HOUSE BILL No. 5623

 

May 10, 2012, Introduced by Rep. Opsommer and referred to the Committee on Energy and Technology.

 

     A bill to prohibit employers and educational institutions from

 

requiring certain individuals to disclose information that allows

 

access to certain personal data storage accounts; to prohibit

 

employers and educational institutions from taking certain actions

 

for failure to disclose information that allows access to certain

 

personal data storage accounts; and to provide remedies.

 

THE PEOPLE OF THE STATE OF MICHIGAN ENACT:

 

     Sec. 1. This act shall be known and may be cited as the

 

"personal data storage privacy act".

 

     Sec. 2. As used in this act:

 

     (a) "Access information" means user name, password, login

 

information, or other security feature that regulates control or

 

access to a personal data storage account or its contents.


 

     (b) "Educational institution" means a public or private

 

educational institution, a public or private educational testing

 

service or administrator, or a separate school or department of a

 

public or private educational institution, and includes an academy;

 

elementary or secondary school; extension course; kindergarten;

 

nursery school; school system; school district; intermediate school

 

district; business, nursing, professional, secretarial, technical,

 

or vocational school; and an agent of an educational institution.

 

Educational institution shall be construed broadly to include

 

public and private institutions of higher education to the greatest

 

extent consistent with constitutional limitations.

 

     (c) "Employer" means a person, including a unit of state or

 

local government, engaged in a business, industry, profession,

 

trade, or other enterprise in this state and includes an agent,

 

representative, or designee of the employer.

 

     (d) "Friending" means an act by which a personal data storage

 

account user grants full or partial access to other entities by

 

adding them to a list that regulates control or access to the

 

personal data storage account.

 

     (e) "Personal data storage account" means an electronic or

 

digital repository of personal data or information that can be

 

directly or remotely accessed via a computer, smart-phone,

 

telephone, or other device and includes, but is not limited to, a

 

social networking account, banking account, shopping account,

 

electronic mail account, texting account, internet access account,

 

contact list, address book, or cloud-based storage of personal

 

information.


 

     (f) "Shoulder surfing" means seeing or accessing data in a

 

personal data storage account after authorization from the account

 

user but without obtaining any user name, password, login

 

information, or other security feature from the account user.

 

     Sec. 3. An employer shall not do any of the following:

 

     (a) Request an employee or an applicant for employment to

 

disclose access information associated with the employee's or

 

applicant's personal data storage account.

 

     (b) Request an employee or applicant for employment to

 

authorize full or partial access to the employee's or applicant's

 

personal data storage account through friending or shoulder

 

surfing.

 

     (c) Subject to section 7, request an employee or applicant for

 

employment to waive any right under this act or to indemnify or

 

hold the employer harmless for a violation of this act.

 

     (d) Discharge, discipline, fail to hire, or otherwise

 

discriminate against an employee or applicant for employment for

 

his or her lack of a personal data storage account, failure to

 

authorize friending or shoulder surfing, or failure to disclose

 

access information for the employee's or applicant's personal data

 

storage account.

 

     Sec. 4. An educational institution shall not do any of the

 

following:

 

     (a) Request a student or prospective student to disclose

 

access information associated with the student's or prospective

 

student's personal data storage account.

 

     (b) Request a student or prospective student to authorize full


 

or partial access to the student's or prospective student's

 

personal data storage account through friending or shoulder

 

surfing.

 

     (c) Request a student or prospective student to waive any

 

right under this act or to indemnify or hold the educational

 

institution harmless for a violation of this act.

 

     (d) Discharge, discipline, fail to admit, or otherwise

 

discriminate against a student or prospective student for his or

 

her lack of a personal data storage account, failure to authorize

 

friending or shoulder surfing, or failure to disclose access

 

information associated with the student's or prospective student's

 

personal data storage account.

 

     Sec. 5. (1) An employer or educational institution, or an

 

agent of an employer or educational institution, that violates

 

section 3 or 4 is guilty of a misdemeanor punishable by

 

imprisonment for not more than 93 days or a fine of not more than

 

$1,000.00, or both.

 

     (2) An individual who is the subject of a violation of this

 

act may bring a civil action for a violation of section 3 or 4 and

 

may recover actual damages or $5,000.00, whichever is greater, and

 

reasonable attorney fees and court costs. Except for good cause,

 

not later than 60 days before filing a civil action, the individual

 

shall make a written demand of the alleged violator for the greater

 

of the amount of the individual's actual damages or $5,000.00. The

 

written demand shall include reasonable documentation of the

 

violation and, if applicable, of the actual damages. The written

 

demand and documentation shall either be served in the manner


 

provided by law for service of process in civil actions or mailed

 

by certified mail with sufficient postage affixed and addressed to

 

the alleged violator at his or her residence, principal office, or

 

place of business. An action under this subsection may be brought

 

in the circuit court for the county where the alleged violation

 

occurred or for the county where the person against whom the civil

 

complaint is filed resides or has his or her principal place of

 

business.

 

     Sec. 6. This act does not prohibit an employer from making a

 

decision not to hire an applicant for employment or from

 

disciplining or terminating an employee based on information

 

ordinarily available to the public or that is obtained through an

 

otherwise authorized background check.

 

     Sec. 7. This act does not prohibit a law enforcement agency

 

from doing any of the following:

 

     (a) Establishing a social media policy that prohibits its

 

employees from posting information on the internet that may

 

endanger the public, endanger law enforcement officers, jeopardize

 

criminal investigations, or otherwise run counter to the law

 

enforcement agency's mission or purpose.

 

     (b) Entering into an agreement with its employee bargaining

 

representative regarding the circumstances under which the employer

 

can be granted temporary shoulder-surfing access to personal social

 

media accounts as a condition of employment.