New Utah Law Bars Employers from Requesting Login Information for Personal Accounts | Practical Law

New Utah Law Bars Employers from Requesting Login Information for Personal Accounts | Practical Law

Utah recently enacted the Internet Employment Privacy Act (IEPA), which bans employers from asking employees and job applicants to provide login information for their personal internet accounts. 

New Utah Law Bars Employers from Requesting Login Information for Personal Accounts

Practical Law Legal Update 4-525-6121 (Approx. 6 pages)

New Utah Law Bars Employers from Requesting Login Information for Personal Accounts

by PLC Labor & Employment
Published on 05 Apr 2013Utah
Utah recently enacted the Internet Employment Privacy Act (IEPA), which bans employers from asking employees and job applicants to provide login information for their personal internet accounts.
On March 27, 2013, Utah Governor Gary Herbert signed into law the Internet Employment Privacy Act (IEPA), which bans employers from asking employees and job applicants to provide the login information of their personal internet accounts. Utah is the seventh state to enact a law protecting the privacy of employees' social media accounts, joining California, Delaware, Illinois, Maryland, Michigan and New Jersey, which passed similar laws recently (see, for example, Legal Updates, New Maryland Law Bars Employers from Requesting Login Information for Personal Accounts and New Illinois Law Bars Employers from Requesting Login Information to Social Networking Sites).
Under the IEPA, private and public employers in Utah cannot:
  • Ask an employee or job applicant to disclose a username and password, or a password that allows access to the employee's or applicant's personal internet account.
  • Take adverse action in the terms and conditions of employment, fail to hire or otherwise penalize an employee or job applicant for failing to disclose his protected internet information.
However, under the IEPA employers may:
  • Request or require an employee to disclose a username or password required only to gain access to the employer's electronic communications device, account or service.
  • Discipline or discharge an employee for transferring the employer's proprietary or confidential information or financial data to the employee's personal internet account without the employer's authorization.
  • Investigate other employee misconduct that involved the use of the employee's personal internet account.
  • Restrict or prohibit employees from accessing certain websites while using the employer's electronic communications device or computer network.
  • Monitor, review, access or block electronic data and communications stored on the employer's electronic communications device or network.
  • Screen employees and job applicants.
Under the IEPA, employees and job applicants may receive up to $500 in damages from employers that violate the law.

Practical Implications

Utah employers and employers doing business in Utah should review their employment and hiring policies to ensure that employees and applicants are not asked for or required to provide prohibited login information. The IEPA gives employees and job applicants a private cause of action against employers that violate the law.
With similar laws under consideration elsewhere, all employers should keep informed of legislative developments at the state and national levels.