May 10, 2012, Introduced by Rep. Opsommer and referred to the Committee on Energy and Technology.
A bill to prohibit employers and educational institutions from
requiring certain individuals to disclose information that allows
access to certain personal data storage accounts; to prohibit
employers and educational institutions from taking certain actions
for failure to disclose information that allows access to certain
personal data storage accounts; and to provide remedies.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
Sec. 1. This act shall be known and may be cited as the
"personal data storage privacy act".
Sec. 2. As used in this act:
(a) "Access information" means user name, password, login
information, or other security feature that regulates control or
access to a personal data storage account or its contents.
(b) "Educational institution" means a public or private
educational institution, a public or private educational testing
service or administrator, or a separate school or department of a
public or private educational institution, and includes an academy;
elementary or secondary school; extension course; kindergarten;
nursery school; school system; school district; intermediate school
district; business, nursing, professional, secretarial, technical,
or vocational school; and an agent of an educational institution.
Educational institution shall be construed broadly to include
public and private institutions of higher education to the greatest
extent consistent with constitutional limitations.
(c) "Employer" means a person, including a unit of state or
local government, engaged in a business, industry, profession,
trade, or other enterprise in this state and includes an agent,
representative, or designee of the employer.
(d) "Friending" means an act by which a personal data storage
account user grants full or partial access to other entities by
adding them to a list that regulates control or access to the
personal data storage account.
(e) "Personal data storage account" means an electronic or
digital repository of personal data or information that can be
directly or remotely accessed via a computer, smart-phone,
telephone, or other device and includes, but is not limited to, a
social networking account, banking account, shopping account,
electronic mail account, texting account, internet access account,
contact list, address book, or cloud-based storage of personal
information.
(f) "Shoulder surfing" means seeing or accessing data in a
personal data storage account after authorization from the account
user but without obtaining any user name, password, login
information, or other security feature from the account user.
Sec. 3. An employer shall not do any of the following:
(a) Request an employee or an applicant for employment to
disclose access information associated with the employee's or
applicant's personal data storage account.
(b) Request an employee or applicant for employment to
authorize full or partial access to the employee's or applicant's
personal data storage account through friending or shoulder
surfing.
(c) Subject to section 7, request an employee or applicant for
employment to waive any right under this act or to indemnify or
hold the employer harmless for a violation of this act.
(d) Discharge, discipline, fail to hire, or otherwise
discriminate against an employee or applicant for employment for
his or her lack of a personal data storage account, failure to
authorize friending or shoulder surfing, or failure to disclose
access information for the employee's or applicant's personal data
storage account.
Sec. 4. An educational institution shall not do any of the
following:
(a) Request a student or prospective student to disclose
access information associated with the student's or prospective
student's personal data storage account.
(b) Request a student or prospective student to authorize full
or partial access to the student's or prospective student's
personal data storage account through friending or shoulder
surfing.
(c) Request a student or prospective student to waive any
right under this act or to indemnify or hold the educational
institution harmless for a violation of this act.
(d) Discharge, discipline, fail to admit, or otherwise
discriminate against a student or prospective student for his or
her lack of a personal data storage account, failure to authorize
friending or shoulder surfing, or failure to disclose access
information associated with the student's or prospective student's
personal data storage account.
Sec. 5. (1) An employer or educational institution, or an
agent of an employer or educational institution, that violates
section 3 or 4 is guilty of a misdemeanor punishable by
imprisonment for not more than 93 days or a fine of not more than
$1,000.00, or both.
(2) An individual who is the subject of a violation of this
act may bring a civil action for a violation of section 3 or 4 and
may recover actual damages or $5,000.00, whichever is greater, and
reasonable attorney fees and court costs. Except for good cause,
not later than 60 days before filing a civil action, the individual
shall make a written demand of the alleged violator for the greater
of the amount of the individual's actual damages or $5,000.00. The
written demand shall include reasonable documentation of the
violation and, if applicable, of the actual damages. The written
demand and documentation shall either be served in the manner
provided by law for service of process in civil actions or mailed
by certified mail with sufficient postage affixed and addressed to
the alleged violator at his or her residence, principal office, or
place of business. An action under this subsection may be brought
in the circuit court for the county where the alleged violation
occurred or for the county where the person against whom the civil
complaint is filed resides or has his or her principal place of
business.
Sec. 6. This act does not prohibit an employer from making a
decision not to hire an applicant for employment or from
disciplining or terminating an employee based on information
ordinarily available to the public or that is obtained through an
otherwise authorized background check.
Sec. 7. This act does not prohibit a law enforcement agency
from doing any of the following:
(a) Establishing a social media policy that prohibits its
employees from posting information on the internet that may
endanger the public, endanger law enforcement officers, jeopardize
criminal investigations, or otherwise run counter to the law
enforcement agency's mission or purpose.
(b) Entering into an agreement with its employee bargaining
representative regarding the circumstances under which the employer
can be granted temporary shoulder-surfing access to personal social
media accounts as a condition of employment.