Tag Archives: social media

July 22, 2013

Myriad of Social Media Privacy Laws Create Havoc for Multi-State Employers

Does your company request that your employees and applicants provide user names and passwords to their personal social media accounts? Do you require applicants to log onto their online accounts in your presence so that you can view their content? Perhaps you ask employees to “friend” their supervisors. If you haven’t followed new developments in state employment laws, you may not realize that such activities are unlawful in some states. In just two years, eleven states have passed social media privacy laws that prevent employers from accessing employees’ and applicants’ personal online accounts. Each state law differs in certain respects, making it difficult for multi-state employers to adopt a uniform and consistent social media policy. To help sort things out, we highlight here the primary differences in the state social media privacy laws.

States with Workplace Social Media or Internet Privacy Laws

The eleven states that have enacted social media or internet privacy laws affecting employers to-date are: Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Mexico, Oregon, Utah and Washington. All but one of these states protect the access information for both current and prospective employees, with New Mexico only protecting the log-in information of applicants.

Differences in State Social Media Laws

Generally, all of these states prohibit an employer from requesting or requiring an employee or applicant to disclose his or her user name, password or other means of accessing his or her personal social media accounts. Many of these states also make it unlawful to discipline, discharge, discriminate against or penalize an employee, or fail to hire an applicant who refuses to disclose his or her access information to personal social media accounts. However, that’s where the uniformity in the laws generally ends. The following chart highlights numerous key differences between the state laws.

Legal Provision	States Recognizing Provision
Prohibits employers from requesting that employee add employer representative or another employee to his or her list of contacts (e.g., “friend”)	Arkansas, Colorado, Oregon and Washington
Prohibits employers from requesting employee to access his or her personal social media account in the presence of the employer (“shoulder surfing”)	California, Michigan, Oregon and Washington
Prohibits employers from requesting employee to change the privacy settings on his or her personal social media accounts	Arkansas, Colorado and Washington
Specifically permits employers to view and access social media accounts that are publicly available	Arkansas, Illinois, Michigan, New Mexico, Oregon and Utah
Exception when access required to comply with laws or regulations of self-regulatory organizations	Arkansas, Nevada, Oregon and Washington
Exception for investigations of employee violation of law or employee misconduct	Arkansas, California, Michigan, Oregon, Utah and Washington (Colorado and Maryland limit this exception to investigation of securities or financial law compliance)
Exception for investigation of unauthorized downloading of employer’s proprietary, confidential or financial data	Colorado, Maryland, Michigan, Utah and Washington
Inadvertent acquisition of personal log-in information while monitoring employer systems not a violation but employer not permitted to use the log-in information to access personal social media accounts	Arkansas, Oregon and Washington

As you can see, the differences in the laws exceed the similarities, making it difficult for an employer operating in more than one covered state to comply with all applicable provisions. Even the definition of covered social media accounts varies by state, creating even more inconsistencies.

Would a Federal Law Help?

With eleven laws in place and almost 20 additional states considering social media privacy bills, the issue seems ripe for a federal bill that would bring some uniformity to the protections offered to employees and applicants. In February 2013, the Social Networking Online Protection Act, which offers such workplace protections, was introduced into the U.S. House of Representatives. Unfortunately, it has languished in committee and is not expected to pass. In addition, a federal law on the issue will likely only simplify the web of state laws if it specifically preempts state law. Without federal preemption, we might face two sources of law on the issue, federal and state, which might muddy the waters even more. In any event, it does not appear that a federal law will be enacted before additional states enact their own laws, leaving employers to struggle with the variances in state law.

Best Practices for Complying with Social Media Privacy Laws

With the vast amount of information available on social media and the increased use of social networking platforms for business purposes, it is likely that most employers will at some point need to access or review content on an employee’s or applicant’s social media account. Perhaps it will be for an investigation of an employee who downloaded proprietary information or perhaps it will be to confirm derogatory statements about the company made by an employee. Whatever the reason, the first step is to recognize that these laws exist and you will need to review which, if any, apply to your company and/or the employee involved. Remember that you are generally free to access publicly available social media content. However, if one of these state laws applies, consult with legal counsel before accessing (or requesting access to) any personal social media accounts to determine what restrictions and exceptions are applicable to your particular circumstances.

Establish a social media policy specifying that employees are not permitted to disclose or post proprietary or confidential company information on their personal social media accounts. Make a clear delineation between company/business-related social media accounts where you control who speaks on behalf of your organization, and personal accounts where employees do not represent the views of the company. Be careful that your social media policy does not run afoul of the National Labor Relations Act by interfering with employees’ right to discuss their wages and working conditions in a concerted manner. Communicate your policy to your employees through normal channels, such as your employee handbook, online policy/intranet, etc.

Train your supervisors, managers and human resources staff on these laws. Sometimes supervisors or HR folks think it is acceptable to ask an employee to “friend” them online, or to ask for their log-in information to view pictures or other benign posts. Despite good intentions, company representatives could get you into legal trouble so advise them of these laws and your restrictions on requesting access to personal social media accounts.

Disclaimer: This article is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice and are not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.

July 8, 2013

Nevada Restricts Employer Access to Social Media Accounts

By Dora Lane

Employers who like to research an applicant’s social media sites will be limited to reviewing only publicly available information under a new law passed in Nevada. Effective October 1, 2013, Nevada employers may not require or request access to an employee’s or applicant’s personal social media account. Assembly Bill 181, recently signed into law by Governor Brian Sandoval, prohibits employers from conditioning employment on the disclosure of an individual’s user name, password or other information needed to access the individual’s personal electronic services and accounts. It also prohibits employers from taking, or threatening to take, any adverse action against an employee or applicant who refuses, declines or fails to disclose their social media access information.

Unlawful for Employers to Demand Access to Personal Social Media Accounts

Under this new law, it is unlawful for an employer in Nevada to directly or indirectly seek the user name, password or other access information to a personal social media account from any employee or prospective employee. This prohibition means you cannot require, request, suggest or otherwise cause the individual to disclose the information necessary to access their personal account.

A social media account is defined to mean “any electronic service or account or electronic content, including, without limitation, videos, photographs, blogs, video blogs, podcasts, instant and text messages, electronic mail programs or services, online services or Internet website profiles.”

Interestingly, the law does not mention access to personal social media accounts that are available for public viewing without a user name or password. Accordingly, it appears that employers are not prohibited from accessing and viewing any publicly available social media accounts (though it may be risky for employers to do so for other reasons).

Discrimination and Adverse Actions Forbidden

This law also makes it unlawful for a Nevada employer to discharge, discipline, discriminate against in any manner, deny employment to, or deny promotion to any employee or prospective employee who refuses, declines or fails to disclose his or her user name, password or other information needed to access his or her personal social media account. Threats to take any such action are unlawful as well.

Exceptions for Access to Employer Systems and for Legal Compliance

The law allows employers to require an employee to disclose the user name, password or any other information to an account or service, other than a personal social media account, for the purpose of accessing the employer’s own internal computer or information system. In addition, the law does not prevent an employer from complying with any state or federal law or with any rule of a self-regulatory organization.

No Specified Enforcement Mechanism

The social media access restriction contained in Assembly Bill 181 does not specify any method by which employee or applicant allegedly harmed by a violation of the law can pursue relief. In addition, no remedies are specified in the bill. Because the bill amends Chapter 613 of the Nevada Revised Statutes on Employment Practices, a violation of the social media password protection provision conceivably could result in remedies available under that Chapter, but that conclusion is by no means clear.

Nevada Joins Trend, Becoming the Eleventh State to Restrict Employer Access to Social Media

Ten other states prohibit or restrict an employer’s access to social media accounts: Arkansas, California, Colorado, Illinois, Maryland, Michigan, New Mexico, Oregon, Utah and Washington. Numerous other states have proposed or are considering passage of social media password protection legislation. Employers located in or hiring in those states should review the applicable restrictions before seeking access to an individual’s personal social media accounts.

Disclaimer:This article is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice and are not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.

April 25, 2013

Tips for Complying with Utah’s Internet Employment Privacy Act

By Elizabeth Dunning

Effective May 14, 2013, Utah employers may not request employees or applicants to disclose information related to their personal Internet accounts. The Internet Employment Privacy Act(IEPA), recently signed into law by Utah Governor Gary R. Herbert, prohibits employers from asking an employee or applicant to reveal a username or password that allows access to the individual’s personal Internet account. In addition, employers may not penalize or discriminate against an employee or applicant for failing to disclose a username or password. A similar restriction applies to higher educational institutions through passage of the Internet Postsecondary Institution Privacy Act.

With enactment of the IEPA, Utah becomes the fifth state to pass legislation that limits an employer’s access to social media accounts, joining California, Illinois, Maryland and Michigan. New Mexico passed a similar law shortly after Utah and New Jersey’s law passed the legislature and is awaiting the governor’s signature. A bill introduced in February in the U.S. House of Representatives called the Social Networking Online Protection Act (H.R. 537) is stuck in committee.

Public Online Accounts Are Fair Game under the IEPA

The IEPA does not restrict or prohibit employers from viewing or using online information about employees and applicants that the employer can obtain without the employee’s username or password. Any online information that is available to the public may be accessed and viewed by employers without violating the IEPA. Consequently, individuals who set privacy settings on their online accounts to allow “public” access effectively opt themselves out of any protections offered by this new law.

Utah Restriction Applies to Accounts Used Exclusively for Personal Communication

In prohibiting employers from requiring disclosure of online usernames and passwords, the IEPA draws a distinction between personal Internet accounts and those used for business related communications. The law only restricts employer access to personal online accounts that are used by an employee or applicant exclusively for personal communications unrelated to any business purpose of the employer. It does not, however, restrict access to accounts created, maintained, used or accessed by an employee or applicant for business related communications or for a business purpose of the employer.

In practice, the line between personal and business related accounts may be blurred as many employees use their personal online presence to network and communicate for business reasons. Consider the sales person who uses his or her LinkedIn account to communicate with potential buyers within a particular industry, or the CPA who posts tax reminders on his or her Facebook page. Are those accounts accessible under the IEPA since they are not used “exclusively” for personal communications? A plain reading of the law suggests that may be the case, thereby watering down the potential protections offered by the IEPA to applicants and employees.

Steps for Complying with the IEPA

Utah employers should review their HR forms, policies and practices to ensure that they do not ask applicants and/or employees to provide a username or password to their personal Internet accounts. Train supervisors and managers not to ask for this information as well. In fact, take the opportunity to remind supervisors and managers not to “friend” subordinates on personal online platforms, such as Facebook. In addition, reinforce that employees and applicants may not be penalized or treated adversely for failing to provide a username or password for personal online accounts.

Remember, too, that even though the IEPA does not prohibit accessing an employee’s or applicant’s public social media accounts, viewing such information creates other risks. Employers may view information regarding the individual’s religion, race, national origin, disability, age, or other protected group status that could give rise to a discrimination claim. Furthermore, online information is unreliable and ever-changing, meaning that employers should not rely on what they see online when making employment decisions. To stay out of trouble, consult with legal counsel before viewing or using social media in the employment context.

For more information about permissible actions and potential damages under the Utah Internet Employment Privacy Act, please see our Client Alert.

February 26, 2013

Who Owns Your Employees’ LinkedIn Profiles? The Answer Might Surprise You.

By Mark B. Wiletsky

If your employees use LinkedIn to establish and maintain contacts for business purposes (such as sales), what happens to those accounts—and contacts—when the employee quits or is fired? Can an employer who has access to an employee’s LinkedIn profile change her password and replace information in her profile following her termination? No, says at least one federal judge in Pennsylvania recently, though that case is not yet over. As explained below, employers should be careful before assuming that they own their employees’ LinkedIn profiles.

Employer Access to High Level Executive Profiles

Edcomm, Inc., a banking education company, strongly urged its employees to create LinkedIn accounts using their company email addresses as a business networking tool. It had employee policies governing online postings and specified that if employees identified themselves as an Edcomm employee, they needed to use a specific template that contained pre-approved content about the company and referred to the company’s website. The company provided a photographer to take professional photos for employee use on their LinkedIn accounts. It also allowed some Edcomm employees to access, develop and administer the LinkedIn accounts of senior management, such as responding to invitations, inviting new contacts and researching good news stories to include on their LinkedIn pages.

After being acquired by another company, Edcomm, Inc. terminated its company president and founder, Linda Eagle, as well as several other top executives. After her termination, Edcomm locked Eagle out of her LinkedIn profile by changing her password. It then changed the information on the profile to that of the new acting CEO.

Company Argues LinkedIn Account was Akin to a Client List

Eagle sued Edcomm alleging numerous violations of state and federal law, including invasion of privacy by misappropriation of identity, misappropriation of publicity, identity theft and conversion. Edcomm argued that the LinkedIn accounts were used to contact new clients and promote the company’s services. As such, the company claimed that its take over of Eagle’s account was similar to the company keeping possession of a client list after an employee is terminated.

The Judge didn’t buy it. At a recent hearing, Judge Ronald Buckwalter stated that Edcomm likely had no right to change Eagle’s LinkedIn password and change her profile information. He noted that the company had no internal policy that would hand over ownership of employee profiles when employees left the company and that the LinkedIn accounts belonged to the individual employees.

Be Prepared For An Employee’s Departure

Although it is wise to implement a social media policy to address employee use of company information on personal or company-sponsored social media accounts, you need to be wary of who owns the rights to such information. First, as indicated in the Edcomm case above, you risk potential invasion of privacy and other claims. Second, the employee might have rights to the account independent of the employer, as established in an agreement between the service provider and the employee. At a minimum, consider implementing specific policies that address these issues up front, and consider what services your employees are using to establish and maintain connections with clients. The fact that contacts are connected through LinkedIn, Facebook, or some other social media site can significantly impact an argument that such contacts are protectable trade secrets. Lastly, don’t forget that forcing access to employees’ social media can be risky. Four states have enacted legislation to prohibit or restrict employers from asking for social media access and many other states are currently debating similar restrictions.

March 27, 2012

Furor Over Facebook Continues

By Mark Wiletsky

Following up on my post last week, the flap over employers asking applicants to turn over their passwords to social media accounts, such as Facebook, rages on. Two senators–Sens. Richard Blumenthal (D-Conn.) and Charles Schumer (D-N.Y.)–on March 25 asked the Department of Justice and the EEOC to investigate this practice (http://blumenthal.senate.gov/newsroom/press/release/blumenthal-schumer-employer-demands-for-facebook-and-email-passwords-as-precondition-for-job-interviews-may-be-a-violation-of-federal-law-senators-ask-feds-to-investigate). Facebook joined the fray by warning employers about this practice, and of course the ACLU has raised concerns as well (http://www.cnn.com/2012/03/23/tech/social-media/facebook-employers/index.html?hpt=hp_t3). Is this issue being overblown? Other than media reports about a couple of public entities, it is unclear how many employers are demanding applicants turn over passwords to social media accounts as a condition of employment (or consideration for employment). Still, the heightened media attention is a good reminder for employers to review their hiring practices and their social media policies. If you have not yet read the NLRB's January 25, 2012 Operations Management Memo (http://www.nlrb.gov/news/acting-general-counsel-issues-second-social-media-report), I recommend doing so. Even though I disagree with certain aspects of the Memo, it provides some good examples of things to avoid in both social media policies and discipline/termination situations involving social media–for Union and non-Union work environments.

March 23, 2012

Hiring and Social Media: Beware

By Mark Wiletsky

Should you require prospective employees to provide you with access to their Facebook page and other social media accounts, as a condition of being considered for the job? Some public agencies apparently are doing so. But Richard Blumenthal, a Democratic senator from Connecticut, is writing a bill to prohibit the practice. (Not surprisingly, you can find more information about his proposed bill by visiting his Facebook page: http://www.facebook.com/dickblumenthal). Relying on social media for hiring decisions can be risky, but it happens. People Google a candidate’s name, check LinkedIn profiles, browse a Facebook page, or surf the web to see if they can learn some information about the candidate. It’s so easy to do, and there is so much information about people on the web that it is hard to resist. The problem is that the information on the Internet may or may not be relevant to the job. The information also might disclose protected characteristics that you would not otherwise know from simply reviewing a job application (e.g., a person’s race, a disability, etc.). My own thought is that for most private employers, it is not a good idea to require candidates to turn over passwords to their social media accounts. Regardless of whether the candidate agrees to do so, it is clearly not a voluntary decision, and it raises a host of potential problems for private employers, beyond even the typical problem of not hiring someone due to a protected characteristic, e.g., what happens if someone at the company loses the password, abuses it, or protects it but is later accused of being responsible for hacking into the account? The law in this area continues to evolve, but I would avoid becoming a “test case” for having gone too far.