39-2-307. Employer access limited regarding personal social media account of employee or job applicant -- conditions for exceptions -- employer retaliation prohibited -- penalties. (1) Except as provided in subsection (2), an employer or employer's agent may not require or request an employee or an applicant for employment to:
(a) disclose a user name or password for the purpose of allowing the employer or employer's agent to access a personal social media account of the employee or job applicant;
(b) access personal social media in the presence of the employer or employer's agent; or
(c) divulge any personal social media or information contained on personal social media.
(2) An employee shall provide, if requested, to an employer or employer's agent the employee's user name or password to access personal social media when:
(a) (i) the employer has specific information about an activity by the employee that indicates work-related employee misconduct or criminal defamation, as provided in 45-8-212;
(ii) the employer has specific information about the unauthorized transfer by the employee of the employer's proprietary information, confidential information, trade secrets, or financial data to a personal online account or personal online service; or
(iii) an employer is required to ensure compliance with applicable federal laws or federal regulatory requirements or with the rules of self-regulatory organizations as defined in section 3(a)(26) of the Securities and Exchange Act of 1934, 15 U.S.C. 78c(a)(26); and
(b) an investigation is under way and the information requested of the employee is necessary to make a factual determination in the investigation.
(3) Nothing in this section:
(a) limits an employer's right to promulgate and maintain lawful workplace policies governing the use of the employer's electronic equipment, including a requirement for an employee to disclose to the employer the employee's user name, password, or other information necessary to access employer-issued electronic devices, including but not limited to cell phones, computers, and tablet computers, or to access employer-provided software or e-mail accounts;
(b) prevents an employee from seeking injunctive relief in response to the provisions of subsection (2); or
(c) prevents the prosecution of a person for violating privacy in communications under 45-8-213.
(4) An employer may not discharge, discipline, threaten to discharge or discipline, or otherwise retaliate against an employee or job applicant for not complying with a request or demand by the employer that violates this section.
(5) (a) As used in this section, "personal social media" means a password-protected electronic service or account containing electronic content, including but not limited to e-mail, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, internet website profiles or locations, and online services or accounts, including password-protected services or accounts to which an employee may post information, data, or pictures.
(b) The term does not include a social media account that is:
(i) opened for or provided by an educational institution and intended solely for educational purposes; or
(ii) opened for or provided by an employer and intended solely for business-related purposes.
(6) (a) An employee or an applicant for employment may bring an action against an employer for violating this section within 1 year in a small claims court. An employee or an applicant for employment may also have a cause of action under 45-8-213.
(b) Damages are limited to $500 or actual damages up to the limit provided in 3-10-1004. Legal costs may be awarded to the party that prevails in court.
(7) If an employer gains information improperly under this section and subsequently is involved in a computer security breach as provided in 30-14-1704, the employer is subject to penalties under 30-14-142.