Amid the reporting of the newest round of settlements by broker-dealers and financial advisers in late September for employee engagement in off-line business communications, last month also saw New York Governor Kathy Hochul sign legislation (A.836) prohibiting employers from requesting that employees or job applicants disclose the login information—such as usernames and passwords—to their personal online or electronic accounts. The new law, which takes effect on March 12, 2024, also prohibits employers from retaliating against employees or applicants who refuse to provide login information to their personal accounts. As a result of this legislation, New York employers that routinely rely on information they obtain by accessing employees’ or applicants’ personal accounts when conducting internal investigations or responding to Government inquiries may need to adjust their investigative approach.

Expressly, under A.836, employers are prohibited from requesting, requiring, or coercing any employee or applicant to:

  1. disclose their username, password, authentication information, or any other information used to access their personal account(s) via an electronic communications device;
  2. access their personal account(s) in the employer’s presence; or
  3. reproduce in any manner photographs, video, or other information contained within a personal account obtained by means prohibited under the law.

“Personal account” is defined as “an account or profile on an electronic medium where users may create, share, and view user-generated content, including uploading or downloading videos or still photographs, blogs, video blogs, podcasts, instant messages, or internet website profiles or locations that is used by an employee or an applicant exclusively for personal purposes.”

Generally, “employer” is defined as any “person or entity engaged in a business, industry, profession, trade or other enterprise” in New York as well as state or local public and/or governmental agencies in New York (“Subject Companies”). The law does not apply to law enforcement agencies.

There are a few exceptions for Subject Companies under the new law, which permit them to seek access to personal accounts if:

  1. necessary to comply with a court order or federal, state, or local law;
  2. needed to access the employer’s internal computer or information systems (“nonpersonal account”);
  3. the account was provided by the employer and is used for business purposes, and the employer provided prior notice of its right to access the account; or
  4. the employer knows the account is being used for business purposes. 

Subject Companies are also permitted to access electronic communications devices or restrict access to their networks on electronic communications devices that they pay for—in whole or in part—when the payment was conditioned on the Subject Companies’ access rights. However, Subject Companies may not access any personal accounts on these devices.  Additionally, the law does not prevent Subject Companies from accessing personal account information that is publicly available or provided voluntarily.

Notably, A.836’s exceptions do not include an exception for conducting internal investigations aimed at possible voluntary disclosures of illegal conduct to the Department of Justice or other securities regulators (i.e., SEC, CFTC and FINRA). 

A.836 is scheduled to take effect in March 2024. With that effective date in mind, Subject Companies regulated by the SEC, CFTC or FINRA will need to update their privacy, technology, and communications policies and prepare to navigate a more challenging landscape for obtaining important information about employees and applicants. Although the law’s “federal, state or local law” exception leaves unclear whether responding to a formal subpoena falls within that exception or whether a court order compelling a response to the subpoena will be needed, A.836 will likely result only, at worse, in delays in responding to subpoenas, to the extent the law is construed to require a court order.  However, given the potential for delayed subpoena responses, A.836 could result in subpoenas issued directly to the individual employees whose off-line communications are sought in addition to the Company itself (at least where the Subject Company is unaware that the individual is using his/her personal account to conduct business).  This could, in turn, result in the Subject Company under investigation having to provide such employees with separate counsel to assist with the employees’ subpoena responses.  Having numerous individuals respond to separate subpoenas could in turn make it difficult for the Subject Companies to maintain information symmetry with the regulator. 

Notwithstanding A.836’s exception for legally-required responses, the SEC and the CFTC often proceed with investigations using informal letters of inquiry.  These letters lack compulsory force, and companies only respond to them voluntarily and in the spirit of cooperation.  Likewise, FINRA letters seeking information, at least upon initial issuance, also lack the force of law. Accordingly, Subject Companies receiving such letters of inquiry will likely be prohibited from searching employees’ personal devices and email accounts in response to them. Thus, the SEC/CFTC may instead proceed more often with formal subpoenas against Subject Companies and their implicated employees.  

The law does contain an exception for some self-regulatory-organization-related activity, including an employer’s “compl[iance] with a duty … to monitor or retain employee communications, that is established under federal law or by a self-regulatory organization, as defined in section 3(a)(26) of the securities and exchange act of 1934….”  However, while the federal securities laws’ books and records requirements request the maintenance of business records for certain time periods, including employees’ business-related communications, it is far from clear whether those laws “establish” a requirement that companies “monitor” employees’ off-line communications to do so, or whether the duty to retain employee communications encompasses a duty to search employees’ off-line communications without cause. At best, this exception raises more questions than answers, and Subject Companies are advised to tread carefully when relying upon this exception.

The new law will also likely frustrate Subject Companies’ internal investigation efforts, where compliance with federal, state or local law is not an issue. This enactment could not only hinder companies’ ability to detect illegal or otherwise non-compliant conduct by its employees, but it could also chill Subject Companies’ ability to avail themselves of the leniency and cooperation credit benefits conferred by voluntary self-disclosures to the federal government (which are by definition “voluntary,” and not necessary to comply with federal, state or local law) under current DOJ, SEC and CFTC enforcement guidance.

In any event, Subject Companies will need to adjust their recordkeeping and off-line communications policies and procedures to address the potential impact of A.836 when it kicks in in March. Ways in which Subject Companies can do this include:

Continuing to Strengthen Off-Line Communication Controls. This includes technological improvements in monitoring communications involving non-Company email addresses, strengthening disciplinary measures against employees upon discovery of their engagement in off-line communications for conducting business, frequent and documented employee training, and an environment that encourages – or at least does not discourage – the internal reporting of violations of the Subject Company’s prohibitions on off-line communications.  Given A.836’s exception for the personal accounts of employees that the Company knows has been using them for business communications, Subject Companies should implement technological solutions that detect business communications occurring in its system that involve emails with common personal email account domain names, like gmail.com, hotmail.com, aol.com, yahoo.com, icloud.com, and the like. These controls would enable firms to require employees to provide access to their offline accounts under this exception.

Incentivizing  Employee Consent to Access Personal Data. Subject Companies can put in place incentives to obtain employees’ consent to view their personal cell phones, devices, and email accounts.  For example, they could allow personal phones in the office only if such consent is given or offer financial incentives to employees for providing their consent. When formulating such incentives, however, Subject Companies must also be careful not to implement coercive policies lest they run afoul of A.836’s restrictions.

Moreover, to the extent any Subject Companies have put in place policies and procedures that require employees to turn over personal devices or email accounts as part of their remediation in connection with their settlements with the SEC or CFTC, they may need to revisit those policies and procedures. The independent compliance consultants assigned as part of these SEC/CTFC settlements will also need to keep the restrictions of A.836 in mind when advising settling companies going forward.

Non-New York-Based Companies Must Tailor Their Off-Line Communications Policies For New York-Based Employees.  By its terms, A.836 applies, in relevant part, to any employer “engaged in a business, industry, profession, trade or other enterprise” in the State of New York, including any agent, representative, or designee of the employer.  This new law would include any Company operating outside the State of New York that has employees working in the State. These Subject Companies must carefully build into its policies and procedures specific provisions uniquely tailored to the new restrictions applicable to New York employees under A.836.

Steptoe will continue to monitor new developments around A.836 and its implications.