Computerworld

State social media privacy laws a mixed bag for businesses

Laws limit access to employee's social media accounts, and that may be a good thing, legal experts say

New social media privacy laws that have been enacted in several states around the country, or those in the works, present something of a mixed bag for businesses.

While the laws generally limit companies from asking job seekers and employees for access to their social media accounts under most circumstances, they do provide some rules for when they can do so legally.

Utah on Tuesday joined a growing list of states with online privacy laws that restrict what employers can and cannot do with to regard to the social media accounts of their current employees as well as job seekers.

Utah's Internet Employment Privacy Act (H.B. 100) went into effect on Tuesday and basically prohibits companies from asking workers for usernames and passwords that control access to their personal accounts on Facebook, LinkedIn, Twitter and other social media sites. The law prohibits companies from taking adverse action, such as firing, retaliating or refusing to hire anyone that refuses to provide such information.

It allows employees to bring a private cause of action against an employer that violates these provisions and provides for fines of up to $500 for each violation.

More than half a dozen states including California, Maryland, Michigan, Illinois and Arkansas have similar laws in place. In each case the statutes were prompted by concerns that employers are becoming too aggressive in seeking the access credentials to social media accounts of job seekers and employers.

Maryland's law, for instance, was passed after a controversial incident where a state Division of Corrections worker was asked to provide his Facebook login credentials during a recertification interview.

Similarly, Michigan's law came after an elementary school teacher's aide was fired for refusing to provide school authorities access to her Facebook profile. The request came after a parent complained about seeing what they called an inappropriate photo of her on the social media site.

Others like the National Labor Relations Board (NLRB) and the Council of State Governments have also chipped in on cases involving disputes between employees and businesses over social media usage.

The Council said it has received several reports of people being asked to delete social media accounts, supply private login credentials and "friend" the human resources director or manager as a condition of employment.

The laws have raised some concern among companies in regulated industries. The Financial Industry Regulatory Authority (FINRA), for instance, is seeking exemptions in the state laws that would allow Wall Street brokers and dealers to keep an eye on the non-personal social media chatter of their employees.

According to FINRA, it is seeking the exemptions solely to ensure that when stockbrokers talk about stocks on sites such as Facebook, LinkedIn and Twitter, they are complying with their company's policies regarding such disclosure.

The laws limit a company's ability to investigate the activities of prospective or current employees on social media sites, said Scott Sweeney, an attorney at Wilson Elser Moskowitz Edelman & Dicker LLP in Denver. But at the same time, they also codify a company's rights to obtain some forms of personal login information, he said.

Under Utah's new law for instance, a company can ask an employee for personal log in information if the company provides the account or service. Similarly, an employee is obligated to provide login credentials if the social media account is used for the employer's business, or was obtained by virtue of the employment relationship, he said.

Some of the laws, like the one in Utah, also give employers the right to ask for login information when the company has specific information that an employer is using a private social media account to store or distribute company data, Sweeney said.

Such distinctions are important. In 2011, an employee working for PhoneDog, a company that serves up news on mobile technologies, refused to relinquish control of a Twitter account with 17,000 followers upon leaving the company, said Paul Paray, a partner at InformationLawGroup in New York.

In a lawsuit, PhoneDog alleged that the employee had used the Twitter account for official purposes during his employment at the company and charged him with misappropriation of trade secrets.

The new laws could have an impact on areas such as this, Paray said. For instance, they would give a company the right to ask for access credentials in situations where it hires someone to create a Twitter or other social media account that then gains thousands of followers. "If your job is to manage a social media account then employers should obviously have access to the password," he said.

Importantly, companies may actually be better off not having access to a prospective or current employee's personal social media account, Paray said.

Often such accounts may contain information on the individual's religious affiliation, ethnicity, race and other factors that cannot be used in making a hiring decision, he said. If the company later declines a hiring offer, or terminates an employee, they would be opening the door to numerous state and federal anti-discrimination claims, he said.

"You could almost argue that this is a positive thing for employers because now it cannot be imputed on you that you violated these statutes," he said.

The main takeaway for enterprises is that they should pay attention to their social media policies, Sweeney added. "From my perspective what they should be taking away from all this is that they should be reviewing their social media policies continuously," he said. "These laws are changing on a frequent basis so reviewing them with counsel or HR personnel is a wise thing to do."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

See more by Jaikumar Vijayan on Computerworld.com.

Read more about privacy in Computerworld's Privacy Topic Center.