HOUSE OF REPRESENTATIVES

H.B. NO.

1904

THIRTIETH LEGISLATURE, 2020

 

STATE OF HAWAII

 

 

 

 

 

 

A BILL FOR AN ACT

 

 

RELATING TO THE UNIFORM EMPLOYEE AND STUDENT ONLINE PRIVACY PROTECTION ACT.

 

 

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

 


     SECTION 1.  The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:

"Chapter

THE UNIFORM EMPLOYEE AND STUDENT ONLINE PRIVACY PROTECTION ACT

     §   -1  Short title.  This chapter may be cited as The Uniform Employee and Student Online Privacy Protection Act.

     §   -2  Definitions.  As used in this chapter:

     "Content" means information, other than login information, that is contained in a protected personal online account, accessible to the account holder, and not publicly available.

     "Educational institution" means a person that provides to students an organized program of study or training that is academic, technical, trade-oriented, or preparatory for gaining employment and for which the person gives academic credit.  The term includes:

     (1)  A public or private institution; and

     (2)  An agent or designee of the educational institution.

     "Electronic" means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.

     "Employee" means an individual who provides services or labor to an employer in exchange for salary, wages, or the equivalent or, for an unpaid intern, academic credit or occupational experience.  The term includes:

     (1)  A prospective employee who has:

          (A)  Expressed to the employer an interest in being an employee; or

          (B)  Applied for or is applying for employment by, or is being recruited for employment by, the employer; and

     (2)  An independent contractor.

     "Employer" means a person that provides salary, wages, or the equivalent to an employee in exchange for services or labor or engages the services or labor of an unpaid intern.  The term includes an agent or designee of the employer.

     "Login information" means a user name and password, password, or other means or credentials of authentication required to access or control:

     (1)  A protected personal online account; or

     (2)  An electronic device, which the employee's employer or the student's educational institution has not supplied or paid for in full, that itself provides access to or control over the account.

     "Login requirement" means a requirement that login information shall be provided before a protected personal online account or electronic device can be accessed or controlled.

     "Online" means accessible by means of a computer network or the Internet.

     "Person" means an individual; estate; business or nonprofit entity; public corporation; government or governmental subdivision, agency, or instrumentality; or other legal entity.

     "Protected personal online account" means any online account maintained by an employee or a student, including social media or electronic mail accounts, that is protected by a login requirement.  The term does not include an account, or the discrete portion of an account, that was:

     (1)  Opened at an employer's behest, or provided by an employer and intended to be used solely or primarily on behalf of or under the direction of the employer; or

     (2)  Opened at an educational institution's behest, or provided by an educational institution and intended to be used solely or primarily on behalf of or under the direction of the educational institution.

     "Publicly available" means available to the general public.

     "Record" means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form.

     "State" means a state of the United States, the District of Columbia, the United States Virgin Islands, or any territory or insular possession subject to the jurisdiction of the United States.

     "Student" means an individual who participates in an educational institution's organized program of study or training.  The term includes:

     (1)  A prospective student who expresses to the institution an interest in being admitted to, applies for admission to, or is being recruited for admission by, the educational institution; and

     (2)  A parent or legal guardian of a student under the age of majority.

     §   -3  Protection of employee online account.  (a)  Subject to the exceptions in subsection (b), an employer shall not:

     (1)  Require or coerce an employee to:

          (A)  Disclose the login information for a protected personal online account;

          (B)  Disclose the content of the account, except that an employer may request an employee to add the employer to, or to not remove the employer from, the set of persons to which the employee grants access to the content;

          (C)  Alter the settings of the account in a manner that makes the login information for or content of the account more accessible to others; or

          (D)  Access the account in the presence of the employer in a manner that enables the employer to observe the login information for or content of the account; or

     (2)  Take, or threaten to take, adverse action against an employee for failure to comply with an employer's:

          (A)  Requirement, coercive action, or request that violates paragraph (1); or

          (B)  Request under paragraph (1)(B) to add the employer to, or to not remove the employer from, the set of persons to which the employee grants access to the content of a protected personal online account.

     (b)  Nothing in subsection (a) shall prevent an employer from:

     (1)  Accessing information about an employee that is publicly available;

     (2)  Complying with a federal or state law, court order, or rule of a self-regulatory organization established by federal or state statute, including a self-regulatory organization as defined in section 3(a)(26) of the Securities Exchange Act of 1934, title 15 United States Code section 78c(a)(26);

     (3)  Implementing and enforcing a policy pertaining to the use of employer-issued electronic communications device or to the use of an employee-owned electronic communications device that will be used for business purposes; or

     (4)  Requiring or requesting, based upon specific facts about the employee's protected personal online account, access to the content of, but not the login information for, the account in order to:

          (A)  Ensure compliance, or investigate non-compliance, with:

              (i)  Federal or state law; or

             (ii)  An employer prohibition against work-related employee misconduct of which the employee has reasonable notice, which is in a record, and that was not created primarily to gain access to a protected personal online account; or

          (B)  Protect against:

              (i)  A threat to safety;

             (ii)  A threat to employer information technology or communications technology systems or to employer property; or

            (iii)  Disclosure of information in which the employer has a proprietary interest or information that the employer has a legal obligation to keep confidential.

     (c)  An employer that accesses employee content for a purpose specified in subsection (b)(4) shall:

     (1)  Reasonably attempt to limit its access to content that is relevant to the specified purpose;

     (2)  Use the content only for the specified purpose; and

     (3)  Not alter the content unless necessary to achieve the specified purpose.

     (d)  An employer that acquires the login information for an employee's protected personal online account by means of otherwise lawful technology that monitors the employer's network, or employer-provided devices, for a network security, data confidentiality, or system maintenance purpose:

     (1)  Shall not use the login information to access or enable another person to access the account;

     (2)  Shall make a reasonable effort to keep the login information secure;

     (3)  Unless otherwise provided in paragraph (4), shall dispose of the login information as soon as, as securely as, and to the extent reasonably practicable; and

     (4)  If the employer retains the login information for use in an ongoing investigation of an actual or suspected breach of computer, network, or data security, it shall make a reasonable effort to keep the login information secure and dispose of it as soon as, as securely as, and to the extent reasonably practicable after completing the investigation.

     (e)  Nothing in subsection (a) shall be construed to diminish the authority or obligation of an employer to investigate complaints, allegations, or the occurrence of sexual, racial, or other prohibited harassment under part I of chapter 378.

     §   -4  Protection of student online account.  (a)  Subject to the exceptions in subsection (b), an educational institution shall not:

     (1)  Require or coerce a student to:

          (A)  Disclose the login information for a protected personal online account;

          (B)  Disclose the content of the account, except that an educational institution may request a student to add the educational institution to, or to not remove the educational institution from, the set of persons to which the student grants access to the content;

          (C)  Alter the settings of the account in a manner that makes the login information for or content of the account more accessible to others; or

          (D)  Access the account in the presence of the educational institution in a manner that enables the educational institution to observe the login information for or content of the account; or

     (2)  Take, or threaten to take, adverse action against a student for failure to comply with an educational institution's:

          (A)  Requirement, coercive action, or request, that violates paragraph (1); or

          (B)  Request under paragraph (1)(B) to add the educational institution to, or to not remove the educational institution from, the set of persons to which the student grants access to the content of a protected personal online account.

     (b)  Nothing in subsection (a) shall prevent an educational institution from:

     (1)  Accessing information about a student that is publicly available;

     (2)  Complying with a federal or state law, court order, or rule of a self-regulatory organization established by federal or state statute; or

     (3)  Requiring or requesting, based upon specific facts about the student's protected personal online account, access to the content of, but not the login information for, the account in order to:

          (A)  Ensure compliance, or investigate non-compliance, with:

              (i)  Federal or state law; or

             (ii)  An educational institution prohibition against education-related student misconduct of which the student has reasonable notice, which is in a record, and that was not created primarily to gain access to a protected personal online account; or

          (B)  Protect against:

              (i)  A threat to safety;

             (ii)  A threat to the educational institution's information technology or communications technology systems or to educational institution property; or

            (iii)  Disclosure of information in which the educational institution has a proprietary interest or information that the educational institution has a legal obligation to keep confidential.

     (c)  An educational institution that accesses student content for a purpose specified in subsection (b)(3) shall:

     (1)  Reasonably attempt to limit its access to content that is relevant to the specified purpose;

     (2)  Use the content only for the specified purpose; and

     (3)  Not alter the content unless necessary to achieve the specified purpose.

     (d)  An educational institution that acquires the login information for a student's protected personal online account by means of otherwise lawful technology that monitors the educational institution's network, or educational institution-provided devices, for a network security, data confidentiality, or system maintenance purpose:

     (1)  Shall not use the login information to access or enable another person to access the account;

     (2)  Shall make a reasonable effort to keep the login information secure;

     (3)  Unless otherwise provided in paragraph (4), shall dispose of the login information as soon as, as securely as, and to the extent reasonably practicable; and

     (4)  If the educational institution retains the login information for use in an ongoing investigation of an actual or suspected breach of computer, network, or data security, it shall make a reasonable effort to keep the login information secure and dispose of it as soon as, as securely as, and to the extent reasonably practicable after completing the investigation.

     §   -5  Civil action.  (a)  The attorney general may bring a civil action in district court against an employer or educational institution for a violation of this chapter.  A prevailing attorney general may obtain:

     (1)  Injunctive and other equitable relief; and

     (2)  A civil penalty of up to $1,000 for each violation, but not exceeding $100,000 for all violations caused by the same event.

     (b)  An employee or student may bring a civil action against the employee's employer or student's educational institution for a violation of this chapter.  A prevailing employee or student may obtain:

     (1)  Injunctive and other equitable relief;

     (2)  Actual damages; and

     (3)  Costs and reasonable attorney's fees.

     (c)  An action under subsection (a) shall not preclude an action under subsection (b), and an action under subsection (b) shall not preclude an action under subsection (a).

     (d)  This chapter shall not affect a right or remedy available under any law other than this chapter.

     §   -6  Uniformity of application and construction.  In applying and construing this chapter, consideration shall be given to the need to promote uniformity of the law with respect to its subject matter among states that enact it.

     §   -7  Relation to Electronic Signatures In Global and National Commerce Act.  This chapter modifies, limits, or supersedes the Electronic Signatures in Global and National Commerce Act, title 15 United States Code section 7001 et seq., but does not modify, limit, or supersede section 101(c) of that Act, title 15 United States Code section 7001(c), or authorize electronic delivery of any of the notices described in section 103(b) of that Act, title 15 United States Code section 7003(b).

     §   -8  Relation to other state laws.  If any provision in this chapter conflicts with a provision in any other chapter, the provision in this chapter shall control.

     §   -9  Severability.  If any provision of this chapter or its application to any person or circumstance is held invalid, the invalidity does not affect other provisions or applications of this chapter that can be given effect without the invalid provision or application, and to this end the provisions of this chapter are severable."

     SECTION 2.  This Act does not affect rights and duties that matured, penalties that were incurred, and proceedings that were begun before its effective date.

     SECTION 3.  This Act shall take effect on January 1, 2021.

 

INTRODUCED BY:

_____________________________

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 


 


 

Report Title:

Online Privacy; Employees; Students

 

Description:

Establishes The Uniform Employee and Student Online Privacy Protection Act that adopts uniform laws on protecting the online accounts of employees, prospective employees, unpaid interns, applicants, students, and prospective students from employers and educational institutions.

 

 

 

The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.