State legislatures across the country continue to draft and enact legislation restricting employers from requiring or pressuring employees (or job applicants) to grant them access to their social media accounts. On March 26, 2013, Utah became the fifth such state when Governor Gary R. Herbert signed into law the Internet Employment Privacy Act (H.B. 100) (Utah Act). Like Michigan, the Utah Act provides a carve out for broker‐dealers who are required to comply with Financial Industry Regulatory Agency (FINRA) rules mandating the monitoring and recording of business‐related communications, including communications made via social media sites. [1] However, recent laws enacted in California, Illinois and Maryland, as well as the vast majority of bills currently pending before other states, contain no such exemptions, which inevitably will lead to litigation over whether these laws are federally preempted, a question that has yet to be raised, much less answered.

  1. FINRA’s Social Media Monitoring and Recording Requirements

FINRA has issued various regulatory notices addressing the obligations of broker‐dealers with respect to the use of social media by their employees and representatives, noting that “the content provisions of FINRA’s communications rules apply to interactive electronic communications that the firm or its personnel send through a social media site”. FINRA Regulatory Notice 10‐06 (Jan. 2010). Regulatory Notice 10‐06 also states:

Firms must adopt policies and procedures reasonably designed to ensure that their associated persons who participate in social media sites for business purposes are appropriately supervised, have the necessary training and background to engage in such activities, and do not present undue risks to investors. Firms must have a general policy prohibiting any associated person from engaging in business communications in a social media site that is not subject to the firm’s supervision.

To comply with FINRA requirements, broker‐dealers “must review prior to use any social media site that an associated person intends to employ for a business purpose [and] approve use of the site for a business purpose only if the registered principal has determined that the associated person can and will comply with all applicable FINRA rules, the federal securities laws, including recordkeeping requirements, and any additional requirements established by the firm”. FINRA Regulatory Notice 11‐39 (August 2011). Furthermore, broker‐dealers “must be able to retain, retrieve and supervise business communications” even when conducted on social media sites through the use of the associated person’s personal computer or other device. Id.

  1. The Conflict Between Social Media Privacy Laws and FINRA Rules

At least 18 additional states and the U.S. House and Senate [2] are considering similar laws. The enacted and proposed laws share a common general prohibition against employers requiring employees or job applicants to provide access to their social media accounts. This prohibition creates a dilemma for broker‐dealers, who must follow FINRA’s mandates with respect to the supervision of their associated persons’ communications, including social media activity. One way to resolve this conflict — as Michigan, and now Utah, have done — is to include a carve‐out in the social media law for any employer who is otherwise obligated to monitor and supervise its employees’ social media activity.

In June 2012, FINRA and the Securities Industry and Financial Markets Association (SIFMA) attempted to convince California legislators to incorporate a financial services industry exception to the general prohibition. California’s A.B. 1844 illustrated the dilemma faced by broker‐dealers with respect to complying with both California’s law and FINRA’s rules. Both FINRA and SIFMA submitted comments to California’s legislature to express these concerns and to propose the carve‐out solution.[3] The exemption language, proposed by FINRA (with similar language proposed by SIFMA), reads:

This act shall not apply to the personal social media accounts or devices of a financial services employee who uses such accounts or devices to carry out the business of the employer that is subject to the content, supervision, and retention requirements imposed by federal securities laws and regulations of a self‐regulatory organization as defined in section 3(a)(26) of the Securities Exchange Act of 1934, as amended.

California rejected FINRA’s and SIFMA’s proposed modifications and its law was enacted on September 27, 2012 without any broker‐dealer exemption.

  1. Utah’s Internet Employment Privacy Act

Like the Michigan law, and in contrast to California’s, the Utah Act includes an exception for brokerdealers complying with their regulatory obligations:

(3) This chapter does not prohibit or restrict an employer from complying with a duty to screen employees or applicants before hiring or to monitor or retain employee communications that is established under federal law, by a self‐regulatory organization under the Securities and Exchange Act of 1934, 15 U.S.C. Sec. 78c(a)(26), or in the course of a law enforcement employment application or law enforcement officer conduct investigation performed by a law enforcement agency. [4]

Although this language is not identical to the language FINRA and SIFMA proposed in connection with the California law, it accomplishes the same purpose and is nearly identical to the language present in the Michigan law.

  1. Firms Need to Be Aware of their State‐Specific Obligations

Until it has been determined that the state laws that preclude brokerages from carrying out their compliance obligations are federally preempted, brokerage firms would be well‐advised to designate or appoint social media liaisons to stay abreast of these issues, formulate appropriate policies and procedures, oversee their implementation, monitor and adjust for compliance issues, and coordinate with legal and business executives.