HB-5523, As Passed House, September 12, 2012

SUBSTITUTE FOR

HOUSE BILL NO. 5523

     A bill to prohibit employers and educational institutions from requiring certain individuals to grant access to, allow observation of, or disclose information that allows access to or observation of personal internet accounts; to prohibit employers and educational institutions from taking certain actions for failure to allow access to, observation of, or disclosure of information that allows access to personal internet accounts; and to provide sanctions and remedies.

THE PEOPLE OF THE STATE OF MICHIGAN ENACT:

     Sec. 1. This act shall be known and may be cited as the "internet privacy protection act".

     Sec. 2. As used in this act:

     (a) "Access information" means user name, password, login information, or other security information that protects access to a personal internet account.

     (b) "Educational institution" means a public or private educational institution or a separate school or department of a public or private educational institution, and includes an academy; elementary or secondary school; extension course; kindergarten; nursery school; school system; school district; intermediate school district; business, nursing, professional, secretarial, technical, or vocational school; public or private educational testing service or administrator; and an agent of an educational institution. Educational institution shall be construed broadly to include public and private institutions of higher education to the greatest extent consistent with constitutional limitations.

     (c) "Employer" means a person, including a unit of state or local government, engaged in a business, industry, profession, trade, or other enterprise in this state and includes an agent, representative, or designee of the employer.

     (d) "Personal internet account" means an account created via a bounded system established by an internet-based service that requires a user to input or store access information via an electronic device to view, create, utilize, or edit the user's account information, profile, display, communications, or stored data.

     Sec. 3. An employer shall not do any of the following:

     (a) Request an employee or an applicant for employment to grant access to, allow observation of, or disclose information that allows access to or observation of the employee's or applicant's personal internet account.

     (b) Discharge, discipline, fail to hire, or otherwise penalize an employee or applicant for employment for failure to grant access to, allow observation of, or disclose information that allows access to or observation of the employee's or applicant's personal internet account.

     Sec. 4. An educational institution shall not do any of the following:

     (a) Request a student or prospective student to grant access to, allow observation of, or disclose information that allows access to or observation of the student's or prospective student's personal internet account.

     (b) Expel, discipline, fail to admit, or otherwise penalize a student or prospective student for failure to grant access to, allow observation of, or disclose information that allows access to or observation of the student's or prospective student's personal internet account.

     Sec. 5. (1) This act does not prohibit an employer from doing any of the following:

     (a) Requesting or requiring an employee to disclose access information to the employer to gain access to or operate any of the following:

     (i) An electronic communications device paid for in whole or in part by the employer.

     (ii) An account or service provided by the employer, obtained by virtue of the employee's employment relationship with the employer, or used for the employer's business purposes.

     (b) Disciplining or discharging an employee for transferring the employer's proprietary or confidential information or financial data to an employee's personal internet account without the employer's authorization.

     (c) Conducting an investigation or requiring an employee to cooperate in an investigation in any of the following circumstances:

     (i) If there is specific information about activity on the employee's personal internet account, for the purpose of ensuring compliance with applicable laws, regulatory requirements, or prohibitions against work-related employee misconduct.

     (ii) If the employer has specific information about an unauthorized transfer of the employer's proprietary information, confidential information, or financial data to an employee's personal internet account.

     (2) This act does not prohibit or restrict an employer from complying with a duty to screen employees or applicants prior to hiring or to monitor or retain employee communications that is established under federal law or by a self-regulatory organization, as defined in section 3(a)(26) of the securities and exchange act of 1934, 15 USC 78c(a)(26).

     Sec. 6. This act does not prohibit an educational institution from requesting or requiring a student to disclose access information to the educational institution to gain access to or operate any of the following:

     (a) An electronic communications device paid for in whole or in part by the educational institution.

     (b) An account or service provided by the educational institution that is either obtained by virtue of the student's admission to the educational institution or used by the student for educational purposes.

     Sec. 7. (1) This act does not create a duty for an employer or educational institution to search or monitor the activity of a personal internet account.

     (2) An employer or educational institution is not liable under this act for failure to request or require that an employee, a student, an applicant for employment, or a prospective student grant access to, allow observation of, or disclose information that allows access to or observation of the employee's, student's, applicant for employment's, or prospective student's personal internet account.

     Sec. 8. (1) A person who violates section 3 or 4 is guilty of a misdemeanor punishable by a fine of not more than $1,000.00.

     (2) An individual who is the subject of a violation of this act may bring a civil action to enjoin a violation of section 3 or 4 and may recover not more than $1,000.00 in damages plus reasonable attorney fees and court costs. Not later than 60 days before filing a civil action for damages or 60 days before adding a claim for damages to an action seeking injunctive relief, the individual shall make a written demand of the alleged violator for not more than $1,000.00. The written demand shall include reasonable documentation of the violation. The written demand and documentation shall either be served in the manner provided by law for service of process in civil actions or mailed by certified mail with sufficient postage affixed and addressed to the alleged violator at his or her residence, principal office, or place of business. An action under this subsection may be brought in the circuit court for the county where the alleged violation occurred or for the county where the person against whom the civil complaint is filed resides or has his or her principal place of business.

     (3) It is an affirmative defense to an action under this act that the employer or educational institution acted to comply with requirements of a federal law or a law of this state.