On September 14, 2023, New York Governor Kathy Hochul signed into law Assembly Bill 836 ("A836") prohibiting employers, in certain circumstances, from requesting or requiring access to employee personal accounts such as email, text and mobile apps like WhatsApp through electronic devices. A836, which goes into effect on March 12, 2024, also prohibits employers from discharging, disciplining, or failing to hire individuals who refuse to provide such access; however, the law is limited in its scope to personal accounts and also contains important exceptions discussed below. A836 is incorporated within New York's labor law and applies to New York employees.

The law has recently drawn the attention of many asset managers because of its potential tension with the Securities and Exchange Commission's ("SEC") enforcement sweep that is focused on "off channel" business communications. The SEC has to date settled actions with more than 40 registrants for failing to retain business communications made through text messages, electronic messaging applications, and other "alternative" communication methods, often conducted using personal devices, which the SEC contends could be in breach of recordkeeping requirements under Rule 17a-4 ("Rule 17a-4"), adopted pursuant to the Securities Exchange Act of 1934 and applicable to broker dealers, and Rule 204-2(a)(7) ("Rule 204-2(a)(7)"), adopted pursuant to the Investment Advisers Act of 1940 and applicable to investment advisers. The CFTC has also brought and settled similar actions.

Ropes & Gray is monitoring developments and provides this update to help asset managers understand their obligations and properly assess their risk. Although this alert focuses on the law's applicability to asset managers and their recordkeeping obligations under federal securities laws, all employers conducting internal investigations or reviews of employee personal communications should also consider its restrictions in designing those reviews. It is also important to note that A836 is not an entirely new development. A836 was modeled on similar laws in states including California and Illinois restricting employer access to personal "social media" accounts that in some cases contain broad definitions making them applicable to personal email and other forms of electronic communication in many cases.[1] These laws similarly apply only to personal accounts rather than accounts used for business purposes and, like A836, include many pertinent exceptions.

If A836 restricts employers from requesting access to employee personal accounts, can asset managers still comply with the SEC's interpretation of its recordkeeping rules? Before pushing the panic button, asset managers should be aware that the reach of A836 is not as broad as it might at first seem: A836 only places restrictions on employers' ability to access accounts "used exclusively for personal purposes" and not accounts that are used to conduct business. Other exceptions related to regulatory compliance are also available. It is certainly possible to comply with both the SEC's interpretation of its recordkeeping rules and New York law, but care should be taken in designing those compliance programs.

Scope of A836: Restrictions Apply to Personal Accounts

A836 adds Section 201-i to the Labor Law and will prohibit employers from requesting, requiring, or coercing any current employees or job applicants to "disclose any username and password, password, or other authentication information for accessing a personal account through an electronic communications device" (emphasis added). The law also prohibits requiring access to the personal account in the presence of the employer and reproducing information obtained through such prohibited access.

In all cases, the restriction only applies to access to personal accounts, which exclude accounts utilized for business purposes. A836 does not restrict the collection of communications made using business applications, even if they are installed on personal devices. Likewise, A836 does not apply to mixed-use accounts used by an employee for both business and personal communications. "Personal account" is expressly defined as an account or profile "used by an employee or an applicant exclusively for personal purposes" (emphasis added). A836 further contains an express exemption clarifying that it does not apply to employer-provisioned accounts used for business purposes if the employee was informed of the employer's right to require access. In that regard, it is consistent with numerous other privacy laws, including in New York, permitting employer access to business-provisioned accounts but requiring advance notice to employees. E.g., N.Y. Civil Rights Law § 52-c.

Asset Managers Are Not Restricted from Complying with Duties to Retain Information Required by Duties to Monitor

A836 expressly does not restrict employers from complying with a duty to "monitor or retain employee communications that is established under federal law or by a self regulatory organization." The scope of that exemption has not yet been tested, but it should be interpreted to permit programs reasonably designed to facilitate compliance, even if they capture some communications not strictly falling within the duty to retain. A836 likewise provides an affirmative defense that the employer acted to comply with federal, state, or local law. Taken together, it is clear that A836 is not intended to prevent employers, such as asset managers, from taking steps reasonably necessary to ensure compliance with applicable legal requirements, including the SEC's recordkeeping rules. Asset managers should tailor their monitoring programs to ensure compliance with the law but should not assume that A836 is in direct conflict with the SEC rules.

Other Exemptions to A836 May Apply

A836 also contains other exceptions that may be applicable to particular types of data collection adopted by asset managers. Communications that can be obtained without the required authentication information, such as publicly available information, for example, are not subject to A836's restrictions. An employer is also permitted to view, access, or use information that is available without access information, exists in the public domain, or where access information to personal accounts was provided voluntarily for the purpose of obtaining reports of, or investigating, misconduct.

Asset Managers Should Structure Retention Programs to Ensure Compliance

Although A836 is unlikely to prevent asset managers from meeting their recordkeeping obligations under federal law, asset managers should continue to carefully evaluate the scope of their programs to ensure compliance. If they have not done so already, asset managers should ensure that employees receive notice regarding the potential need for access to personal accounts that are also used for business purposes. Similarly, asset managers should act with care in the event that an employee refuses to participate in a retention program applying to personal accounts, since A836, as well as other similar laws, potentially prohibits certain adverse employment actions resulting from a refusal to grant access to purely personal accounts. To ensure they fit within applicable exceptions and to address privacy risks arising in other contexts, asset managers may also assess steps to mitigate the risk of inadvertent access to personal communications by establishing clear protocols prior to their review.

Asset managers and other companies should also bear in mind that A836 does not directly impact existing case law on duties to preserve relevant communications. Even if employees use personal accounts, employers may still be deemed to have constructive control over their employees' preservation of such communications.

Ropes & Gray will continue to monitor developments regarding A836, other state privacy laws and the SEC's recordkeeping rules.

Footnote

1. Arkansas (A.C.A. § 11-2-124), California (Cal. Labor Code § 980), Colorado (C. R. S. A. § 8-2-127), Connecticut (C. G. S. A. § 31-40x), Delaware (19 Del.C. § 709A), Hawaii (HRS §§ 487G-1 – 487G-8), Illinois (820 I.L.C.S. 55/10), Louisiana (LSA-R.S. 51:1951 – 51:1955), Maine (26 M. R. S. A. §§ 615 – 619), Maryland (MD Code, Labor and Employment, § 3-712), Michigan (M. C. L. A. 37.271 – 37.278), Montana (MCA 39-2-307), Nebraska (Neb. Rev. St. §§ 48-3501 – 48-3511), Nevada (N. R. S. 613.135), New Hampshire (N.H. Rev. Stat. § 275:74), New Jersey (N. J. S. A. 34:6B-5 – 34:6B-10), New Mexico (NMSA 1978, § 50-4-34), Oklahoma (40 Okl. St. Ann. §§ 173.2 – 173.3), Oregon (O. R. S. § 659A.330), Rhode Island (Gen. Laws, 1956, §§ 28-56-1 – 28-56-6), Tennessee (T. C. A. §§ 50-1-1001 – 50-1-1004), Utah (U.C.A. 1953 §§ 34-48-101 – 34-48-301), Vermont (21 V.S.A. § 495l), Virginia (VA Code Ann. § 40.1-28.7:5), Washington (RCWA 49.44.200 and 49.44.205), West Virginia (W. Va. Code, § 21-5H-1), and Wisconsin (W. S. A. 995.55).
