Imagine this: It’s your first day at a new job and your boss asks you to turn over your Facebook and Yahoo login credentials. Sound crazy? Prior to December 28, 2012, it wasn’t against the law. But the possibility of that happening no longer exists thanks Michigan’s Internet Privacy Protection Act.
The Act prohibits employers from requesting that an employee or applicant grant access to personal internet accounts or disclose information that allows access to the account by the employer. It also prohibits the employer from penalizing an employee or applicant for failing or refusing to grant access to their internet accounts. The same holds true for educational institutions as they cannot request that a student or prospect grant access to their internet accounts or penalize the student for refusing to provide this information.
So what brought this type of legislation to the forefront in Michigan? The issue became significant when a teacher’s aide was fired for refusing to provide login credentials to her social media account. While the story garnered much media coverage and discussion in the legal and human resource communities, most agreed that the potential liability associated with requiring an employee to provide this information outweighed any potential benefits. Governor Rick Snyder agreed. The Act was signed into law on December 28, 2012.
There are some exceptions to the Act, however, including the right of an employer to gain access to devices or accounts provided or maintained by the employer. Employers also have the right to take action if the employee compromises or transfers proprietary or confidential information or financial data to his or her personal internet account. In the same vein, the employer is not prohibited from conducting an investigation about activity on an employee’s personal account for the purposes of ensuring compliance with applicable laws and regulations. And the employer may restrict access to websites from employer-supplied devices without violating the Act.
Educational institutions have similar exceptions for devices or accounts maintained by the institution. From the student’s perspective, there should be no expectation of privacy when it comes to email or devices provided by the institution, consistent with the relationship of an employee and employer. The one gray area is the fact that the Act does not address whether the educational institution has the right to access an internet account of an alumni who may still use the account set up by the institution but no longer attends as a student.
In short, employers and educational institutions should make sure their internal policies are in line with the Act and employees and students should be aware of their rights as well. For more information, please refer to http://www.michbar.org/business/BLJ/Spring2013/khoury_hayner.pdf .
Michael S. Khoury of Jaffe Raitt Heuer & Weiss, P.C., Ann Arbor and Southfield, practices in the areas of information technology, electronic commerce, intellectual property, and commercial and corporate law.
Andrew T. Hayner is an attorney with Jaffe, Raitt, Heuer & Weiss, P.C. and is a member of the firm’s Corporate and Business Transaction Group. He is a graduate of Michigan State University College of Law and University of Detroit Mercy.