Michigan recently passed the Internet Privacy Protection Act (MIPPA), which prohibits employers and educational institutions from requiring employees and students to provide passwords and login information related to personal Internet accounts.
The Purpose of the Act
The MIPPA protects the privacy of employees and job applicants as well as current and prospective students by allowing them to keep private logins, user names, passwords, and other access information related to their personal Internet accounts. However, the Act does not interfere with an employer’s ability to monitor its electronic devices or computer systems or investigate whether confidential information has been disclosed or an employee has committed work-related misconduct.
Restrictions on Employers
Under the MIPPA, it is unlawful for an employer (defined as any person engaged in business, industry, or the like, and includes any agent, representative, or designee of the employer) to ask an employee or applicant to grant access to, allow observation of, or disclose information that allows access to or observation of the employee’s or applicant’s personal Internet account. Similarly, you cannot discharge, fail to hire, or otherwise penalize an employee or applicant for failing to do so.
However, the Act does not prohibit an employer from requesting or requiring disclosure of information to gain access to or operate an (1) electronic communications device paid for by the employer or (2) account or service provided by the employer or used for the employer’s business. The Act also doesn’t prohibit you from disciplining or discharging an employee for disclosing your proprietary, confidential, or financial information through the employee’s personal Internet account without your authorization.
The Act does not prohibit employers from conducting an investigation related to activity on an employee’s personal Internet account for the purpose of ensuring compliance with applicable laws or prohibitions against work-related employee misconduct or the unauthorized disclosure of proprietary, confidential, or financial data. In addition, it is not unlawful for an employer to investigate whether an employee violated a restriction prohibiting access to certain websites while using an electronic communications device paid for by the employer or an employer’s network or resources.
Further, the MIPPA does not prohibit an employer from monitoring, reviewing, or accessing electronic data stored on an electronic communications device paid for by the employer or traveling through or stored on the employer’s network. Finally, the Act does not prohibit or restrict an employer from viewing, accessing, or using information about an employee or applicant that (1) can be obtained without access information or (2) is available in the public domain.
Restrictions on Educational Institutions
Under the MIPPA, an “educational institution” includes public and private educational institutions. An educational institution cannot ask a current or prospective student to grant access to, allow observation of, or disclose information that allows access to or observation of the individual’s personal Internet account. An educational institution also cannot expel, discipline, fail to admit, or otherwise penalize a current or prospective student for refusing to grant access to, allow observation of, or disclose information that allows access to or observation of a personal Internet account.
However, the Act does not prohibit an educational institution from requesting or requiring a student to disclose information to gain access to or operate (1) an electronic communications device paid for in whole or in part by the educational institution or (2) an account or service provided by the educational institution or used by the student for educational purposes. The Act also does not prohibit or restrict an educational institution from viewing, accessing, or using information about a student or applicant that (1) can be obtained without any required access information or (2) is available in the public domain.
A violation of the Act is a misdemeanor punishable by a fine of not more than $1,000. Individuals can sue to recover up to $1,000 in damages plus reasonable attorneys’ fees and court costs and injunctive relief.
Melinda A. Balian is a partner in the Detroit and Grand Rapids offices of Foley & Mansfield, focusing her practice in employment law and litigation. She also works extensively with health care professionals and organizations. For addition information or assistance, contact Melinda at email@example.com.