As of today, March 12, 2024, a New York state statute, in certain circumstances, restricts employers “from requesting or requiring that an employee or applicant disclose any . . . means for accessing a personal account through specified electronic communications devices.” The law, Assembly Bill A836 (“A836”), signed by Gov. Kathy Hochul on September 14, 2023, brings to the forefront the tension between employees’ right to privacy and the Securities and Exchange Commission’s (“SEC”) focus on firms’ surveillance of personal devices for compliance with SEC recordkeeping obligations. Indeed, while A836 increases privacy protections for employees, employers—particularly those subject to the recordkeeping requirements under the federal securities laws, including registered investment advisers (“RIAs”) and broker-dealers—need to be mindful of how A836 may impact certain policies and procedures. A836 may also impact New York employers’ labor practices, particularly in screening new hires and investigating potential employee misconduct. Nevertheless, the statute contains key limitations in scope, discussed below, of which employers should remain aware.

I. Background on A836

A836, which adds Section 201-i to the New York Labor Law, places New York in conformity with 26 other states, including California and Illinois, which have enacted similar provisions.¹ The bill’s enactment coincides with a broad rise in concern over privacy issues and concomitant surge of privacy-focused legislation, not least amongst which are the California Privacy Rights Act and the European Union’s General Data Protection Regulation.²

At the same time, the legislation follows a flurry of recent enforcement actions brought by the SEC and Commodity Futures Trading Commission (“CFTC”) which, since December 2021, have cumulatively resulted in settlements with approximately 60 firms, totaling about $2.6 billion in fines.³ These actions were brought for breaches of the recordkeeping requirements created by Rule 17a-4(b)(4), under the Securities Exchange Act of 1934, and Rule 204-2(a)(7), under the Investment Advisers Act of 1940. Rule 17a-4(b)(4) generally requires a broker-dealer to retain all communications relating to its business.⁴ While Rule 204-2(a)(7) also imposes recordkeeping obligations on investment advisers, the rule is not as broad as Rule 17a-4(b)(4) in that it does not require retention of all communications relating to the adviser’s business. Rather, Rule 204-2(a)(7) limits the retention requirement to specifically prescribed categories of communications.⁵ Because the SEC and CFTC treat both rules as applicable to “off-channel” communications—i.e., those made not through official firm accounts or firm-approved platforms that capture and retain the communications, but rather through an employee’s personal accounts or devices, e.g., personal SMS messages—firms were charged with rule violations when they failed to preserve and monitor for such communications made through employees’ personal accounts.

Significantly, the SEC and CFTC found not only that the relevant firms failed to monitor for and retain required communications, but also that the firms failed to reasonably supervise employees such that violations could be prevented and detected. This was true even where firm policy clearly prohibited the use of off-channel communications. As such, some firms may have begun taking steps to monitor employees more proactively for compliance with off-channel communications policies, with one such measure potentially including to spot-check employees’ personal devices for evidence of prohibited communications. The enactment of A836, which limits employer access to employees’ accounts, devices, and communications, can complicate these efforts as discussed further below.

II. Noteworthy Restrictions

The New York legislation broadly applies, with very limited exceptions, to all employers, both public and private, within New York, and covers all employee personal devices and accounts.⁶ The statute renders it unlawful for an employer to request or require an employee or applicant to:

1. Disclose usernames, passwords, or authentication information used to access a personal account through an electronic communications device;
2. Access personal accounts in the presence of employers; and
3. Reproduce materials found within a personal account where the available material was obtained by prohibited means.

Under the legislation, a “personal account” is defined broadly as an electronic medium profile where users create, share, and view user-generated content. This includes social media profiles, photo and video storage, instant messaging accounts, and profiles that are used by an individual for purely personal purposes. Employer access to these personal accounts is largely restricted regardless of the device used to access the accounts, including when the device is employer provided.

However, the scope of A836 is limited in several key respects. Importantly, A836 applies only to purely personal accounts, and the statute does not prohibit the collection of communications made using business applications, even when such applications are installed on personal devices. Similarly, mixed-use accounts containing both business and personal communications are not covered. A836 also expressly permits employers to request passwords for non-personal accounts that provide access to the employer’s internal computer or information systems. Further, A836 protects only account access information and does not cover other methods of data collection by employers.

As such, employers may continue to monitor and restrict data usage and internet traffic within their facilities without running afoul of the law.

III. Considerations for Employers

A836 is explicit that its provisions do not alleviate employers from any duty to “screen employees or applicants prior to hiring or to monitor or retain employee communications that is established under federal law or by a self regulatory organization.”⁷ To that end, A836 creates an affirmative defense when the employer acted to comply with the requirements of a federal, state, or local law. While the scope of these provisions, and their interplay with the other remainder of A836, remains uncertain, covered entities must continue to take into consideration their legal obligations, including those under the federal securities laws and labor laws.

A. Hiring

When it comes to hiring, employers may need to adjust their procedures for screening job applicants. Employers who conduct social media screening of prospective employees cannot request or require access to the personal accounts of job applicants nor can they require job applicants to access those accounts in the employer’s presence. However, an employer may view information on an applicant’s social media account if the account is available publicly or the applicant voluntarily allows the employer access to their accounts by, for example, accepting a request from the employer to connect as a “friend” or “follower.” Critically, employers must not pressure, require, or coerce job applicants into allowing the employers to access such accounts.

B. Monitoring Communications

Employers may—and often should—continue to monitor employee communications for compliance purposes and nothing in A836 prohibits employers from engaging in the following:

1. Requesting or requiring access to employee accounts known to the employer to be used for firm business.
2. Requesting or requiring an employee to disclose usernames and passwords where (i) the employer provided the concerned account; (ii) the account was used for business purposes; and (iii) the employee was on notice of the employer’s right to access that information.
3. Accessing employee devices paid for in whole or in part by the employer, so long as (i) the provision of payment was conditioned on the employer’s right to access the device; (ii) the employee had fair notice and explicitly agreed to such a condition; and (iii) the employer does not access solely personal accounts contained on the device.
4. Complying with court orders necessitating access to employee accounts.
5. Accessing publicly available information about employees, including private information employees voluntarily share with their employers.C. Internal Investigations

Employers have a continuing obligation to investigate employee misconduct. In some instances, this may require the employer to review communications or information contained in employees’ accounts or devices. Due to the restrictions imposed by A836, employers may need to review their policies and procedures for conducting such investigations to ensure compliance with this new legislation.

As noted above, A836 protects accounts used exclusively for personal reasons by significantly restricting an employer’s access. There are important exceptions to A836 to help ensure employers can comply with their legal obligations, particularly as it relates to investigating employee misconduct. For example, an employer is permitted to access employee accounts known to the employer to be used for firm business and to access information from publicly available sources or that which is voluntarily shared by an employee, third party, or client. Additionally, an employer can take steps to obtain access to additional business communications by providing express notice to its employees of the employer’s right to access the communications. This includes instances where: (1) the employer is seeking access to an account it provided to the employee to be used for business purposes; and (2) the employer pays for, in whole or in part, the employee’s device and the employee agrees that such payment is conditioned on the employer’s right to access the device. In the latter instance, the employer is prohibited from accessing solely personal accounts on the device.

IV. Protection from Adverse Employment Actions

Under A836, an employer cannot engage in specified adverse employment actions because of an employee or job applicant’s refusal to provide log-in information for their personal accounts. Specifically, employers may not discharge, discipline, or otherwise penalize employees or refuse to hire job applicants because of such refusal.

An employer may, however, terminate or discipline an employee who fails to adhere to a policy requiring employer access to accounts used for business purposes, including accounts on personal devices, so long as the employee is provided prior notice of the employer’s right to request or require such access. An employer also may discipline an employee for accessing prohibited websites while using a device paid for in whole or in part by the employer where the provision or payment for the device was conditioned on the employer’s right to restrict such access and the employee was given prior notice of such conditions and explicitly agreed to them. Nevertheless, employers should ensure internal policies are narrowly drafted to not be overinclusive of the purely personal accounts protected under A836.

V. Conclusion

A836, while complicating the landscape for both compliance with federal securities law and labor laws, is unlikely to prevent firms from complying with their state and federal legal obligations. Nevertheless, New York employers, particularly RIAs and broker-dealers, should remain mindful of the new restrictions this legislation will impose.

In light of A836 taking effect today, New York employers should review their policies and procedures (including but not limited to those policies on hiring, social media usage, investigation of misconduct, monitoring of communications, and retaliation) for purposes of:

1. Identifying potential conflicts with the terms of A836;
2. Providing safeguards against the inadvertent disclosure of information derived from protected accounts; and
3. Prohibiting retaliation against an employee for failing or refusing to provide access information to their personal accounts.

Finally, where required, employers should be sure to clearly notify employees of the employer’s ability to access certain business information and communications, including those on an employee’s personal device, as well as non-personal accounts that are maintained on a device that is provided or paid for by the employer.

These policies should be narrowly drafted to help protect employers from improperly accessing an employee’s purely personal accounts protected under A836. Moreover, when designing compliance policies, employers must carefully balance the constraints imposed by recent privacy laws with their ongoing regulatory obligations.

* The authors would like to thank Sierra Sanchez for her contributions to this OnPoint.

1. Arkansas (Ark. Code Ann. § 11-2-124), California (Cal. Lab. Code § 980), Colorado (Colo. Rev. Stat. § 8‑2‑127), Connecticut (Conn. Gen. Stat. § 31-40x), Delaware (Del. Code Ann. tit. 19, § 709A), Hawaii (Haw. Rev. Stat. §§ 487G-1 to -8), Illinois (820 Ill. Comp. Stat. 55/10), Louisiana (La. Stat. Ann. §§ 51:1951–1955), Maine (Me. Stat. tit. 26, §§ 615–619), Maryland (Md. Code Ann., Lab. & Empl., § 3-712), Michigan (Mich. Comp. Laws Ann. §§ 37.271–.278), Montana (Mont. Code Ann. § 39-2-307), Nebraska (Neb. Rev. Stat. §§ 48-3501 to ‑3511), Nevada (Nev. Rev. Stat. § 613.135), New Hampshire (N.H. Rev. Stat. Ann. § 275:74), New Jersey (N. J. Stat. Ann. §§ 34:6B‑5 to -10), New Mexico (N.M. Stat. Ann. § 50-4-34), Oklahoma (Okla. Stat. tit. 40, §§ 173.2–.3), Oregon (Or. Rev. Stat. § 659A.330), Rhode Island (R.I. Gen. Laws, §§ 28-56-1 to -6), Tennessee (Tenn. Code Ann. §§ 50‑1‑1001 to -1004), Utah (Utah Code Ann. §§ 34-48-101 to ‑301), Vermont (Vt. Stat. Ann. tit. 21, § 495l), Virginia (Va. Code Ann. § 40.1‑28.7:5), Washington (Wash. Rev. Code §§ 49.44.200, .205), West Virginia (W. Va. Code § 21-5H-1), and Wisconsin (Wis. Stat. § 995.55).
2. See generally Fredric D. Bellamy & Ashley N. Fernandez, A New Era of Privacy Laws Takes Shape in the United States, Reuters (Nov. 15, 2023), https://www.reuters.com/legal/legalindustry/new-era-privacy-laws-takes-shape-united-states-2023-11-15/.
3. For CFTC enforcement actions, see Press Release, CFTC Releases FY 2023 Enforcement Results (Nov. 7, 2023), https://www.cftc.gov/PressRoom/PressReleases/8822-23. For SEC enforcement actions, see Press Releases, https://www.sec.gov/news/press-release/2024-18 (Feb. 9, 2024); https://www.sec.gov/news/press-release/2023-212 (Sept. 29, 2023); , https://www.sec.gov/news/press-release/2023-149 (Aug. 8, 2023); https://www.sec.gov/news/press-release/2023-91 (May 11, 2023); https://www.sec.gov/news/press-release/2022-174 (Sept. 27, 2022); https://www.sec.gov/news/press-release/2021-262 (Dec. 17, 2021).
4. 17 C.F.R. § 240.17a-4(b)(4).
5. Specifically, Rule 204-2(a)(7) requires RIAs to retain “[o]riginals of all written communications received and copies of all written communications sent by such investment adviser relating to”: (1) any recommendations made or proposed to be made and any advice given or proposed to be given; (2) the receipt, disbursement or delivery of funds or securities; (3) the placing or execution of orders to purchase or sell securities; and (4) predecessor performance. 17 C.F.R. § 275.204-2(a)(7).
6. A836 exempts three categories of public employers from its restrictions: (i) law enforcement agencies; (ii) fire departments; and (iii) departments of corrections and community supervision. N.Y. Lab. Law § 201-i(6).
7. N.Y. Lab. Law § 201-i(5)(b).