A new law that employers should pay attention to is that gathering information from personal accounts is prohibited in New York. Communication between employer and employee is being re-examined since COVID across the globe. Changes will be made into law. Stay informed.

Craig Smith

Helping organisations share the ‘Big Picture’ with their people | Owner of The Big Picture People | Podcaster | July 15, 2020

There are precious few positives to have come out of the COVID-19 pandemic. However, all those weeks working from home have made everyone think differently about work-life balance and what is truly important. Many sectors have seen a widespread mindset change, which companies will need to address and, more importantly, embrace.

A once-in-a-lifetime opportunity for business

As we start to move back into the real world, this change in priorities gives forward-thinking companies a golden opportunity to scrutinise and re-evaluate their working practices and, where necessary, bring about significant organisational change. Post-crisis will be a time to re-connect with every employee, welcome as many of them back as possible, and re-focus on the core values of the business. For some companies, those core values may have changed. Vision statements may need some revision. To get everyone on board, employees will need to know why changes are needed, how they will be implemented and how this will affect their role within the business.

Challenges to effective communication

Obviously, not all organisations will still have the same workforce. Skills gaps will be an issue for many, leading to a serious challenge to any effective communication in the workplace. All businesses will have to define their new normal and communicate this effectively to their workforce. But how? If your organisation is going to be ready, now is the time to start planning your post-COVID communication strategy.

The limitations of online communication

Do ongoing social distancing measures mean that working from home will become the norm? Hopefully not, at least not every day. We know that communication in the workplace will have to change. However, while many organisations – and their employees – will have recognised the benefits of remote, flexible working and online communications, they have also discovered their limitations. How many of us are experiencing Zoom fatigue? Meeting up on screen is useful in a crisis but many people find it flat and socially awkward. Speech is unnatural and stilted, while the camera is a distraction as we tend to sit and look at ourselves. We miss out on participants’ body language and those all-important social signals. It cannot give us the same experience and it is simply not as productive as the real thing.

Simple pleasures

What have we all missed most in lockdown? Invariably, it is meeting up with family, coffee with friends, a night out at the pub. One thing that isolation has taught us is how much we need real human contact. Sales of board games have rocketed during the crisis as families re-connect with each other, shunning TV and gadgets in favour of enjoying simple pleasures together. Games are synonymous with connection, togetherness and family times like Christmas and birthdays. This type of fun, light-hearted interaction and visual communication will be a hugely important part of bringing workforces back together. Tools such as learning maps and interactive games transcend age, gender and hierarchical barriers. They are a sociable, gentle, yet highly-effective way of getting a message across.

Benefits of offline communication

We are, essentially, social animals. At work, we need people around us, not just for a quick chat about last night’s TV but, more importantly, for our productivity, engagement and mental wellbeing. Working in a bubble has been shown to have a long-term impact on mental health, which is why Wellbeing is set to be the number one priority as companies return to work. Without real, human-to-human interaction, we lose our sense of belonging, leading to a sense of disorientation and unhappiness. As humans, we thrive on social contact and the energy, buzz and spontaneity of being with people. With colleagues around us, there is always someone there to bounce ideas off, to inspire thoughts, actions and ideas. Human interaction sparks innovation and meaningful communication. For reintegration to be successful, it is going to need this human touch. Face-to-face wins hands down.

A sense of community

Another important lesson has been how much we have pulled together within our communities. Friendliness, kindness, compassion, and philanthropy have been the order of the day. All of these are expressed through human contact, even if it is through a window or 2 metres apart. As we return to work, businesses need to be mindful, and incorporate this feeling of community. The public’s change in mindset means that values have shifted. Our workplaces also need to reflect these changes.

Moving forward – offline

We have all proved that we can function remotely and online, and this may still have its place as we transition into a post-COVID world. However, just because we can does not mean that we should. Just as there is a big difference between existing and living, there is a world of difference between functioning as an employee and being happy, engaged and motivated. Our enforced isolation has shown that we are adaptable, that change is achievable. But what it has highlighted most is the real, unquestionable value of human-to-human communication.

New York Enacts Prohibition Against Employers Collecting Employee Communications from Personal Accounts

Authors Patrick F. Linehan, Shannon Reid, Steptoe.com

January 19, 2024

Amid the reporting of the newest round of settlements by broker-dealers and financial advisers in late September for employee engagement in off-line business communications, last month also saw New York Governor Kathy Hochul sign legislation (A.836) prohibiting employers from requesting that employees or job applicants disclose the login information—such as usernames and passwords—to their personal online or electronic accounts. The new law, which takes effect on March 12, 2024, also prohibits employers from retaliating against employees or applicants who refuse to provide login information to their personal accounts. As a result of this legislation, New York employers that routinely rely on information they obtain by accessing employees’ or applicants’ personal accounts when conducting internal investigations or responding to Government inquiries may need to adjust their investigative approach.

Expressly, under A.836, employers are prohibited from requesting, requiring, or coercing any employee or applicant to:

• disclose their username, password, authentication information, or any other information used to access their personal account(s) via an electronic communications device;
• access their personal account(s) in the employer’s presence; or
• reproduce in any manner photographs, video, or other information contained within a personal account obtained by means prohibited under the law.

“Personal account” is defined as “an account or profile on an electronic medium where users may create, share, and view user-generated content, including uploading or downloading videos or still photographs, blogs, video blogs, podcasts, instant messages, or internet website profiles or locations that is used by an employee or an applicant exclusively for personal purposes.”

Generally, “employer” is defined as any “person or entity engaged in a business, industry, profession, trade or other enterprise” in New York as well as state or local public and/or governmental agencies in New York (“Subject Companies”). The law does not apply to law enforcement agencies.

There are a few exceptions for Subject Companies under the new law, which permit them to seek access to personal accounts if:

• necessary to comply with a court order or federal, state, or local law;
• needed to access the employer’s internal computer or information systems (“nonpersonal account”);
• the account was provided by the employer and is used for business purposes, and the employer provided prior notice of its right to access the account; or
• the employer knows the account is being used for business purposes.

Subject Companies are also permitted to access electronic communications devices or restrict access to their networks on electronic communications devices that they pay for—in whole or in part—when the payment was conditioned on the Subject Companies’ access rights. However, Subject Companies may not access any personal accounts on these devices.  Additionally, the law does not prevent Subject Companies from accessing personal account information that is publicly available or provided voluntarily.

Notably, A.836’s exceptions do not include an exception for conducting internal investigations aimed at possible voluntary disclosures of illegal conduct to the Department of Justice or other securities regulators (i.e., SEC, CFTC and FINRA).

A.836 is scheduled to take effect in March 2024. With that effective date in mind, Subject Companies regulated by the SEC, CFTC or FINRA will need to update their privacy, technology, and communications policies and prepare to navigate a more challenging landscape for obtaining important information about employees and applicants. Although the law’s “federal, state or local law” exception leaves unclear whether responding to a formal subpoena falls within that exception or whether a court order compelling a response to the subpoena will be needed, A.836 will likely result only, at worse, in delays in responding to subpoenas, to the extent the law is construed to require a court order.  However, given the potential for delayed subpoena responses, A.836 could result in subpoenas issued directly to the individual employees whose off-line communications are sought in addition to the Company itself (at least where the Subject Company is unaware that the individual is using his/her personal account to conduct business).  This could, in turn, result in the Subject Company under investigation having to provide such employees with separate counsel to assist with the employees’ subpoena responses.  Having numerous individuals respond to separate subpoenas could in turn make it difficult for the Subject Companies to maintain information symmetry with the regulator.

Notwithstanding A.836’s exception for legally-required responses, the SEC and the CFTC often proceed with investigations using informal letters of inquiry.  These letters lack compulsory force, and companies only respond to them voluntarily and in the spirit of cooperation.  Likewise, FINRA letters seeking information, at least upon initial issuance, also lack the force of law. Accordingly, Subject Companies receiving such letters of inquiry will likely be prohibited from searching employees’ personal devices and email accounts in response to them. Thus, the SEC/CFTC may instead proceed more often with formal subpoenas against Subject Companies and their implicated employees.

The law does contain an exception for some self-regulatory-organization-related activity, including an employer’s “compl[iance] with a duty … to monitor or retain employee communications, that is established under federal law or by a self-regulatory organization, as defined in section 3(a)(26) of the securities and exchange act of 1934….”  However, while the federal securities laws’ books and records requirements request the maintenance of business records for certain time periods, including employees’ business-related communications, it is far from clear whether those laws “establish” a requirement that companies “monitor” employees’ off-line communications to do so, or whether the duty to retain employee communications encompasses a duty to search employees’ off-line communications without cause. At best, this exception raises more questions than answers, and Subject Companies are advised to tread carefully when relying upon this exception.

The new law will also likely frustrate Subject Companies’ internal investigation efforts, where compliance with federal, state or local law is not an issue. This enactment could not only hinder companies’ ability to detect illegal or otherwise non-compliant conduct by its employees, but it could also chill Subject Companies’ ability to avail themselves of the leniency and cooperation credit benefits conferred by voluntary self-disclosures to the federal government (which are by definition “voluntary,” and not necessary to comply with federal, state or local law) under current DOJ, SEC and CFTC enforcement guidance.

In any event, Subject Companies will need to adjust their recordkeeping and off-line communications policies and procedures to address the potential impact of A.836 when it kicks in in March. Ways in which Subject Companies can do this include:

Continuing to Strengthen Off-Line Communication Controls. This includes technological improvements in monitoring communications involving non-Company email addresses, strengthening disciplinary measures against employees upon discovery of their engagement in off-line communications for conducting business, frequent and documented employee training, and an environment that encourages – or at least does not discourage – the internal reporting of violations of the Subject Company’s prohibitions on off-line communications.  Given A.836’s exception for the personal accounts of employees that the Company knows has been using them for business communications, Subject Companies should implement technological solutions that detect business communications occurring in its system that involve emails with common personal email account domain names, like gmail.com, hotmail.com, aol.com, yahoo.com, icloud.com, and the like. These controls would enable firms to require employees to provide access to their offline accounts under this exception.

Incentivizing  Employee Consent to Access Personal Data. Subject Companies can put in place incentives to obtain employees’ consent to view their personal cell phones, devices, and email accounts.  For example, they could allow personal phones in the office only if such consent is given or offer financial incentives to employees for providing their consent. When formulating such incentives, however, Subject Companies must also be careful not to implement coercive policies lest they run afoul of A.836’s restrictions.

Moreover, to the extent any Subject Companies have put in place policies and procedures that require employees to turn over personal devices or email accounts as part of their remediation in connection with their settlements with the SEC or CFTC, they may need to revisit those policies and procedures. The independent compliance consultants assigned as part of these SEC/CTFC settlements will also need to keep the restrictions of A.836 in mind when advising settling companies going forward.

Non-New York-Based Companies Must Tailor Their Off-Line Communications Policies For New York-Based Employees.  By its terms, A.836 applies, in relevant part, to any employer “engaged in a business, industry, profession, trade or other enterprise” in the State of New York, including any agent, representative, or designee of the employer.  This new law would include any Company operating outside the State of New York that has employees working in the State. These Subject Companies must carefully build into its policies and procedures specific provisions uniquely tailored to the new restrictions applicable to New York employees under A.836.