Protecting Social Media Privacy in the Workplace Is Not as Simple as it Looks
By David Glockner, Stroz Friedberg LLC
There’s no reason to expect a letup anytime soon in the legislative activity around the country aimed at blocking employers from requesting access to social media accounts of job applicants and employees. Five states—California, Michigan, Illinois, Maryland, and Utah—have enacted laws in the last year barring the practice, and as of mid-April 2013, similar legislation is pending in 27 other states and Congress.1 More legislative action this year seems certain.
It’s easy to understand why—these laws provide the rare example of Internet privacy legislation that looks simple and leaves everyone feeling good. Employees and privacy advocates welcome protection from overreaching employers. Most employers, in turn, cringe at the thought of demanding access to job applicants’ and employees’ private social media accounts, and welcome laws that reduce the risk of negligent hiring suits based on employees’ private social media postings.
Largely lost in the discussion about these new laws has been the significance of the restrictions they impose on internal investigations. As social media use has soared—including in the workplace—companies are more frequently encountering incidents where employees’ use of social media and other online accounts violates laws, regulations, and company policies, or serves as a conduit for attacks on company computers. The wave of new state restrictions will make it harder for employers to investigate these incidents, some of which inevitably will involve serious matters such as workplace safety, medical privacy, intellectual property theft, network security, and compliance with laws and regulations. Compounding this problem is the inconsistency and vagueness of the new laws, which leave employers subject to a confusing patchwork of restrictions governing internal investigations involving employees’ online activities. Ironically, the new restrictions also create incentives for employers that have the potential to undermine, rather than protect, workers’ privacy and job security.
The Role of Social Media Accounts in Internal Investigations
Understanding how the social media access laws affect internal investigations is essential for employers in light of the increasing incidence of work-related misconduct, compliance, and security investigations involving social media.
To pull a few examples from recent court filings and news reports, employees have used social media to threaten and sexually harass colleagues; hospital workers have posted patient pictures and information on social media sites; and employees have posted confidential company financial information on social media. In addition, the messaging and file-sharing capabilities of social media enable employees to communicate about a wide range of work-related misconduct, some of which could expose companies to significant legal, regulatory, and reputational consequences.
Beyond employee misconduct, the rapidly increasing sophistication of techniques for compromising corporate computer networks, together with the growth of bring-your-own-device policies, has made company computers more vulnerable to attacks that begin by targeting employees’ personal devices and accounts—including their social media accounts. On January 23, 2013, the Federal Financial Institutions Examination Council, which sets standards for federal bank examinations, emphasized the risks associated with social media when it warned in proposed guidance to banks that social media accounts pose numerous compliance risks for financial institutions and are vulnerable to account takeovers which can be used to spread malicious software (“malware”) such as viruses, back-doors, rootkits, and other tools that can be used to remotely access and control a compromised computer.
Whether the focus of an internal investigation is employee misconduct or a network security breach, if the underlying conduct involves an employee’s online activities, a thorough investigation likely will include gathering relevant information about those activities—typically by interviewing the employee and, when necessary, asking for access to relevant information in the online accounts used to conduct the activity under scrutiny. In different and inconsistent ways, each of the newly-enacted state laws limits an employer’s ability to seek this information.
The Effects of State Social Media Privacy Statutes on Internal Investigations
The effects of each state’s social media privacy law on internal investigations turn mainly on three features of the statute: (1) the types of employee accounts it covers; (2) the nature of the prohibited employer conduct; and (3) the exceptions to those prohibitions. An employer needs to assess each of these factors in order to determine what investigative activity is permissible, and what is restricted, in a particular state. The five state laws passed in 2012 and early 2013, the first-ever laws with this focus, differ considerably from one another in each category, and legislation proposed in other states would add even more variations.
Employee Accounts Covered
Each of the five state statutes covers traditional social media accounts, but three of them go much farther. California’s law is the broadest—it applies to all of an employee’s “electronic content” that is “personal.” This appears to include information stored on web sites not traditionally thought of as social media sites such as web-based email and file-sharing accounts, as well as information in third-party commercial accounts accessed online such as shopping, financial, and utility accounts. It also appears to cover information and data stored entirely off-line, such as on local and external hard drives, thumb drives, and CDs/DVDs. The Illinois law, by contrast, is the narrowest and is restricted in scope to what most people understand to be “social networking” accounts.
The Maryland, Michigan, and Utah laws apply to “personal” accounts or services that are accessed through the Internet (and in Maryland, by phone). This seems to include the same wide variety of Internet-accessible accounts covered by the California law, although not data stored off-line. The Maryland, California, and Illinois laws all fail to explain what makes an account “personal,” however, leaving open the possibility that those states’ statutes cover online accounts held in an employee’s name but used for business purposes or paid for by the employer. (Michigan and Utah specifically exclude such accounts.)
Employer Conduct Covered
All five states prohibit employers from asking or requiring employees or job applicants to disclose passwords and user name/password combinations. Four of the five states (all but Utah) go beyond this to prohibit employers from seeking other types of information for the purpose of accessing a covered account, including making requests for user names to locate or confirm ownership of public-facing accounts, and even inquiries about the existence of accounts.
California and Michigan go further, but in different ways. California’s law prohibits an employer from asking an employee to disclose any “electronic content” that is “personal,” without reference to where it is stored—an extraordinarily broad sweep, particularly in light of the statute’s failure to define “personal.” This appears to prohibit not only requests for access to accounts, but questions about a broad range of an employee’s computer-related activities.
Michigan, on the other hand, prohibits an employer from asking an employee “to allow observation of … information that allows access to or observation of the employee’s or applicant’s personal Internet account.” This “allow observation of” language, unique to the Michigan law, may have implications for the large number of companies that require employees to consent to the monitoring of their activities on company networks (most often undertaken for defensive purposes, such as detecting events that could threaten network security, but also sometimes for investigative purposes), as well as to searches of company-owned devices. If an employer requires an employee to consent to monitoring on a device that the employee uses to access a covered “personal” account, and the monitoring captures the employee’s user name, password, and activity in the account – has the employer violated the Michigan statute? How does the statute apply if employers require consent to monitor or search an employee-owned device under a bring-your-own device policy? The Michigan statute doesn’t provide clear answers to these questions.
The greatest differences among the four statutes concern the exceptions to their applicability. The Illinois law is the simplest in this regard: it allows no exceptions at all. Illinois employers can’t even ask for access to an employee’s social media account when they have evidence that it has been used in a corporate fraud or bribery scheme, to threaten or sexually harass a co-worker, or to steal or store proprietary information.
Utah and Michigan, by contrast, allow an employer to request information relating to a covered account when they have specific information that an employee has used a personal Internet account to engage in work-related misconduct, or for purposes of “ensuring compliance” with applicable laws and regulations.
California permits such requests based on specific information of employee misconduct or “violation” of laws or regulations. This language is more restrictive than Michigan’s and Utah’s because it eliminates an employer’s ability to seek information for the forward-looking purpose of ensuring compliance, and instead focuses on investigations of known legal violations.
Additionally, the language in the Utah, Michigan, and California statutes allowing requests to investigate employee misconduct does not make clear whether, in investigating such allegations, employers may direct requests to employees who may be victims or witnesses of misconduct by other employees but are not themselves suspected of wrongdoing.
Maryland’s statute likewise contains exceptions for employee misconduct, but they are more limited than those in the California, Michigan, and Utah laws. Maryland permits an employer to request access to an employee’s Internet account in response to specific information about the transfer of the employer’s proprietary information to that account. It also allows an employer to request access if the employer is conducting an investigation “for the purpose of ensuring compliance with applicable securities or financial law, or regulatory requirements.” Maryland’s law would not, however, allow an employer to request access to information in an account used by an employee to threaten or sexually harass co-workers, embezzle funds, or take bribes from vendors, nor would it allow requests to ensure compliance with laws other than “securities or financial” laws, such as product or workplace safety laws.
Despite these differences among the state statutes, there is one important and unfortunate area of consistency: none includes an exception for network security compromises associated with employees’ personal Internet accounts, even though such accounts are an increasingly common means by which corporate networks are infected with malware.
The Restrictions in Action: What This Means for Internal Investigations
The first five statutes enacted, and the likelihood of many more to follow, create a challenging new landscape for employers conducting internal investigations that touch on employees’ activities in online accounts. There are substantial inconsistencies among the state statutes; the scope of key terms like “personal,” to take the most obvious example, is uncertain; and the new restrictions on internal investigations increase the risks stemming from employee misconduct and network security breaches by making it harder for them to fully understand and respond.
These problems will grow as more states enact social media protection laws. Multi-state employers regularly will face inconsistent rules within single investigations, and at times these inconsistencies will result in different investigative and disciplinary outcomes for employees who engaged in identical conduct.
A few hypothetical examples illustrate some of the practical problems the laws will pose for internal investigations:
- An employee reports being sexually harassed by a co-worker through Facebook. No state clearly allows the employer to ask the victim for account access to verify the victim’s claim. The same restrictions apply to investigating threats of violence. In Illinois and Maryland, the employer is prohibited from asking the alleged perpetrator for account access in order to investigate the allegation—and even whether the employee has a Facebook account under the name provided by the accuser, if the employer intends to visit the site to verify its existence and look for public-facing postings.
- A drug maker receives an anonymous report that an employee is making private posts on a social network account describing conduct at one of its manufacturing facilities that could result in contaminated and unsafe medications. Absent information that the employee herself engaged in misconduct—as opposed to having knowledge about misconduct by others—only Michigan and Utah clearly allow the company to request access to the posts. Similar restrictions would apply to employers who learned of online statements by employees reflecting knowledge of, but not involvement in, other problematic conduct, such as bribes, anti-trust violations, and fraud.
- An employee creates a social networking account in his own name but, with his employer’s knowledge, uses it in part for business purposes, including marketing and communicating with customers. The company seeks access to the account to verify for compliance purposes that the employee is not engaging in conduct that will expose it to legal or regulatory risks. Only Michigan and Utah clearly allow the employer to make the request. In the other three states the answer will depend on whether courts consider “personal” an account held in an employee’s name and used in whole or in part for business purposes. Similarly, if the company becomes involved in litigation and an employee’s business-related activity on a social network or web-based email account is relevant to the litigation, it is unclear whether the company could seek access to the employee’s account in order to implement a legal hold and collect relevant communications for litigation purposes.
- A company discovers that its network has been infected by malware targeting sensitive intellectual property. It traces the malware to an employee who used a work computer to visit a social networking site and clicked on a message that downloaded the malware. The company wishes to gain access to the social networking account to better understand the origin of the malware and whether other employees and work groups are at risk. No state allows the company to ask the employee for access.
- A manager sends a subordinate a “Friend” request on Facebook, or a request to connect on LinkedIn. Each statute but Utah’s could be read to prohibit such a request.
Unintended Incentives for Employers
Although the laws give employees strong protection from employers’ demands for access to their accounts, they also create incentives for employers that have the potential to undermine employee privacy and job security. For example, because the laws apply only to current, not former, employees, companies can terminate employees and use severance agreements as leverage to seek access to critical information.
Additionally, prohibiting employers from asking for social media and online account information when they need it for investigative or security purposes creates incentives for them to seek the information in alternative ways, such as increased use of monitoring tools, as well as deep-dive digital forensics that may provide evidence of the activities in question. Both of these approaches have the potential to provide employers with a much greater volume of personal information about an employee’s online activities than a narrowly-tailored request for relevant information. The new laws also will push employers to more quickly involve law enforcement in matters that previously would have been handled internally, because law enforcement can ask questions that employers now can’t.
Navigating a Changing Landscape
It will be some time before employers have certainty about the rules that apply in various states to investigations touching on employees’ online activity—the rapid pace of state legislative activity and the ambiguities and variations in the new laws guarantee this. In the meantime, there are several steps employers can take to manage the challenges that the new laws pose for internal investigations:
- Review existing policies regarding employees’ use of social media and other Internet accounts for business purposes to ensure that those policies clearly define ownership and access rights for such accounts.
- Review existing employee conduct policies to ensure that they cover work-related misconduct that might reasonably involve employees’ personal online accounts, to ensure that in states permitting requests for information to investigate work-related misconduct, employers are positioned to make those requests when the need arises.
- Ensure that anyone who might be involved in an investigation touching on an employee’s online activity is aware that state laws may restrict requests for information about such activity. This includes not just inside and outside counsel, but also outside investigators and experts who may be engaged to assist in a matter, and company staff who may assist them, such as IT personnel. When an employee’s activity in a personal online account appears relevant to an investigation, counsel should carefully parse the language of each applicable state social media access law (there may be more than one) in light of the circumstances of the investigation before asking an employee for any account-related information.
- Periodically evaluate the company’s computer network and physical security in order to reduce the opportunities for incidents of employee misconduct and network security breaches.
- Consider whether existing network monitoring and cyber incident response capabilities are adequate. Does the company have the capability to operate keylogging tools when necessary? Does it have an incident response plan and arrangements with a strong digital forensic services provider in place in order to ensure that if the company learns of a data breach, network compromise, or unauthorized exfiltration of data, it can quickly preserve and examine whatever information about the incident exists on its own network, since it may now be more difficult to gather information from employees?
- Consider whether to block access from company networks to social networking sites not used for business purposes, as well as to other categories of potentially problematic Internet web sites that might be protected under some states’ statutes, such as file sharing and Internet mail sites.
If there is one lesson driven home by a close reading of the new state social media privacy laws, it’s that even simple-seeming Internet privacy legislation can have unanticipated consequences in practice. There’s no question that it makes sense to restrict the power of employers to pry open the private lives of employees and job applicants. But there’s likewise no question that we all benefit when companies undertake robust efforts to ensure their compliance with laws and regulations, and aggressively investigate suspected internal wrongdoing and security incidents. It’s possible to protect both of these interests by combining strong protections for employees with limited exceptions allowing employers to seek information needed for compliance, internal investigations, and network security purposes. The current wave of legislation unfortunately has yet to find this balance.
© 2013 Bloomberg Finance L.P. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of Bloomberg Finance L.P.
This document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney-client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. Bloomberg Finance L.P. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.