Cal-Peculiarities: How California Employment Law is Different 2022 Edition

70 | 2022 Cal-Peculiarities ©2022 Seyfarth Shaw LLP  www.seyfarth.com the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. ” 40 4.8.3 Social media password and access protections California employers must not request or require employees or job applicants to divulge personal social media account information. The term “social media” broadly encompasses all digital or electronic content, including videos, photographs, blogs, podcasts instant-text messages, email, on-line services or accounts, and internet website profiles . 41 Specifically, employers must not ask or demand that employees or applicants (1) disclose user name or account password access to access a personal social media account, (2) access personal social media in the employer’s presence, or (3) divulge any personal social media . 42 E mployers must not take any adverse action for refusing or failing to comply with such a request or deman d. 43 Employers still may, however, ask employees to divulge personal social media reasonably believed to be relevant to investigating suspicions of employee misconduct or violations of law, so long as the employer uses the social media solely for that or a related investigation or proceeding . 44 A nd employers can still request this information for the purpose of accessing an employer-issued electronic device . 45 4.8.4 Other personal information The Court of Appeal has upheld an employee’s right to sue her employer on the basis that her supervisor had informed the workforce that the employee suffered from bipolar disorder. Although the defendant won summary judgment against this claim for invasion of privacy—on the ground that the alleged disclosure was oral only and not reduced to a writing—the Court of Appeal reversed, holding that “disclosure in a writing is not required to maintain a cause of action for public disclosure of private facts. ” 46 4.9 Security of Personal Information 4.9.1 Reasonable security California businesses owning or licensing any personal information have an affirmative obligation to implement and maintain reasonable security procedures to protect the personal information from unauthorized access, destruction, use, modification, or disclosure . 47 F ailure to implement such reasonable security can subject the employer to class action liability up to $750 per impacted employee per inciden t. 48 Additionally, such failure can trigger civil monetary penalties ranging from $2,500 for each violation to $7,500 for each intentional violation . 49 I t is important to note that the scope of this obligation is broader than the breach notice obligation. The affirmative obligation around reasonable security is for “personal information.” Breach notice obligations only apply to “computerized data.” Thus the “reasonable security” obligation applies to both off-line data as well as on-line data. Similarly, the monetary liability will apply to both off- and on-line data. 4.9.2 Duty to provide notice of security breaches California businesses owning or licensing any computerized data including unencrypted (and, in some instances, encrypted) personal information must, upon breach of the security of that information, notify the affected persons “in the most expedient time possible and without unreasonable delay. ” 50 Among the items considered protected information are medical information and health insurance information . 51 California mandates a special format for the notice to individuals affected by a breac h. 52 The notice must be in plain language and must be titled “Notice of Data Breach. ” 53 T he notice must use at least 10-point font and include the following “clearly and conspicuously displayed” headlines: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information. ” 54 The relevant statute also includes a template notice of breach that will “be deemed to be in compliance with” these new format requirements . 55