HOUSE OF REPRESENTATIVES

H.B. NO. 2173

TWENTY-NINTH LEGISLATURE, 2018

H.D. 2

STATE OF HAWAII

A BILL FOR AN ACT

RELATING TO ONLINE ACCOUNT PRIVACY.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

 


     SECTION 1.  The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:

"CHAPTER    

PERSONAL ONLINE ACCOUNT PRIVACY ACT

     §   -1  Short title.  This chapter may be cited as the Personal Online Account Privacy Act.

     §   -2  Definitions.  As used in this chapter, unless the context requires otherwise:

     "Adverse action against an employee" includes:

     (1)  Any action to discharge, discipline, or otherwise penalize a current employee; or

     (2)  Failing to or refusing to hire or engage the services of a prospective employee.

     "Adverse action against a student" includes:

     (1)  Any action to discharge, discipline, or otherwise penalize a current student, including prohibiting the current student from participating in curricular or extracurricular activities; or

     (2)  Failing to or refusing to admit a prospective student.

     "Content" means information, other than login information, that is contained in a protected personal online account, accessible to the account holder, and not publicly available.

     "Educational institution" means a person that provides students at the postsecondary level an organized program of study or training that is academic, technical, trade-oriented, or preparatory for gaining employment and for which the person gives academic credit.  The term includes:

     (1)  A public or private institution; and

     (2)  An agent, excluding independent contractors, or designee of the educational institution.

     "Electronic" means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.

     "Employee" means an individual who provides services or labor to an employer in exchange for salary, wages, or the equivalent or, for an unpaid intern, academic credit or occupational experience.  The term includes:

     (1)  A prospective employee who has:

          (A)  Expressed to the employer an interest in being an employee; or

          (B)  Applied to or is applying for employment by, or is being recruited for employment by, the employer; and

     (2)  An independent contractor.

     "Employer" means a person that:

     (1)  Provides salary, wages, or the equivalent to an employee in exchange for services or labor; or

     (2)  Engages the services or labor of an unpaid intern.

The term includes an agent, excluding independent contractors, or designee of an employer, but does not include the United States or any federal branch, department, or agency thereof.

     "Login information" means a user name, password, or other means or credentials of authentication required to access or control:

     (1)  A protected personal online account; or

     (2)  An electronic device, which the employee's employer or the student's educational institution has not supplied or paid for in full, that itself provides access to or control over a protected personal online account.

     "Login requirement" means a requirement that login information shall be provided before a protected personal online account or electronic device can be accessed or controlled.

     "Online" means accessible by means of a computer network or the Internet.

     "Person" means an individual, estate, business or nonprofit entity, public corporation, government or governmental subdivision, agency, or instrumentality, or other legal entity.

     "Personal technological device" means a technological device owned, leased, or otherwise lawfully possessed by an employee or student.  The term does not include a device that:

     (1)  An employer or educational institution supplies or pays for in full; or

     (2)  An employee or student possesses, maintains, or uses primarily on behalf of or under the direction of an employer or educational institution in connection with the employee's employment or the student's education.

     "Protected personal online account" means an employee's or student's online account that is protected by a login requirement.  The term does not include an online account or the part of an online account:

     (1)  That is publicly available; or

     (2)  That the employer or educational institution has notified the employee or student might be subject to a request for login information or content, and that:

          (A)  The employer or educational institution supplies, pays for in full, or issues login information under its domain name; or

          (B)  The employee or student creates, maintains, or uses primarily on behalf of or under the direction of the employer or educational institution in connection with the employee's employment or the student's education.

     "Publicly available" means available to the general public.

     "Record" means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in a perceivable form.

     "State" means a state of the United States, the District of Columbia, the United States Virgin Islands, or any territory or insular possession subject to the jurisdiction of the United States.

     "Student" means an individual who participates in an educational institution's organized program of study or training.  The term includes:

     (1)  A prospective student who expresses to the institution an interest in being admitted to, applies for admission to, or is being recruited for admission by, the educational institution; and

     (2)  A parent or legal guardian of a minor student.

     "Technological device" means any computer, cellular phone, smartphone, digital camera, video camera, audio recording device, or other electronic device that can be used for creating, storing, or transmitting information in the form of electronic data.

     §   -3  Protected personal online accounts.  Except as provided in section    -4, no employer or educational institution shall:

     (1)  Require or coerce an employee or student to:

          (A)  Disclose the login information for a protected personal online account;

          (B)  Disclose the content of or provide access to a protected personal online account; provided that an employer or educational institution may request that an employee or student add or not remove any person, including the employer or educational institution, to or from the set of persons to which the employee or student grants access to the content;

          (C)  Alter the settings of a protected personal online account in a manner that makes the login information for, or content of the account more accessible to others;

          (D)  Access a protected personal online account in the presence of the employer or educational institution in a manner that enables the employer or educational institution to observe the login information for or content of the account; or

          (E)  Provide to the employer or educational institution the password or authentication information to a personal technological device for the purpose of gaining access to a protected personal online account, or relinquish a personal technological device to the employer or educational institution for the purpose of gaining access to a protected personal online account; or

     (2)  Take, or threaten to take, adverse action against an employee or student for failure or refusal to comply with:

          (A)  An employer's or educational institution's requirement or coercive action that violates paragraph (1); or

          (B)  An employer's or educational institution's request under paragraph (1)(B) to add any person to, or not remove any person from, the set of persons to which the employee or student grants access to the content of a protected personal online account.

          This paragraph shall not prohibit an employer or educational institution from taking or threatening to take adverse action against an employee or student for failure or refusal to comply with requirements or requests made pursuant to section    -4.

     §   -4  Limitations to prohibitions regarding employers and educational institutions.  (a)  Nothing in this chapter shall prohibit an employer or educational institution from:

     (1)  Accessing information about an employee or student that is publicly available;

     (2)  Complying with a federal or state law, order of a court of competent jurisdiction, court or administrative agency subpoena, or rule of a self-regulatory organization established by federal or state law, including a self-regulatory organization as defined in the Securities and Exchange Act of 1934, title 15 United States Code section 78c(a)(26);

     (3)  Requiring or requesting, based on specific allegations about an employee's or student's protected personal online account, access to content, but not login information, of the account in order to:

          (A)  Ensure compliance or investigate noncompliance, with:

              (i)  Federal or state law; or

             (ii)  An employer's or educational institution's prohibition against work-related employee or education-related student misconduct; provided that the employee or student has reasonable written notice of the prohibition and the prohibition was not created primarily to gain access to a protected personal online account;

              provided that the access to content is subject to all legal and constitutional protections otherwise available to the employee or student; or

          (B)  Protect against:

              (i)  A threat to safety;

             (ii)  A threat to the employer's or educational institution's information technology or communications technology systems, or property; or

            (iii)  Disclosure of the employer's or educational institution's nonpublic financial information, information in which the employer or educational institution has a proprietary interest, or information that the employer or educational institution has a legal obligation to keep confidential; or

     (4)  Prohibiting an employee or student from:

          (A)  Using a protected personal online account for the employer's business or the educational institution's purposes; or

          (B)  Accessing or operating a protected personal online account during business or school hours, while on the employer's or educational institution's property, or while using the employer's or educational institution's technological device.

     (b)  An employer that accesses an employee's content for a purpose specified in subsection (a)(3):

     (1)  Shall reasonably attempt to limit its access to content that is relevant to the specified purpose;

     (2)  Shall use the content only for the specified purpose; and

     (3)  Shall not alter the content unless necessary to achieve the specified purpose.

     (c)  An employer or educational institution that acquires the login information for an employee's or a student's protected personal online account by means of otherwise lawful technology that monitors the network or devices owned or provided by the employer or educational institution, for a network security, data confidentiality, or system maintenance purpose:

     (1)  Shall not use the login information to access or enable another person to access the account;

     (2)  Shall make a reasonable effort to keep the login information secure;

     (3)  Unless otherwise provided in paragraph (4), shall dispose of the login information as soon as and as securely as reasonably practicable; and

     (4)  If the employer or educational institution retains the login information for use in an anticipated or ongoing civil action or ongoing investigation of an actual or suspected breach of computer, network, or data security, shall make a reasonable effort to keep the login information secure and dispose of it as soon as and as securely as reasonably practicable after completing the civil action or investigation.

     §   -5  Civil actions for injunctive relief or damages.  (a)  A person who alleges a violation of this chapter may bring a civil action for appropriate injunctive relief or actual damages, or both, within one hundred eighty days after the occurrence of the alleged violation.

     (b)  An action commenced pursuant to subsection (a) may be brought in the circuit court for the circuit where the alleged violation occurred, where the complainant resides, or where the person against whom the civil complaint is filed resides or has a principal place of business.

     (c)  As used in this section, "damages" means damages for injury or loss caused by each violation of this chapter, including reasonable attorney fees.

     §   -6  Admissibility.  No data obtained, accessed, used, copied, disclosed, or retained in violation of this chapter, nor any evidence derived therefrom, shall be admissible in any criminal, civil, administrative, or other proceeding, except as proof of a violation of this chapter."

     SECTION 2.  This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date.

     SECTION 3.  This Act shall take effect on January 1, 2050.

Report Title:

Internet; Privacy; Employees; Students

Description:

Prohibits employers and educational institutions from requiring employees, students, and prospective employees and students to provide protected personal online account information.  Authorizes private civil actions against violators.  (HB2173 HD2)

The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.