides access to a personal online account of an employee or a student through the use of an otherwise lawful technology that monitors the employer's or educational institution's network or employer‑provided or educational institution-provided technological devices for network security or data confidentiality purposes, the employer or educational institution:

     (1)  Shall not be liable for having the information;

     (2)  Shall not use the information to access the personal online account of the employee or student;

     (3)  Shall not share the information with any other person or entity; and

     (4)  Shall delete the information as soon as is reasonably practicable, unless the information is being retained by the employer or educational institution in connection with the pursuit of a specific criminal complaint or civil action, or the investigation thereof.

     §   -7  Enforcement.  (a)  Any employer or educational institution, including its employees or agents, who violates this chapter shall be subject to legal action for damages or equitable relief, to be brought by any person who claims a violation of this chapter has injured the person or the person's reputation.  A person so injured shall be entitled to actual damages, including pain and suffering and mental anguish endured on account of the violation of this chapter, and reasonable attorneys' fees and other costs of litigation.

     (b)  Any employee or agent of an educational institution who violates this chapter shall be subject to disciplinary proceedings and punishment.  For educational institution employees who are represented under the terms of a collective bargaining agreement, this chapter prevails except where it conflicts with the collective bargaining agreement, any memorandum of agreement or understanding signed pursuant to the collective bargaining agreement, or any recognized and established practice relative to the members of the bargaining unit.

     §   -8  Admissibility.  Except as proof of a violation of this chapter, no data obtained, accessed, used, copied, disclosed, or retained in violation of this chapter, nor any evidence derived therefrom, shall be admissible in any criminal, civil, administrative, or other proceeding."

     SECTION 2.  This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date.

     SECTION 3.  If any provision of this Act, or the application thereof to any person or circumstance, is held invalid, the invalidity does not affect other provisions or applications of the Act that can be given effect without the invalid provision or application, and to this end the provisions of this Act are severable.

     SECTION 4.  This Act shall take effect on July 1, 2021.

 

INTRODUCED BY:

_____________________________

Report Title:

Personal Online Account Privacy Act; Employers; Employees; Educational Institutions; Students

Description:

Prohibits employers and educational institutions from requiring employees or students to provide protected personal online account information.  Authorizes private civil actions against violators.

The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.