Employers that monitor their employees’ electronic activities should note that New York State will soon require employers to (i) provide written or electronic notice to employees upon hiring of such monitoring in the workplace, and (ii) post notice of such monitoring. Any such notice must be posted conspicuously. Although many employers already provide notice of monitoring as part of their cybersecurity and privacy programs and/or through their handbooks or other stand-alone policies, and some employers also provide such notice to their employees to limit assertions and claims that the employees have any expectation of privacy in using the employer’s email and other electronic systems, New York State is raising the specter of enforcement activity and civil penalties if an employer’s notice does not describe the monitoring used in the employer’s systems appropriately and conspicuously.
New York’s New Electronic Monitoring Law
On November 8, 2021, Governor Kathy Hochul signed into law an act that amends the Civil Rights Law and requires employers in New York State to provide notice to an employee upon hire where the employer “monitors or otherwise intercepts” telephone calls, emails, or internet usage or access using “any electronic device or system” (the “Act”).[1] The notice must be in writing or sent electronically, and the employee must acknowledge receipt in writing or electronically. In addition, the employer must post the notice “in a conspicuous place.”[2] The Act goes into effect on May 7, 2022. As of that date, new hires should be provided the notice, and the notice should be posted conspicuously in either a physical location or company intranet, for example.[3]
Employers that violate the Act, which the attorney general is authorized to enforce, may be subject to civil penalties up to a maximum of $500 for the first offense, $1,000 for the second offense, and $3,000 for the third and each subsequent offense.[4] There is no private right of action. Employees asserting other types of claims relying in whole or in part on their expectation of workplace privacy, however, might seek to bolster their assertions in the event of statutory noncompliance. Although New York State does not presently recognize a common law tort based upon invasion of employee privacy, it is likely that employees asserting claims or defenses in employment litigations may seek to leverage any failure to comply (e.g., when evidence of employee misconduct is discovered through monitoring for which no notice was provided).
The Act also provides a safe harbor, whereby “[t]he provisions of this section shall not apply to processes that are designed to manage the type or volume of incoming or outgoing electronic mail or telephone voice mail or internet usage, that are not targeted to monitor or intercept the electronic mail or telephone voice mail or internet usage of a particular individual, and that are performed solely for the purpose of computer system maintenance and/or protection.”[5] Thus, certain system-based tasks such as spam filtering, proxy servers, or firewall protections that merely scan or block certain electronic transmissions would not be covered activity that would trigger the notice requirements of the Act. Nevertheless, employers should inventory such systems, such as data loss prevention tools, to determine if they perform additional functions that might trigger a notice requirement.
Conspicuously absent from the Act are any definitions of the terms “monitor,” “intercept,” “transmission,” and “photoelectronic or photo-optical systems.” Certain definitions for some of these terms are included in other statutes—e.g., the Federal Wiretap Act (18 U.S.C. §§ 2510‐2522), the Electronic Communications Privacy Act (18 U.S.C. §§ 2510-2523), and the Stored Communications Act (18 U.S.C. §§ 2701-2712). Nonetheless, there are open questions concerning how the statutory terms might be applied in the particular context of the Act.
In addition, the Act is not, on its face, limited to employer systems or applications. Thus, there are open questions concerning the applicability of, and implementation of, any notice requirements where an employee’s usage may be monitored when the employee accesses an employer’s vendor’s system or device.
Although the Act might be considered a new burden on New York employers, some other states already have similar laws in place.[6] Indeed, employers that routinely monitor telephone, email, and internet usage for regulatory purposes might already have some type of notice in place. Even so, the Act may require an employer to update that notice or applicable provision in the employee handbook or otherwise available electronically, and to post the revised notice accordingly.
What New York Employers Should Do Now
-
Audit electronic systems and devices and information technology practices regarding security, regulatory needs, data loss, and compliance to ensure you have a comprehensive understanding of all the ways employees’ electronic usage may be monitored or intercepted.
-
Draft a notice that is consistent with, and accurately reflects, practices regarding monitoring or intercepting emails and other electronic systems, including telephone calls and internet usage, and provide the same, with an acknowledgment section, to new employees in accordance with the Act.
-
Integrate the acknowledgement requirement into the onboarding process or another standard process on or before May 7, 2022, to ensure an acknowledgement is signed (either on paper or in electronic format) or otherwise electronically evidenced upon the commencement of employment and before commencement of any monitoring or intercepting.
-
Consider updating handbook(s) and any other relevant policies to provide clear, ongoing guidance regarding the types of monitoring or intercepting that occur, and confirm there is an acknowledgment section for the handbook or policy.
-
Post notice of electronic monitoring in a place (either physical or online, or both) that is conspicuous for employees who are subject to such monitoring.
[1] A.430/S.2628, N.Y. Civ. Rights Law § 52-c.2.(a). “Employer” includes “any individual, corporation, partnership, firm, or association with a place of business in the state” but does not include “the state or any political subdivision of the state.” N.Y. Civ. Rights Law § 52-c.1.
[2] Id.
[3] The Act’s stated purpose is “[t]o require employers who engage in employee e-mail monitoring to provide notice to their employees about such monitoring.” S.2628. As noted above, the statutory provisions cover monitoring of electronic systems in addition to email.
[4] N.Y. Civ. Rights Law § 52-c.3.
[5] Id. § 52-c.4. (emphasis added).
[6] See, e.g., Del. Code tit. 19, § 705(b) (prohibiting employer monitoring or intercepting of telephone and email communications and internet usage and access without notice to employees of such a practice or policy).