There's no reason to expect a letup anytime soon in the legislative activity around the country aimed at blocking employers from requesting access to social media accounts of job applicants and employees. Five states—California, Michigan, Illinois, Maryland, and Utah—have enacted laws in the last year barring the practice, and as of mid-April 2013, similar legislation is pending in 27 other states and Congress.1 More legislative action this year seems certain.
It's easy to understand why—these laws provide the rare example of Internet privacy legislation that looks simple and leaves everyone feeling good. Employees and privacy advocates welcome protection from overreaching employers. Most employers, in turn, cringe at the thought of demanding access to job applicants' and employees' private social media accounts, and welcome laws that reduce the risk of negligent hiring suits based on employees' private social media postings.
Largely lost in the discussion about these new laws has been the significance of the restrictions they impose on internal investigations. As social media use has soared—including in the workplace—companies are more frequently encountering incidents where employees' use of social media and other online accounts violates laws, regulations, and company policies, or serves as a conduit for attacks on company computers. The wave of new state restrictions will make it harder for employers to investigate these incidents, some of which inevitably will involve serious matters such as workplace safety, medical privacy, intellectual property theft, network security, and compliance with laws and regulations. Compounding this problem is the inconsistency and vagueness of the new laws, which leave employers subject to a confusing patchwork of restrictions governing internal investigations involving employees' online activities. Ironically, the new restrictions also create incentives for employers that have the potential to undermine, rather than protect, workers' privacy and job security.
To pull a few examples from recent court filings and news reports, employees have used social media to threaten and sexually harass colleagues; hospital workers have posted patient pictures and information on social media sites; and employees have posted confidential company financial information on social media. In addition, the messaging and file-sharing capabilities of social media enable employees to communicate about a wide range of work-related misconduct, some of which could expose companies to significant legal, regulatory, and reputational consequences.
Beyond employee misconduct, the rapidly increasing sophistication of techniques for compromising corporate computer networks, together with the growth of bring-your-own-device policies, has made company computers more vulnerable to attacks that begin by targeting employees' personal devices and accounts—including their social media accounts. On January 23, 2013, the Federal Financial Institutions Examination Council, which sets standards for federal bank examinations, emphasized the risks associated with social media when it warned in proposed guidance to banks that social media accounts pose numerous compliance risks for financial institutions and are vulnerable to account takeovers which can be used to spread malicious software (“malware”) such as viruses, back-doors, rootkits, and other tools that can be used to remotely access and control a compromised computer.
Whether the focus of an internal investigation is employee misconduct or a network security breach, if the underlying conduct involves an employee's online activities, a thorough investigation likely will include gathering relevant information about those activities—typically by interviewing the employee and, when necessary, asking for access to relevant information in the online accounts used to conduct the activity under scrutiny. In different and inconsistent ways, each of the newly-enacted state laws limits an employer's ability to seek this information.
The Maryland, Michigan, and Utah laws apply to “personal” accounts or services that are accessed through the Internet (and in Maryland, by phone). This seems to include the same wide variety of Internet-accessible accounts covered by the California law, although not data stored off-line. The Maryland, California, and Illinois laws all fail to explain what makes an account “personal,” however, leaving open the possibility that those states' statutes cover online accounts held in an employee's name but used for business purposes or paid for by the employer. (Michigan and Utah specifically exclude such accounts.)
California and Michigan go further, but in different ways. California's law prohibits an employer from asking an employee to disclose any “electronic content” that is “personal,” without reference to where it is stored—an extraordinarily broad sweep, particularly in light of the statute's failure to define “personal.” This appears to prohibit not only requests for access to accounts, but questions about a broad range of an employee's computer-related activities.
Michigan, on the other hand, prohibits an employer from asking an employee “to allow observation of … information that allows access to or observation of the employee's or applicant's personal Internet account.” This “allow observation of” language, unique to the Michigan law, may have implications for the large number of companies that require employees to consent to the monitoring of their activities on company networks (most often undertaken for defensive purposes, such as detecting events that could threaten network security, but also sometimes for investigative purposes), as well as to searches of company-owned devices. If an employer requires an employee to consent to monitoring on a device that the employee uses to access a covered “personal” account, and the monitoring captures the employee's user name, password, and activity in the account – has the employer violated the Michigan statute? How does the statute apply if employers require consent to monitor or search an employee-owned device under a bring-your-own device policy? The Michigan statute doesn't provide clear answers to these questions.
Utah and Michigan, by contrast, allow an employer to request information relating to a covered account when they have specific information that an employee has used a personal Internet account to engage in work-related misconduct, or for purposes of “ensuring compliance” with applicable laws and regulations.
California permits such requests based on specific information of employee misconduct or “violation” of laws or regulations. This language is more restrictive than Michigan's and Utah's because it eliminates an employer's ability to seek information for the forward-looking purpose of ensuring compliance, and instead focuses on investigations of known legal violations.
Additionally, the language in the Utah, Michigan, and California statutes allowing requests to investigate employee misconduct does not make clear whether, in investigating such allegations, employers may direct requests to employees who may be victims or witnesses of misconduct by other employees but are not themselves suspected of wrongdoing.
Maryland's statute likewise contains exceptions for employee misconduct, but they are more limited than those in the California, Michigan, and Utah laws. Maryland permits an employer to request access to an employee's Internet account in response to specific information about the transfer of the employer's proprietary information to that account. It also allows an employer to request access if the employer is conducting an investigation “for the purpose of ensuring compliance with applicable securities or financial law, or regulatory requirements.” Maryland's law would not, however, allow an employer to request access to information in an account used by an employee to threaten or sexually harass co-workers, embezzle funds, or take bribes from vendors, nor would it allow requests to ensure compliance with laws other than “securities or financial” laws, such as product or workplace safety laws.
Despite these differences among the state stautes, there is one important and unfortunate area of consistency: none includes an exception for network security compromises associated with employees' personal Internet accounts even though such accounts are an increasingly common means by which corporate networks are infected with malware .
These problems will grow as more states enact social media protection laws. Multi-state employers regularly will face inconsistent rules within single investigations, and at times these inconsistencies will result in different investigative and disciplinary outcomes for employees who engaged in identical conduct.
A few hypothetical examples illustrate some of the practical problems the laws will pose for internal investigations:
Additionally, prohibiting employers from asking for social media and online account information when they need it for investigative or security purposes creates incentives for them to seek the information in alternative ways, such as increased use of monitoring tools, as well as deep-dive digital forensics that may provide evidence of the activities in question. Both of these approaches have the potential to provide employers with a much greater volume of personal information about an employee's online activities than a narrowly-tailored request for relevant information. The new laws also will push employers to more quickly involve law enforcement in matters that previously would have been handled internally, because law enforcement can ask questions that employers now can't.
©2014 The Bureau of National Affairs, Inc. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of The Bureau of National Affairs, Inc.
DisclaimerThis document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney-client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. The Bureau of National Affairs, Inc. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.
To view additional stories from Bloomberg Law® request a demo now