Hepler Broom, LLC

Expanding Prohibitions on Accessing Applicants’ and Employees’ Personal Online Accounts: An Amendment to Illinois’ Right to Privacy in the Workplace Act

April 19, 2017

Does your company monitor its network or devices for network security or data confidentiality? Does your company have any policies or practices that seek access to any employees’ personal online accounts? If so, a recent amendment to Illinois’ Right to Privacy in the Workplace Act (“Act”) may require your company to adopt or revise its policies or practices to comply with the law.

Expands the scope of protected content. The amendment has shifted the focus from social networking accounts or profiles to personal online accounts (POAs). A POA is “an online account, that is used by a person primarily for personal purposes.”[1] Thus, the amendment provides much broader coverage and will likely enable the Act to encompass the emergence of any new online accounts.

Increases the list of prohibited inquiries or activities. The amendment provides a new list of prohibited inquiries and activities, accounting for additional ways of accessing online accounts. For example, employers may not “require or coerce an employee or applicant to invite the employer to join a group affiliated with” the employee’s/applicant’s POA, “to join an online account established by the employer,” or to add the employer to a list of contacts that enables access to the employee’s/applicant’s POA.[2] Section 10 now also contains anti-retaliation provisions.[3]

Expounds upon what activities are not prohibited. The Act now specifies that employers may request or require employees or prospective employees to share specific content under certain circumstances. For example, specific content may be requested to investigate an allegation of an unauthorized transfer of “proprietary or confidential information or financial data” or to prohibit operation of a [POA] “during business hours, while on business property, while using an electronic communication device supplied by, or paid for by, the employer, or while using the employer’s network or resources.”[4] Additionally, the amendment specifies that an employer will not be liable for inadvertently receiving means to access a POA as a result of monitoring its network or devices for network security or data confidentiality unless it accesses (or enables a third party to access) the employee’s or prospective employee’s POA or fails to delete that information as soon as reasonably practicable. If network monitoring technology is likely to inadvertently receive such information, “the employer shall make reasonable efforts to secure that information.”[5]

If you would like additional information on how this law might affect you or your business, please contact Julieta A. Kosiba at (217) 993-7145 or  Julieta.Kosiba@heplerbroom.com .

[1] Right to Privacy in the Workplace Act, 820 Ill. Comp. Stat. 55/10(b)(6)(B) (2016).

[2] Id. § 55/10(b)(1)(C)-(D).

[3] Id. § 55/10(b)(1)(E)-(F).

[4] Id. § 55/10(b)(3)(C).

[5] Id. § 55/10(b)(4).