Compliance Challenges Introduced by NY A836


As noted by Dechert LLP, a New York state statute was adopted on March 12, 2024, which imposes restrictions on employers concerning the disclosure of means to access personal accounts via electronic devices under certain circumstances. This law, known as Assembly Bill A836 (“A836”), was signed by Governor Kathy Hochul on September 14, 2023. It highlights the tension between employees’ privacy rights and the Securities and Exchange Commission’s (SEC) emphasis on firms surveilling personal devices for compliance with SEC recordkeeping obligations. While A836 enhances privacy protections for employees, it prompts employers, particularly those subject to federal securities laws like registered investment advisers (RIAs) and broker-dealers, to consider its impact on policies and procedures, such as WhatsApp call recording. Moreover, A836 may influence labor practices among New York employers, particularly in screening new hires and investigating potential employee misconduct. However, the statute has limitations that employers should be aware of, as discussed below.

A836 in Context

A836, which introduces Section 201-i to the New York Labor Law, aligns New York with 26 other states, including California and Illinois, that have enacted comparable provisions. Its enactment reflects growing concerns over privacy issues, mirrored by legislative efforts such as the California Privacy Rights Act (CPRA) and the European Union’s General Data Protection Regulation (GDPR).

Simultaneously, this legislation follows a series of enforcement actions by the SEC and Commodity Futures Trading Commission (CFTC) resulting in settlements with around 60 firms, totaling approximately $2.6 billion in fines. These actions stem from breaches of recordkeeping requirements outlined in Rule 17a-4(b)(4) and Rule 204-2(a)(7). While Rule 17a-4(b)(4) requires broker-dealers to retain all business-related communications, Rule 204-2(a)(7) imposes narrower retention obligations on investment advisers. Both agencies interpret these rules to encompass “off-channel” communications, triggering violations when firms fail to preserve such communications, for example through WhatsApp archiving, when they are made through employees’ personal accounts or devices.

Notably, the SEC and CFTC found firms not only negligent in monitoring and retaining required communications but also lacking in reasonable supervision to prevent and detect violations. Consequently, some firms may have begun proactively monitoring employees for compliance, potentially including spot-checking personal devices for prohibited communications. However, A836’s restriction on employer access to employees’ accounts and devices complicates such efforts.

Binding Constraints

A836 broadly applies to all employers within New York, covering personal devices and accounts, with limited exceptions. It prohibits employers from:

  • Requesting or requiring access credentials for personal accounts on electronic devices.
  • Monitoring personal account access by employees.
  • Reproducing materials from personal accounts obtained through prohibited means.

The definition of “personal account” encompasses various electronic media profiles used for personal purposes, including social media, messaging, and storage accounts. However, A836 does not prohibit employer access to communications made through business applications or mixed-use accounts. It also permits employers to request access to non-personal accounts associated with their internal systems and does not cover other data collection methods.

Employer Adjustments

A836 does not absolve employers of obligations under federal law or self-regulatory organizations concerning employee screening, monitoring, or retention of communications. Employers may need to adjust hiring procedures, ensuring compliance with A836 by refraining from coercing applicants into providing access to personal accounts. However, employers can still monitor employees for communications compliance by:

  • Requesting access to business-related accounts provided by the employer.
  • Requesting access to accounts used for business purposes, where the employer pays for the device and the employee acknowledges this condition.
  • Complying with court orders.
  • Accessing publicly available information.

Internal Investigations

Employers must continue to investigate employee misconduct, but A836 restricts access to personal accounts. Exceptions allow access to accounts used for business purposes and publicly available information. Employers must carefully draft policies to comply with these provisions while maintaining their ability to investigate misconduct effectively.

Employee Rights and Protection

A836 prohibits adverse actions against employees who refuse to provide personal account access information. However, employers can discipline employees for violating policies related to business account access, provided fair notice is given.

Conclusion

A836 poses challenges for compliance with federal securities laws and labor regulations but should not hinder firms’ ability to meet legal obligations. Employers, especially RIAs and broker-dealers in New York, should review policies to ensure compliance with A836 while safeguarding against inadvertent disclosures. Communication and transparency with employees regarding access to business-related communications are crucial for compliance.

About TeleMessage

TeleMessage captures and retains mobile content, including mobile SMS messages, voice calls, WhatsApp, and WeChat conversations from corporate or BYOD mobile phones to ensure compliance with various data protection regulations. The messages are securely and reliably retained within TeleMessage servers or forwarded to your choice of archiving data storage vendor.

Our mobile archiving products securely record content from mobile carriers and mobile devices for various ownership models (BYOD, CYOD, and employer-issued). With our multiple archiving solutions, you can always find the right tools or blend for your requirements:
