On November 8, 2021, New York Governor Kathy Hochul signed a new electronic monitoring law (S2628) requiring New York businesses that monitor or intercept employees’ e-mails, telephone calls, or internet usage to notify employees in writing of these practices. The new law amends the state’s civil rights law and takes effect on May 7, 2022.
According to the memorandum submitted by the New York State legislature in support of the bill, one reason for the notice requirement is to “protect[] employee privacy by making sure that [employees] understand the consequences of inappropriate internet activity.” The statute also purports to support businesses by permitting them to “retain the right to monitor computer usage, simply with the stipulation that employees are informed of surveillance practices. This knowledge will increase transparency within the organization and help to avoid lawsuits and litigation regarding invasion of privacy.”
A summary of the key provisions and requirements is below.
Who is covered?
All employers—regardless of size—with a place of business in New York are covered. The statute defines employers to include any individual, corporation, partnership, firm, or association, but does not include state entities. The law applies to any employer who “monitors or otherwise intercepts telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage of or by an employee by any electronic device or system.”
What must covered employers do?
Employers covered by this law must provide prior written notice upon hire to all employees who are subject to electronic monitoring and obtain employees’ acknowledgment of the notice in writing or electronically. Employers are not expressly required to distribute the notice to current employees. A notice of electronic monitoring must also be posted “in a conspicuous place which is readily available for viewing by its employees who are subject to electronic monitoring.”
What should the notice say?
The written notice must advise employees that “any and all telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio or electromagnetic, photoelectronic or photo-optical systems may be subject to monitoring at any and all times and by any lawful means.”
Who should receive the notice?
Because the notice requirement is not limited to only employees who use company-issued computers or devices, any employees who use a personal device to transmit e-mail or other communications through a company server should receive the notice as well. However, the statute does not address which types of workers are considered “employees” and whether remote workers who do not live in New York are entitled to receive the notice.
What processes are not covered by this law?
Significantly, the notice requirement does not apply to “processes that are designed to manage the type or volume of incoming or outgoing electronic mail or telephone voice mail or internet usage, that are not targeted to monitor or intercept the electronic mail or telephone voice mail or internet usage of a particular individual, and that are performed solely for the purpose of computer system maintenance and/or protection.” In other words, electronic monitoring practices that do not target any individual and are conducted solely for system maintenance or protection purposes (such as general monitoring for malicious software) are not covered by this law.
Who can enforce the law and what are the potential penalties?
The New York State Attorney General has exclusive authority to enforce the law and may penalize businesses that fail to comply with the law by imposing a maximum civil penalty of $500 for a first offense, $1,000 for a second offense, and $3,000 for each subsequent offense. The law does not include a private right of action.
When does the law take effect and what must covered employers do?
Once the law takes effect on May 7, 2022, businesses should inform employees of electronic monitoring by distributing a notice and acknowledgment form or by adding such a notice to any existing employee handbook, receipt of which should be acknowledged by each employee. Moreover, businesses will need to post the notice of electronic monitoring so that it can be viewed by employees.