April 22, 2022
Employers with workers in New York face a rapidly approaching deadline to notify employees of, and collect signed acknowledgments relating to, the employers’ electronic monitoring of employees.
Deadline and Enforcement
The New York Attorney General’s Office will begin enforcing the new law on May 7, 2022. Potential penalties for violations range from $500 for a first offense up to $3000 for three or more offenses. Fines are per violation, i.e. per employee, so aggregate penalties may be significant even for medium-sized employers that ignore this obligation.
New York employers must provide notice to covered employees that discloses any activities to monitor employees’ email, phone, or internet usage. Specifically, employers must notify employees that “any and all telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee by any electronic device or system including, but not limited to, the use of a computer, telephone, wire, radio or electromagnetic, photoelectronic or photo-optical systems may be subject to monitoring at any and all times and by any lawful means.”
Employer policies or notices should include the statute’s exact language, as listed above, and any separate acknowledgement should expressly reference or recite the same. Employers should distribute notices among employees as soon as possible to ensure compliance by May 7. This also applies to any new hires, for whom the law also requires covered employers to secure signed acknowledgments of the notice. Acknowledgments are not required for existing employees.
Finally, employers should post the same notice in a conspicuous location in the workplace and/or company intranet that is accessible to employees.
To avoid enforcement headaches, employers should keep accurate records of each employee’s notice and acknowledgement. If employees or other measures are not subject to the monitoring activities described in the statute, employers should separately create a paper record to memorialize as much in the event of any later audit or investigation. This includes activities the law exempts, specifically “processes that are designed to manage the type or volume of incoming or outgoing electronic mail or telephone voice mail or internet usage, that are not targeted to monitor or intercept the electronic mail or telephone voice mail or internet usage of a particular individual, and that are performed solely for the purpose of computer system maintenance and/or protection.” Employers should work with their IT, human resources, and information security departments to fully understand where or how the law may apply.
Despite the relatively straightforward statutory language and notice requirement, employers should work with legal advisors to ensure they are prepared to comply with the new law, including any policy or recordkeeping requirements, or to manage related employee issues. Please reach out to the authors or a member of Nelson Mullins’ Employment and Labor or Cybersecurity & Data Privacy teams with any questions.