States Continue to Protect Workers' Social Media Privacy in 2014

By Bryan Knedler and William Welkowitz

The trend to regulate employers' access to applicants' and employees' personal social media accounts, although relatively recent, has gathered momentum and shows no signs of slowing down.

In May 2012, Maryland became the first state to restrict employers' ability to demand that employees or prospective employees disclose their “user name, password, or other means for accessing a personal account or service through an electronic communications device.”

California, Illinois and Michigan followed suit that year with similar prohibitions, and in 2013, Arkansas, Colorado, Nevada, New Jersey, Oregon, Utah and Washington enacted laws protecting the privacy of job applicants’ and employees’ personal social media accounts. New Mexico also enacted a law in 2013 that affects only job applicants and doesn't mention current employees.

Other laws addressing aspects of social media privacy were enacted in six states in 2014--Louisiana, New Hampshire, Oklahoma, Rhode Island, Tennessee and Wisconsin--bringing the total number of states with such protections to 18.

As the trend to create restrictions on access to private accounts continues, questions remain about whether such employer conduct is widespread. A 2013 survey by CareerBuilder found that more than two in five companies use social networking sites to research job candidates.1

Although these new laws aren't seen as a harbinger of major changes in the way employers conduct their hiring processes, practitioners interviewed by Bloomberg BNA generally agreed that they will compel employers to be more cautious in the questions they ask applicants and in how they explore applicants' backgrounds online.

“Social media opens up applicants to issues that otherwise would never be allowed to come up during the normal interview process, and employers generally take advantage despite the risk of being sued for [equal employment opportunity] violations,” said Paul W. Mollica, an attorney with the Chicago branch of Outten & Golden LLP, an employment law firm that specializes in employee-side litigation.

Social media isn't being used by employers only during the hiring and screening process; organizations use social media networks to recruit employees and to conduct workplace investigations. In Littler Mendelson's 2013 Executive Employer Survey Report, the results “demonstrated that proactive social media policies are popular among today’s corporations.”2 For companies “facing reputational and financial consequences from employees discussing the company through their own social media channels, more than half (52 percent) implemented policies on this type of activity,” the report said.

Solution in Search of Problem?

Although companies may be utilizing social media to conduct research on applicants or monitor employees' activities, critics of the restrictive statutes doubt that significant numbers of employers are going beyond accessing information that is publicly available and requiring passwords for private accounts of applicants and employees.

Jonathan A. Segal, partner at Duane Morris LLP, observed that he “sometimes wonders whether there are more state laws than there are of incidents of employers asking for social media passwords.”

Philip L. Gordon, who chairs the privacy and data protection practice group at Littler Mendelson, told Bloomberg BNA that there is little evidence to suggest that employers are using networking portals such as Facebook and Twitter in an abusive manner.

Gordon said he couldn't recall a client ever asking for advice regarding requests for access to social media accounts. However, one or two clients asked about situations where an applicant volunteered to provide access to his or her private social media to provide evidence of ability to do a job that required certain expertise. He added that he believes this is a gray area that should be addressed by state legislation.

In Littler Mendelson's 2012 and 2013 surveys of employers, only 1 percent reported having requested a password or access to an applicant's private account.

Critics say that given that abusive conduct isn't currently widespread (or at least not widely reported), the state legislatures may be acting in response to a perceived general anxiety of the public that this sort of conduct by employers could happen.

In New Hampshire, one of the latest states to enact protections, “there is a libertarian streak that lines up with this concern and the desire to keep employers out of personal social media accounts,” James Allmendinger, counsel for that state's affiliate of the National Education Association (NEA), told Bloomberg BNA.

Employment law attorney Howard S. Lavin, a partner at Stroock & Stroock & Lavan LLP in New York, speculated that “the legislation is a response to highly publicized cases.”

Outten & Golden's Mollica, however, contended that there is no way of knowing just how common the practice is. There is only “anecdotal evidence” that the number of instances involving managers invading employees' private social media and e-mail accounts is relatively low, he said.

Mollica also observed that the push for social media privacy legislation is unique in that the pressure is being put on legislators by ordinary employees rather than lobbying groups. “This is legitimate populist legislation,” he said.

Duane Morris's Segal said he thinks the trend is fueled by a “me too” effect. “As more and more states enact these laws, lawmakers in other states are asked by constituents, or ask themselves: why don't we have one?”

(Click graphic to enlarge.)

smlrgraphic0210

Next Civil Rights Issue?

Wisconsin state Rep. Melissa Sargent (D), one of the sponsors of the 2014 Wisconsin law, said in a statement when the bill passed the state Senate: “It makes sense that personal Internet accounts should be given the same 4th Amendment protections as other aspects of our daily lives. People have a reasonable expectation of privacy when interacting with their friends and family on Facebook or other sites. An employer, university, or landlord should not have access to private communications on social media sites. As technology evolves, so must our legislative efforts to protect our citizens' privacy.”

Former State Rep. and Cheshire County Commissioner Chuck Weed (D), a member of the New Hampshire House committee that initially debated that state's social media privacy rights law, said to Bloomberg BNA that “the protection of privacy and civil rights needs to keep up with the changes in technology. It is an issue that people can readily identify with because they use this technology every day.”

Although most legal experts contend that there are no straightforward First or Fourth Amendment rights issues in relation to the private sector workforce, as those constitutional protections apply only to “state actors,” Anita Allen, the Henry R. Silverman Professor of Law and Professor of Philosophy at the University of Pennsylvania and an expert on privacy law, suggested that there is a sense that this activity would be an infringement on rights of privacy, specifically the ability to discuss things in private that wouldn't normally be discussed otherwise.

“It is not fair to ask an applicant or employee for access to personal accounts as a prerequisite for employment. It would be like asking for the person's phone records and photo albums--there would be a sense of outrage if such an incident became public,” Allen said.

Mollica agreed with Allen's assessment that there is a belief among employees that they have the right to privacy as to their life outside employment. He asserted that these new laws strengthen that position. “It is a similar argument to the one made in Griswold v. Connecticut, 381 U.S. 479 (1965), except the question would most likely be 'would management be interested in knowing about my weekend activities?' ” Mollica told Bloomberg BNA, referring to the U.S. Supreme Court's decision upholding the constitutional right of privacy in the use of contraceptives.

Some Protection Under Federal Laws

No federal law strictly bars employers from asking applicants and employees for passwords or access to personal social media accounts. Although there are federal privacy rights under the Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2510 et seq., those rights generally are applied to actions such as phone taps and more obvious spying methods.

However, some claims have been raised under the Stored Communications Act, 18 U.S.C. § 2701-2712, which is part of the ECPA. Federal courts have held that the SCA prohibits unauthorized access to private social media accounts and that unauthorized or coerced access to them can result in employer liability.

For example, a federal district court in 2013 held that the SCA protected an employee’s private postings but that no violation of the SCA occurred because a co-worker who had been given authorized access voluntarily provided management with printed copies of the postings. There was no evidence that the co-worker was coerced into providing the information to management.3

In a 2009 decision on post-trial motions in another case, the court found that the employer violated the SCA by accessing employees' private chat group. The employee who provided the access testified that she believed she was required to comply with the manager's request for the password; therefore, the permission was coerced and invalid.4

Labor Law Implications

The National Labor Relations Board, using its authority under the National Labor Relations Act, has in recent years focused on social media cases in the private sector, for both union and non-union workplaces.

Section 7 of the NLRA, 29 U.S.C. § 157, states in part that employees “shall have the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection.” Such protected activities include casual discussion regarding workplace conditions, such as treatment by a supervisor or the level of benefits that are provided by the employer--topics that increasingly are shared in online forums.

“There are decisions by the NLRB that describe social media as the 'water cooler' of the 21st century, and employers need to be aware that NLRA Section 7 rights are in play when outlining company policies on social media use,” NH-NEA's Allmendinger said.

“Labor unions definitely have an interest in this type of legislation,” Mollica said. “Any technology that would allow unions to get their message to workers on a faster, broader scale is very useful to them.”

Employers still may enforce non-disparagement and confidentiality policies to protect their reputations, products and proprietary information from intentional false statements, sabotage and theft, Stroock's Lavin said.

However, he added, the kind of information that is considered confidential can't include employment conditions as defined by the NLRA. “This issue makes the NLRA and the NLRB very relevant to employees in the private sector, even if they don't belong to a union,” he said.

Nondiscrimination Laws Apply

Beyond the privacy issues addressed in the new restrictive state laws, employers using publicly available information on social media networks may be at risk of violating federal and state laws prohibiting discrimination on the basis of protected characteristics.

The Equal Employment Opportunity Commission hosted a March 12, 2014, hearing to gather information about employer use of social media and to consider the implications for the laws enforced by the EEOC.

The inherent risks are summed up by the authors of Bloomberg BNA's 2013 legal portfolio on social media:

“A key problem with accessing information shared via social media is the risk of stumbling upon a person's legally protected characteristics. The anti-discrimination laws generally prohibit pre-employment inquiries and selection practices that (i) identify a person on a basis protected by statute (e.g., race, national origin, sex, pregnancy, religion, marital status, and physical or mental disability); (ii) result in a disproportionate screening out of members of a protected group; or (iii) are not job-related, i.e., are not a valid means of predicting successful job performance. Further, many states and municipalities add additional protected traits beyond federal law, for instance, many states or municipalities have laws preventing employment discrimination based on sexual orientation, gender identity, or familial status. Consequently, pre-screening applicants via their social media activity or disclosures can lead to the discovery of information regarding an applicant that may be illegal to consider during the interview process.”5

 

Characteristics of 2014 State Laws

Each of the newly enacted laws has these two restrictions on employers at their core: (1) requesting or requiring access to private Internet-based accounts; and (2) retaliating against an applicant or employee who refuses to allow such access.

Limits Imposed on Account Access

Each of the state laws prohibits an employer from requesting access to information, most likely a password. Some states have additional restrictions against asking an applicant or employee to: (1) lower the privacy settings to facilitate access (New Hampshire and Rhode Island); (2) friend, or add, someone to the account (New Hampshire, Rhode Island and Tennessee); and (3) allow observation of an account by accessing it in the employer’s presence (Rhode Island, Tennessee and Wisconsin).

Exceptions Available to Employers

The statutes include a variety of exceptions to protect employers. For instance, all except Oklahoma's specifically exempt any device or account provided by the employer to the employee. The general consensus is that, if an employee uses an employer-provided device or system for personal use, the employee can't have any expectation of privacy.

According to Allmendinger, some attorneys won't even communicate with a client who is using an employer system or device out of fear that the communication might not remain confidential, despite the privilege rules.

Other exceptions were lobbied for by the information technology industry. Many of the bills as originally drafted would have left employers exposed to a potential contradiction, according to Kevin Callahan, northeast region state government affairs director of TechAmerica, which describes itself on its website as the “public sector and public policy department of CompTIA,” an IT industry trade association.

For example, many of the bills lacked exceptions for routine, practical actions by employers, such as investigating employee misconduct or sending out e-mail warnings to employees to secure personal accounts from potential or threatened cyberattacks, Callahan told Bloomberg BNA.

These concerns were taken into consideration by lawmakers, as most of the 2014 enacted laws do include some sort of exception that allows employers to investigate suspected misconduct, such as the copying of proprietary information or financial data to a personal account. The states differ on what level of information is necessary for the exception to apply--Louisiana, New Hampshire and Tennessee require “specific” information, while Rhode Island and Wisconsin require a “reasonable belief” that such conduct has occurred.

However, Segal cautions that even “where employers have a right to ask under state law, employers still must consider the federal Stored Communications Act.”

Perhaps with an abundance of caution, three states--Louisiana, New Hampshire and Wisconsin--specifically limit an employer’s liability for accidentally acquiring access information through a computer network as long as the information isn’t used.

Going even further, Louisiana and Tennessee specify that the employer can’t be held liable for negligent hiring or retention for failure to request access to or monitor personal accounts. Tennessee also specifies that the employee has the right to volunteer his or her account access information.

Several states included exceptions for employers that need to monitor or retain communications in order to comply with the requirements of state and federal laws and rules of self-regulatory organizations.

Enforcement Mechanisms, Penalties Vary

Civil actions are authorized in Oklahoma's and Rhode Island's new social media privacy laws, while a complaint to the state labor department is required in New Hampshire and Wisconsin.

Louisiana's and Tennessee's statutes, meanwhile, don’t provide for any enforcement mechanism or penalties. The primary sponsors of these pieces of legislation, Louisiana State Rep. Edward “Ted” James II (D) and Tennessee State Sen. Frank Niceley (R), each told Bloomberg BNA that the bills didn't contain enforcement provisions because they wouldn't have been passed by their respective legislatures otherwise. They both added that there was the possibility of amending the laws to add such language, if necessary.

Lavin questioned the impact of such statutes, saying the lack of a specific enforcement provision makes it unclear what potential plaintiffs could do in that situation. “They can try to file a claim under a general remedies provision, but the absence of a specific remedy could limit plaintiffs’ options under these laws,” he said.

Many others contacted for this report, however, don't see this omission as a serious problem for potential plaintiffs.

Allmendinger cited the New Hampshire law as an example, pointing out that a significant number of that state's laws don't have a specific remedy. In this situation, he said, Chapter 275 of the Revised Statutes Annotated allows a plaintiff to file a complaint with the state Department of Labor (or other appropriate department), or in the superior court of New Hampshire, with broad state constitutional guarantees in enforcing such statutory rights.

“Potential plaintiffs are only limited by the creative talent of plaintiffs' lawyers to find remedies outside the specific statute,” said Mollica, who pointed out that some states have whistle-blower statutes that can apply; some states have public policy tort statutes; and contractual remedies may even be available depending on the situation.

Allen added that a plaintiff also might be able to sue under the state's common law, and courts could set common law standards for this particular issue--for example, determining what level of proof is needed to show a violation of the statute.

If all else fails, Weed suggested that those who have been wronged can turn to public opinion and public pressure to get the employer to remedy the situation, although he conceded that this would likely require that the incident in question be highly publicized.

Practitioners Offer Compliance Advice

Despite the wide range of exceptions to these laws and spotty enforcement standards, employers are still cautioned to tread lightly when it comes to employees' social media and personal e-mail accounts.

“While there are many business reasons to check on employees' use of technology, employers have to keep in mind that employees are human beings with complicated lives and things that need to be done outside of work on a daily basis. There is a learning curve in using technology in the workplace that both sides have to keep in mind,” Allen said.

This need for balance was echoed by TechAmerica's Callahan. “Social media privacy is an important issue, and there is a need to have dialogue with the employer community to find the proper meeting point between the rights of employees and employers,” he said.

Segal advised employers to always take employee relations into consideration before potentially infringing on privacy. Even if a statutory exception is applicable, he advised asking for a password only if there is no alternative method of getting the needed information.

For example, in one case, the employer had concerns that proprietary information was being posted on a private social media platform. Segal advised his client to determine if the employee was sending the data from a work e-mail account to a home account. It turned out that the employee was using the employer's e-mail system, and getting the sought-after evidence never involved asking for the employee's personal account password, he said.

Littler Mendelson's Gordon pointed out that employers should conduct a risk tolerance analysis before utilizing an exception. In cases where a worker has seen a threat made on social media, for example, and the employer needs evidence to seek a temporary restraining order against the potentially violent employee, a co-worker might bring a screen shot of the threat to the employer, Gordon said. The employer must weigh the consequences of a violent incident in the workplace against the--in most cases--relatively minor penalties for violating a statute that prohibits requesting access to a social media account, he said.

There may be positive business reasons for accessing personal accounts, Gordon pointed out. For example, many employers have employees who are responsible for producing online content, such as blogs or managing websites. For such employees, their private social media accounts might provide evidence of their professional ability to do a job. Gordon said a clear exception should be provided for employees in such positions.

Segal provided another scenario for a legitimate need to access personal accounts. “Sometimes employees will tell management about an offensive posting--for example, racial, ethnic or religious slurs or 'jokes'--but not provide a copy of the posting itself. In these circumstances, what is management to do? Where an employee raises a concern about a posting, but does not provide a copy of the posting itself, if legal issues are potentially implicated, the employer should formulate a request for the posting to maximize the likelihood that the employee will share the posting and also minimize the risk that a court will find there to have been threats or pressure” by the employer.

Segal added there is “no doubt that any request by an employer exposes the employer to some risk. But not requesting the posting also may expose the employer to some risk. It is risk management, not risk avoidance.”

Possibility of Federal Legislation Slim

Although each state legislature that has addressed and approved legislation on this issue has either been unanimous or near-unanimous when it came to a vote, the prospects for this level of bipartisanship in addressing the issue on the national level appear dim.

In spring 2012, a group of Democrats in the U.S. House and Senate introduced the Password Protection Act. The senators previously had asked the Department of Justice and the EEOC to investigate whether employer demands that job applicants turn over their social media passwords violate current federal law. The legislation, which would have amended the Computer Fraud and Abuse Act, was never reported out of committee. It was again introduced in 2013, with no success.

The majority of individuals contacted for this report either were unwilling to predict how the new Congress would react to similar legislation or said they believe there won't be the same level of cooperation as there has been at the state level.

Former New Hampshire representative Weed said, “We are behind the issue on the national level in terms of privacy rights.” He expressed doubt as to the prospects of federal legislation, stating it is “unlikely because there is not a lot of concern for the worker amongst the new leadership and it is therefore not a high priority issue for the new Congress.”

However, the level of bipartisanship demonstrated in the state legislatures suggests that there is at least the possibility that this issue could be brought up in the near future at the national level.

Mollica suggested that there could be a large enough coalition of Democrats and libertarian-leaning Republicans to bring up the issue in a serious debate, pointing out that “modern technology has intruded on the life experience of typical employees and there can be an agreement that something should be done.”

Added Allen, “While the issue would seem to split along party lines on the surface, everyone has an interest in protecting personal account information.”

Callahan said that the most likely scenario would be that more states will continue to take up the issue and pass legislation in 2015, and as they do, Congress will become increasingly more likely to take it up.

To contact the reporters on this story: Bryan Knedler at bknedler@bna.com and William Welkowitz at wWelkowitz@bna.com.

To contact the editor responsible for this story: Heather Bodell at hbodell@bna.com.

1 Mary Lorenz, “Two in Five Employers Use Social Media to Screen Candidates,” Hiring Site (July 1, 2013), http://thehiringsite.careerbuilder.com/2013/07/01/two-in-five-employers-use-social-media-to-screen-candidates/.

2 The 2013 survey is available at http://www.littler.com/files/press/related-files/2013-Executive-Employer-Survey-Report.pdf.

3 Ehling v. Monmouth-Ocean Hosp. Serv. Corp., 961 F. Supp. 2d 659 (D.N.J. 2013).

4 Pietrylo v. Hillstone Restaurant Grp., 2009 BL 205184 (D.N.J. Sept. 25, 2009, unpublished)

5 Corporate Practice Series Portfolio No. 91, co-authors David A. Bell, Matthew Thomas Deffebach, and Debra Gatison Hatter of Haynes and Boone LLP.

2014 STATE SOCIAL MEDIA PRIVACY LEGISLATION
State Summary Bill No./Chapter No.
     

Louisiana

Personal Online Account Privacy Act

The statute enacts La. Rev. Stat. Ann. §§ 51:1951 to 51:1955 to prohibit employers from requesting that employees and job applicants disclose information that allows access to or observation of personal online accounts. Retaliation because of a refusal to give the employer access to a personal online account is prohibited.

H.B. 340
2014 La. Acts 165, effective Aug. 1, 2014

Maine

Directing Study of Social Media Privacy in School and in Workplace

The resolve directs the Joint Standing Committee on Judiciary to conduct a study of the issues involved in social media and personal e-mail privacy with regard to education and employment. The committee is to submit its report no later than Nov. 5, 2014, with its suggested legislation for the 127th Legislature.

H.B. 838
2014 Me. Laws 112

New Hampshire

The statute enacts N.H. Rev. Stat. Ann. §§ 275:73, 275:74 and 275:75 to prohibit employers from requesting that employees and job applicants disclose information that allows access to or observation of personal online accounts, add anyone to a list of contacts associated with an e-mail account or personal account, or require a reduction in privacy settings. Retaliation because of a refusal to comply with an employer's request is prohibited.

H.B. 1407
2014 N.H. Laws 305, effective Sept. 20, 2014

Oklahoma

The statute enacts Okla. Stat. tit. 40, §§ 173.2 and 173.3 to prohibit an employer from requesting that an employee or applicant disclose the means to access a personal online social media account, or access an account in the presence of the employer in a manner that enables the employer to observe its contents if those contents aren't available to the general public. Employers are prohibited from retaliating against an employee, or refusing to hire an applicant, because of a refusal to give the employer access to a personal social media account.

H.B. 2372
2014 Okla. Sess. Laws 315, effective Nov. 1, 2014

Rhode Island

The statute enacts R.I. Gen. Laws §§ 28-56-1 to 28-56-6 to prohibit employers from requesting that employees and job applicants disclose information that allows access to personal social media accounts, access an account in the presence of the employer, divulge any personal social media account information, add anyone to a list of contacts associated with an account, or require a reduction in privacy settings. Retaliation because of a refusal to comply with an employer's request is prohibited.

H.B. 7124 and S.B. 2095
2014 R.I. Pub. Laws 188 and 207, effective June 30, 2014

Tennessee

Employee Online Privacy Act of 2014

The statute enacts Tenn. Code Ann. §§ 50-1-1001 to 50-1-1004 to prohibit employers from requesting that employees and job applicants disclose information that allows access to personal internet accounts, access an account in the presence of the employer in a manner that enables the employer to observe its contents, divulge any personal social media account information, or add anyone to a list of contacts associated with an account. Retaliation because of a refusal to comply with an employer's request is prohibited.

S.B. 1808
2014 Tenn. Pub. Acts 826, effective Jan. 1, 2015

Wisconsin

The statute enacts Wis. Stat. § 995.55 to prohibit employers from requesting that employees and job applicants disclose information that allows access to personal internet accounts, or otherwise grant access to or allow observation of an account. Retaliation because of a refusal to comply with an employer's request is prohibited.

S.B. 223
2013 Wis. Laws 208, effective April 10, 2014