Editor’s Note: Different states across the U.S. have been instating these new social media laws that prohibit employers from requesting access to an employee’s personal social media accounts. But what do these laws really mean? What are the exceptions to the rules and how do they apply to your organization? Judith Delaney, of TurnsonPoint Consulting, answers all of these questions as they apply to the states of Washington, New Mexico, Illinois and New Jersey within this post.
Dissecting the law: employers prohibited from accessing employees’ social media accounts
As Melissa reported in her post of August 6th, Washington State became the 11th state to pass a law prohibiting employers from asking workers for their usernames and passwords to their personal social media accounts. New Jersey has now joined the club, making it the 12th state (more on that later in this article).
For your information, the first ten states to pass this law are: Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Mexico, Oregon and Utah.
Melissa’s blog post addressed the good news that Washington State now prohibits an employer from requesting that an applicant or employee disclose their personal login information to their personal social media accounts.
As with all of the states who have passed these laws, there are exceptions to the rule.
For those of you living in the state of Washington, the law does have the following exceptions under limited circumstances:
- Employers may retrieve content from an employee’s personal social media account if they are conducting an investigation into an employee’s misconduct, or if an employee is accused of making unauthorized transfers of the employer’s proprietary information. Employers still cannot ask for the personal password in these circumstances, but they can ask the employee to voluntarily turn over the information. However, if the need for the information falls under the umbrella of e-discovery, it may be obtained by other means, such as a subpoena obtained through the courts.
- The law does not apply to social media sites and platforms used primarily for work purposes. In other words, if an employee is using a work-related social media site or platform, an employer has the right to obtain the password.
- The law, while not specifically carving out an exception for the securities industry, does have broad language that refers to an employer’s rights to ensure an employee is “complying with the requirements of the state or federal statutes”, and “self-regulatory organizations”.
It is worth emphasizing that these are the exceptions to the law in the state of Washington.
Each state law has its own set of exceptions. For example:
New Mexico’s law only protects the login information of an applicant and not the employee. It also does not limit an employer’s right to:
- Have policies regarding workplace internet, social networking or email use
- Monitor employees’ usage of the employer’s electronic equipment
- View publicly available information about a prospective or current employee
Illinois: In August of this year, Illinois amended its existing password protection law to provide this exception: that the password protection law does not impede financial services firms from monitoring their employees’ business-related communications in social media.
New Jersey: Of all the states enacting a password protection law, the newest addition, New Jersey, as the 12th state, is the most comprehensive in the area of exceptions to the rule. Let’s take a look:
On August 29th, 2013, Governor Chris Christie enacted the New Jersey state law to restrict an employer’s access to the personal social media content of applicants and employees. This law will become effective on December 1, 2014.
Let’s first take a look at what this new law prohibits:
- Employers from asking or requiring that job applicants or current employees “provide or disclose any username or password, or in any way provide the employer access to, a personal account through an electronic communications device.” To dig a little further into the details, this means that an employer is prohibited from:
  - “Shoulder surfing” an applicant’s or employee’s restricted, personal social media account
  - Compelling an applicant or employee to accept an employer’s “friend” request to permit access to a restricted account
  - Compelling an applicant or employee to change the privacy settings on a restricted account to enable the employer to access it
- Employers cannot retaliate or discriminate against any job applicant or current employee for any of the following conduct:
  - Refusing to comply with an employer’s request or demand for login information for a personal social media account
  - Reporting alleged violation of the law to New Jersey’s Commissioner of Labor and Workforce Development
  - Testifying, assisting or participating in an investigation concerning a violation of the law
  - Otherwise opposing a violation of the law
It is important to note that the law’s definitions of “personal account” and “social networking website” narrow its otherwise broad prohibitions to some extent. What this means is that an account is not “personal” if it is used “for business purposes of the employer or to engage in business-related communications.” As a result, the law does not prohibit employers from requesting login credentials, or any other means of access, to business-related accounts, which is the first exception.
Other exceptions include:
- “Nothing in this law [prohibits or] prevents an employer from conducting an investigation [including asking for login credentials if the circumstances apply]” to:
  - Ensure compliance with applicable laws
  - Prohibit against employee misconduct, if the employer receives “specific information about activity on a personal account by an employee”
  - Investigate specific allegations that an employee is transferring proprietary, confidential, or financial information to a personal account
- Unlike the State of Washington law, New Jersey’s law specifically contains the exception for financial service firms subject to the Financial Industry Regulatory Authority, or FINRA, a self-regulatory organization, that requires monitoring of employees’ social media communications. In other words, this exception is clear that the law should not be construed to prohibit an employer from, and I quote from that section of the New Jersey law: “complying with the requirements of state or federal statutes, rules or regulations, case law or rules of self-regulatory organizations.”
- Consistent with the law’s limitation on the definition of “personal account”, it does not prevent an employer from “implementing and enforcing a policy [including an employer’s right to log in] pertaining to the use of an employer issued electronic communications device or any accounts or services provided by the employer or that the employee uses for business purposes.”
- Permits employers to access and use information about job applicants and current employees, accessible in the public domain. In other words, any information publicly available is fair game.
Finally, the New Jersey state law provides no private right of action for an aggrieved job applicant or current employee. The only action against an employer who violates any provision may be a civil penalty in an amount not to exceed $1,000 for the first offense and $2,500 for any subsequent offense.
As we move through 2013 and perhaps beyond, the momentum to pass United States state social media privacy laws does not seem to have slowed down. It has been reported by the National Conference of State Legislatures that legislation has been introduced, or is currently pending, in 36 additional states.
The exceptions discussed here, along with those in the other 10 states with social media password protection laws, clearly send a message that state legislatures recognize that employers have a legitimate business need to access employees’ restricted personal social media accounts in certain circumstances.
Therefore, as the prospective employee or current employee,
of the exceptions in the state in which you reside and/or work.
Disclaimer: The information contained in this article is provided only as general information and may or may not reflect the most current developments legal or otherwise pertaining to the subject matter thereof. Accordingly, this information is not promised or guaranteed to be correct or complete, and is not intended to create, or constitute formation of an attorney-client relationship. The author expressly disclaims all liability in law or otherwise with respect to actions taken or not taken based on any or all of the content of this article.
Judith Delaney is an attorney who specializes in global online privacy laws and issues and social media law. Judith helps organizations integrate new media strategies with business strategies to effectively manage risk associated with online compliance, such as the HIPAA Omnibus Rule, global social media privacy and data protections, and contract risk management.