Drawing Digital Boundaries
Legislators on both the state and federal level are sending a message to employers that employees' social-media log-in information is off-limits, with Washington joining a growing number of states passing legislation to prohibit employers from asking workers and job candidates for their social-media passwords and user names.
By Kecia Bal
The new state legislation recently passed in Washington -- designed to protect that state's workers and job candidates from invasions of privacy from prying employers -- reminds HR executives that they need to be certain that hiring managers and other managers understand boundaries between work and the personal lives of employees in a digital age, says Donald Schroeder, an employment attorney and member at the international law firm Mintz Levin in Boston.
"I think that legislating what should be common sense is not wise, so I would say that this law just reiterates what should be best practices for employers anyway," Schroeder says. "It just muddies the water. I don't think anybody needs to change anything.
"It can be a good reminder that managers should understand the ground rules and protocol," he says.
While most employers wouldn't ask for personal account information in the first place, Schroeder says, the lines may become a little more blurred when it comes to younger managers -- those accustomed to the virtual worlds of Facebook and Twitter -- who might think it's appropriate to send a subordinate a friend request, for example.
"It might be less obviously problematic to younger managers who grew up in this online environment," Schroeder says. "If you have a good electronic communications or social media policy already, I don't think you need to amend it to say what you're not going to do.
"I don't think that there's anything that employees should refrain from other than not inquiring into personal social networking."
In Washington, even an internal investigation is not justification to require an employee to submit login information, Schroeder says. The new law allows employers to ask for specific "content" as part of an internal investigation, he says, but that would only apply to a specific post or update in question and not login information.
While states are moving to protect employee passwords within their borders, a bipartisan congressional group has proposed a similar measure to encompass the entire nation, the Social Networking Online Protection Act, which would prohibit employers and schools from requesting personal, account-related information.
Carla Patalano, professor at New England College of Business and Finance in Boston and chair of the college's certificate of advanced graduate study degree program in HR management, says the federal proposal, as well as laws passed or in the works on a state level, emphasize the value of effective social-media policies.
"Given the recently issued guidance from the National Labor Relations Board on social-media policies, and their focus on aggressively protecting Section 7 rights for all employees, including those that are not unionized, companies are already focusing on either drafting a social media policy or revising an existing policy to be in compliance," she says. "If an organization is being proactive, it will want to get out in front of the issues raised by SNOPA, and use this opportunity to take a holistic approach to determining what they use social media for."
It also highlights a general concern about privacy, she says.
"News surrounding the government's acquisition of millions of Americans' cell phone records illustrates that so many aspects of our lives are open to scrutiny that never were before, so the potential for abuse is significant," she says. "These are thorny issues that have to be tested, in the court of public opinion or, as laws like SNOPA are passed, in the judicial courts."
Because the laws differ by state and can affect industries differently, companies may need to review their policies, says Todd Taylor, Charlotte, N.C.-based senior counsel at the law firm Moore & Van Allen.
"Companies should absolutely take into account these laws as they review their existing policies or draft new policies," he says. "Currently there are 11 states that have password protection in place, and many more states have bills under consideration, so a company should not assume that these social media password laws do not or will not apply to them. Subject to a few caveats, employers should ensure that they have policies in place that generally prohibit managers from asking for such passwords."
The caveats often involve internal investigations, he says.
"Some (but not all) of the social media password protection laws have exceptions that specifically allow an employer to ask for social media and online user names and passwords in connection with internal investigations related to alleged legal and company policy violations," he says.
In some regulated industries -- brokerage or wealth-management, for example -- employers have regulatory obligations to monitor and retain certain communications and social-media postings. That's regardless of whether the employee used personal email or social media accounts to generate the communications, Taylor says.
"Interestingly, not all of the state laws have made exceptions for such industry-specific requirements," he says.
Employers also need to be certain that their policies clearly prohibit employees from storing company information or trade secrets within an employee's personal social media accounts or cloud service accounts, Taylor says.
"Employers should also restrict an employee's ability to use their personal cloud service accounts to create or generate work for the company. In addition, if the employer requires an employee to have an online social media account (such as LinkedIn or Twitter) as part of their job, the employer should have clear policies indicating that such accounts are owned by the employer - not the individual employee.
"Such a policy should help prevent an employee from being able to successfully claim that such an account is a personal account protected by these new state social media password laws."
Though she's never worked with a company that asked its new hires or potential hires for social-media passwords, Angela Hills, executive vice president at the Brookfield, Wis.-based recruitment process outsourcing firm Pinstripe Inc., says the focus on how companies approach social media will continue.
"I think the biggest driver here is just that social media and the web and the online presence that we all have -- that is still kind of like a wild, wild West," she says. "Everyone is trying to figure out what the new rules are. The government is saying, 'At least we're safe saying this is off-limits. We want to let people know we're watching. We're just going to start with the more obvious.' "