Louisiana Legislature Passes Employee “Password Protection Law”

Josh Wood Trade Secret Insider Jones WalkerJosh Wood practices from the firm’s New Orleans office as an associate in the Labor and Employment Group. He contributes to Trade Secret Insider, a legal blog committed to providing timely legal insights on trade secrets, non-competes, computer fraud, and data theft. This post was originally published on tradesecretinsider.com and as an article in Volume 23 of the Louisiana Employment Law Letter.

Perhaps the most significant of the employment law bills passed by the Louisiana Legislature this year is the “Personal Online Account Privacy Protection Act” signed into by Governor Jindal on May 23, 2014.  Louisiana is now the 17th state to enact a “password protection law” aimed at protecting an employee’s personal online content included in personal email and other social media accounts.  The new law, which becomes effective on August 1, 2014, prohibits Louisiana employers from requesting information to access certain online content such as an employee’s personal email or social media accounts.  As social media, email, mobile devices, and cloud-based storage systems become more integrated into everyday business operations, Louisiana employers need to be aware of the details of, and their obligations under, the new law.

The Basics of Louisiana’s Password Protection Law

At its core, the new law prohibits Louisiana employers from discharging, refusing to hire, or otherwise penalizing an individual for failing to disclose credentials to his/her personal email or social media accounts.  Specifically, Louisiana employers may not request usernames, passwords, or other means of authentication that allow access to an employee’s or applicant’s “personal online account(s).”  Under the statute, a “personal online account” is defined as an account used by an employee exclusively for personal communications unrelated to any business purpose of the employer.  The definition of “personal online accounts” appears broad as it likely includes e-mail, instant messaging, social media and other media-sharing accounts.  However, the new law also includes a unique and significant limitation that actually makes it one of the narrowest of its kind compared to similar laws passed in other states.  It expressly provides that, to be protected under the law, a “personal online account” must be exclusively for personal use.  Thus, Louisiana’s password protection law does not apply to accounts created, serviced, maintained, used or accessed for any business purposes of the employer or to engage in any business-related communications even if also used by employees for personal purposes.

Possible Protections for Louisiana Employers

Louisiana’s password protection law includes various exceptions that employers should note. Many of those exceptions are intended to protect legitimate business interests and offer clarification to Louisiana employers regarding the scope and applicability of the new law.

First, as indicated above, the law does not cover accounts that are created, serviced, maintained, used or accessed by a an employee for business purposes of the employer or to engage in business related communications. Thus, the law does not prohibit employers from requesting or requiring that employees: a) disclose login information for any system or equipment provided by the employer; or b) reveal content in an account serviced or provided by the employer or those with which employees have access only by virtue of their employment relationship with the employer.  In other words, if the account is provided by or intended to benefit the employer, the restrictions of Louisiana’s password protection law likely will not apply.

Employers also should note that the new Louisiana law contains various exceptions for workplace investigations.  The statute expressly provides that employers may discipline or discharge employees for transferring confidential or proprietary information to a personal online account.  Employers also may conduct investigations into the unauthorized transfer of such information and require employees to cooperate in such investigations without disclosing their usernames and passwords for their personal accounts.  Note, however, that such investigations, may arise only after an employer receives specific information regarding an employee’s personal online account activity.

Another employer-friendly exception in the law protects employers who inadvertently receive an employee’s personal online account credentials.  Under this exception, employers are not liable for inadvertently obtaining an employee’s username, password, or other authentication information through the use of devices or programs that are employer provided or those that monitor an employer’s electronic network.

The statue offers further protection to Louisiana employers by allowing employers to view, access, and utilize information that is available in the public domain or that otherwise can be obtained without employees’ usernames, passwords, or other authentication information.  The law also specifies that it does not prohibit or restrict employees or applicants from self-disclosing personal credentials to employers that allow access to their personal online accounts.

Potential Conflict with National Labor Relations Act

Under the current administration, the National Labor Relations Board (“NLRB” or “Board”) has taken an aggressive stance, in both union and nonunion workplaces, toward enforcing employees’ rights under Section 7 of the National Labor Relations Act (“NLRA”) to engage in so-called “protected concerted activities.”  The current Board interprets protected concerted activities to include exchanging work-related information by and among employees on social media when the information relates to issues of common concerns such as compensation, work rules, and employment policies.  In this regard, the Board has been very aggressive in invalidating employer confidentiality, email, and social media policies that could be construed by employees to prohibit and punish them for engaging in such activities.  Therefore, notwithstanding the exceptions carved out in Louisiana’s new password protection law, before adopting policies and demanding that employees disclose any passwords or information shared via email or social media on employer-provided systems, employers should take care to ensure their actions do not infringe on employees’ Section 7 rights as currently interpreted by the NLRB.

Moving Forward:  Recommendations for Employers

It is unclear how the new law will be enforced as it does not expressly authorize employees or applicants to file lawsuits.  Nevertheless, to ensure compliance, Louisiana employers should keep the following in mind.

First, it’s important that Louisiana employers know what this new law does not change.  It does not limit an employer’s ability to restrict or prohibit employee access to certain websites while using devices paid for or provided, in whole or in part, by the employer or while using the employer’s network or other resources.  The new law also does not alter the existing obligations of employers under other laws, for example, with respect to background checking and  screening applicants and employees or monitoring or retaining employee communications through employer-provided technology.

As the August 1, 2014 effective date approaches, employers should review current company policies to identify any provisions that are inconsistent with Louisiana’s new law.  Specifically, employers must be certain that all social media, confidentiality, and/or computer use policies refrain from requesting or requiring access to non-public, personal online content.  Also, consider adding policies that specify acceptable conduct on employer-provided equipment or electronic networks.  Similarly, employers also may benefit from policies that establish various protocols and procedures for internal investigations into suspected misconduct.

Employers with multi-state operations should be especially careful as the number of states adopting this type of legislation continues to increase.  Each of the 17 states that have adopted password protection laws so far have added their own unique requirements.

Finally, Louisiana employers should take a cautious and conservative approach toward compliance.  Generally, unless there is a strong business interest recognized under the new law, Louisiana employers should avoid requesting access to the personal online content of their employees.