On November 8, 2021, New York Governor Kathy Hochul signed a new electronic monitoring law (S2628) requiring New York businesses that monitor or intercept employees’ e-mails, telephone calls, or internet usage to notify employees in writing of these practices.  The new law amends the state’s civil rights law and takes effect on May 7, 2022.

According to the memorandum submitted by the New York State legislature in support of the bill, one reason for the notice requirement is to “protect[] employee privacy by making sure that [employees] understand the consequences of inappropriate internet activity.”  The statute also purports to support businesses by permitting them to “retain the right to monitor computer usage, simply with the stipulation that employees are informed of surveillance practices. This knowledge will increase transparency within the organization and help to avoid lawsuits and litigation regarding invasion of privacy.”

A summary of the key provisions and requirements is below.

Who is covered?

All employers—regardless of size—with a place of business in New York are covered. The statute defines employers to include any individual, corporation, partnership, firm, or association, but does not include state entities.  The law applies to any employer who “monitors or otherwise intercepts telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage of or by an employee by any electronic device or system.”

What must covered employers do?

Employers covered by this law must provide prior written notice upon hire to all employees who are subject to electronic monitoring and obtain employees’ acknowledgment of the notice in writing or electronically. Employers are not expressly required to distribute the notice to current employees.  A notice of electronic monitoring must also be posted “in a conspicuous place which is readily available for viewing by its employees who are subject to electronic monitoring.”

What should the notice say?

The written notice must advise employees that “any and all telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio or electromagnetic, photoelectronic or photo-optical systems may be subject to monitoring at any and all times and by any lawful means.”

Who should receive the notice?

Because the notice requirement is not limited to only employees who use company-issued computers or devices, any employees who use a personal device to transmit e-mail or other communications through a company server should receive the notice as well. However, the statute does not address which types of workers are considered “employees” and whether remote workers who do not live in New York are entitled to receive the notice.

What processes are not covered by this law?

Significantly, the notice requirement does not apply to “processes that are designed to manage the type or volume of incoming or outgoing electronic mail or telephone voice mail or internet usage, that are not targeted to monitor or intercept the electronic mail or telephone voice mail or internet usage of a particular individual, and that are performed solely for the purpose of computer system maintenance and/or protection.” In other words, electronic monitoring practices that do not target any individual and are conducted solely for system maintenance or protection purposes (such as general monitoring for malicious software) are not covered by this law.

Who can enforce the law and what are the potential penalties?

The New York State Attorney General has exclusive authority to enforce the law and may penalize businesses that fail to comply with the law by imposing a maximum civil penalty of $500 for a first offense, $1,000 for a second offense, and $3,000 for each subsequent offense. The law does not include a private right of action.

When does the law take effect and what must covered employers do?

Once the law takes effect on May 7, 2022, businesses should inform employees of electronic monitoring by distributing a notice and acknowledgment form or by adding such a notice to any existing employee handbook, receipt of which should be acknowledged by each employee. Moreover, businesses will need to post the notice of electronic monitoring so that it can be viewed by employees.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Micaela McMurrough Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other…

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”