Asset Managers’ Obligations under New York’s New Social Media Law

December 20, 2023

On September 14, 2023, Governor Kathy Hochul signed Assembly Bill 836 (A836) into law, restricting New York employers, including asset managers, access to prospective or current employees’ personal, private social media accounts. The law aims to protect employee privacy and prevents employers from taking adverse actions against individuals who refuse to provide such access. An earlier post discusses the key changes under the new law in more detail.

For asset managers, of particular concern is the potential conflict between A836 and the Securities and Exchange Commission’s (SEC) enforcement efforts focused on “off channel” business communications. The SEC has settled actions with several registrants for failing to retain business communications made through alternative methods, including text messages and electronic messaging applications. The SEC asserts such failures could be in breach of recordkeeping requirements under federal securities law. Because A836 restricts employers from requesting access to employee personal accounts, it raises the question of how asset managers can comply with both the SEC’s recordkeeping rules and the new New York law.

Compliance with the SEC’s rules and A836 is possible because of A836’s limited scope and its exceptions related to regulatory compliance. First, A836 applies only to personal accounts used “exclusively for personal purposes,” excluding accounts for business or mixed-use purposes. The law also expressly exempts employer-provisioned accounts used for business purposes if the employee was informed of the employer’s right to access. Second, the law does not restrict employers from complying with duties “to monitor or retain employee communications established under federal law or by a self regulatory organization,” including the SEC’s recordkeeping rules. Other exemptions, such as publicly available information and voluntary provision of access information for misconduct investigations, may also apply to data collection by asset managers.

Asset managers should carefully design and assess their compliance programs to navigate the potential tension between A836 and SEC rules. It is advisable that asset managers:

• Ensure that employees receive notice that employers may need access to personal accounts also used for business purposes;
• Act cautiously if an employee refuses to participate in a retention program applying to personal accounts to comply with A836’s prohibitions on certain adverse employment actions resulting from a refusal to grant access to purely personal accounts; and
• Understand exemptions and establish clear protocols to prevent inadvertent access to personal communications during reviews.

To read how Castaybert PLLC can assist you with employment law matters, click here.