In response to media reports about employers and schools asking employees and students to disclose passwords to social media sites like Twitter, Facebook and Instagram, Michigan and five other states passed legislation in 2012 to prohibit employers from requiring employees or applicants to disclose their social media passwords.
What does the Michigan Internet Privacy Protection Act prohibit?
The Michigan Internet Privacy Protection Act (Public Act 478 of 2012) became effective on December 28, 2012. The Michigan Internet Privacy Protection Act (the Act) applies to employers (public and private) and all educational institutions (public and private primary schools, high schools, colleges, universities, trade schools, etc.). The Act prohibits employers and educational institutions from requiring current or prospective employees and students to disclose passwords to their personal Internet accounts and further prohibits employers or schools from discharging, disciplining, failing to hire, retaliating against or otherwise penalizing a person because of his or her refusal to provide the passwords to any of his or her personal Internet accounts. The Act also establishes criminal and civil penalties for employers and schools that violate the Act.
What is a Personal Internet account?
The Act defines “personal Internet account” as “an account created via a bounded system established by an internet-based service that requires a user to input or store access information via an electronic device to view, create, utilize, or edit the user’s account information, profile, display, communications, or stored data.” Because the Act defines personal Internet account broadly, it applies not only to Twitter, Facebook, Instagram and other social media accounts, but also email, online banking and similar services.
What is Access information?
The Act prohibits employers or educational institutions from requiring employees or prospective employees to “grant access to, allow observation of, or disclose information that allows access to or observation of a personal internet accounts.” “Access information” includes user names, passwords, login information or any other security information that protects access to a personal Internet account. Thus, employers or schools could still violate the Act even if they don’t require the disclosure of passwords if they do require the disclosure of other information that will enable them to obtain access to, monitor or observe non-public personal Internet accounts.
What does the Michigan Internet Privacy Protection Act not prohibit?
The Michigan Internet Privacy Protection Act recognizes that situations may arise when an employer or school has a legitimate need to violate a student or an employee’s privacy and obtain access to his or her personal Internet account. Thus, the Act states that employers and schools can conduct, or require cooperation in, an investigation for the purposes of complying with laws and regulations or school or work-related misconduct. The Act also authorizes employers and schools to demand the disclosure of access information to investigate a specific claim that an employee or student has transferred proprietary, confidential or financial information to a personal Internet account.
The Act authorizes requests for access information for the purpose of gaining access to an electronic communication device paid for in whole or in part by the employer. It also applies to accounts or services provided by the employer, obtained because of employment or used in the course of the employer’s business.
With respect to electronic communications devices and networks owned in whole or in part by an employer or educational institution, it is acceptable to block access to certain websites over its network or on one of its electronic communications devices; monitoring, reviewing or accessing electronic data stored on one of its electronic communications devices or passing through its network is also allowed.
Employers and schools are also in compliance with the Act if they view, access or utilize information of a current or prospective employee or student that can be obtained without required access information or is available in the public domain.
What are the penalties for violating the Michigan Internet Privacy Protection Act?
The Act creates both civil and criminal penalties for employers or educational institutions that violate the Act. An entity found in violation of the Act can be charged with a misdemeanor and fined up to $1,000. A current or prospective employee or student can file a civil action against an employer or school who he or she believes to be in violation of the Act. The civil action, if successful, will enjoin the employer or school from engaging in practices that violate the Act and award the plaintiff damages of not more than $1,000 plus reasonable attorney fees and court costs.
If the plaintiff plans to include a claim for damages in the civil action, at least 60 days before filing the claim he or she must write a letter with “reasonable documentation” enclosed to the employer or educational institution demanding compensation of not more than $1,000. A plaintiff who wishes to add a claim for damages after the action has already been filed may do so, but must also send a written demand for compensation at least 60 days before adding the claim for damages to the already filed action.
Seek legal representation
If you believe your employer or school is not in compliance with the Michigan Internet Privacy Protection Act or has otherwise violated your right to privacy, contact an attorney to schedule a consultation in which to discuss your case.