On September 27, 2012, California Governor Brown signed into law Assembly Bill 1844, which limits employer access to employees’ social media accounts. AB 1844 is only the most recent such enactment, marking a nationwide legislative trend, seeking to protect the privacy of employees’ and job applicants’ social media accounts. These laws present a unique dilemma for broker-dealers who must comply with the Financial Industry Regulatory Agency’s (“FINRA”) mandate that they take certain measures to monitor and record businessrelated communications. It may be confusing, or even impossible, for a broker-dealer to comply with these state laws, which prohibit employer access to social media accounts, while at the same time ensuring compliance with FINRA rules.
- THE NEW TREND IN SOCIAL MEDIA PRIVACY LAW
California’s social media privacy law is not unique. Illinois and Maryland have enacted similar laws, while nine other states (Delaware, Massachusetts, Michigan, Minnesota, New Jersey, New York, Ohio, Pennsylvania, South Carolina, and Washington) have comparable legislation pending. Each law provides a general prohibition against employers coercing or requiring employees or job applicants to provide social media account passwords or access their social media accounts in the presence of the employer or would-be employer. And while the pending federal Password Protection Act of 2012, H.R. 5684, does not expressly mention “social media,” its reference to a “protected computer” -- excluding “the employer’s protected computer” -- has been interpreted to impose the same restrictions on an employer’s access to social media accounts as the parallel state laws. 
- THE CONFLICT BETWEEN STATE PRIVACY LAWS AND FINRA RULES
- AB 1844
California’s AB 1844 illustrates the dilemma posed to a broker-dealer prevented from accessing its employees’ social media accounts. As stated, the purpose of the legislation is to “prohibit an employer from requiring or requesting an employee or applicant for employment to disclose a username or password for the purpose of accessing personal social media, to access personal social media in the presence of the employer, or to divulge any personal social media.” In fulfilling this purpose, the law states that “(b) An employer shall not require or request an employee or applicant for employment to do any of the following: (1) Disclose a username or password for the purpose of accessing personal social media; (2) Access personal social media in the presence of the employer; (3) Divulge any personal social media, except as provided in subdivision (c).” As a practical matter, AB 1844, as well as similar laws of other states, bars an employer from accessing its employees’ social media accounts.
- FINRA’S RESPONSE TO AB 1844
This past June, FINRA submitted a comment on AB 1844 to California’s legislature that expressed concern about that legislation and the possibility that it could be interpreted to preclude broker-dealers from accessing employee social media accounts to comply with their regulatory obligations to supervise and maintain books and records concerning their registered representatives’ communications. In its comment letter, FINRA cited NASD Rule 2210 (to be superseded in February 2013 by SR-FINRA-2011-035), which defines “Communications with the Public,” to include various categories of social media related communications such as (1) “advertisement” displayed “in any electronic or other public media, including website”; (2) “sales literature” meaning any “electronic communication,” other than an advertisement, “concerning a member’s products or services,”; (3) “correspondence”; (4) “Institutional Sales Material”; and (5) “Public Appearance” which includes “participation in a . . . forum (including an interactive electronic forum).” See also FINRA Regulatory Notice, at p. 4 (Jan. 2010) (“public appearance” includes “unscripted participation in an interactive electronic forum such as a chat room or online seminar”). As pointed out in subsequent FINRA guidance, “a registered principal must review prior to use any social media site that an associated person intends to employ for a business purpose…[and] may approve use of the site for a business purpose only if the registered principal has determined that the associated person can and will comply with all applicable FINRA rules, the federal securities laws, including recordkeeping requirements, and any additional requirements established by the firm.” FINRA Regulatory Notice 11-39 (Aug. 2011) (providing further clarification on a broker-dealer’s obligation to monitor social media sites). The required monitoring is impossible if an employer is prohibited by state laws, such as AB 1844, from accessing employee accounts to police these communications.
- CALIFORNIA IGNORES FINRA’S REQUEST FOR COMMON SENSE EXEMPTIONS FOR BROKER-DEALERS SIMILAR TO EXEMPTIONS IN SOME OTHER STATES’ LEGISLATION
FINRA, in its June 2012 comment letter, requested “an exemption from the provisions for employers in the financial services industry whose employees use personal social media accounts to conduct business of the employer and are, therefore, subject to requirements imposed by federal securities laws and rules of FINRA.” The letter pointed out that several states’ legislation, including Delaware and Michigan laws, contain express exemptions.
Delaware’s proposed House Bill No. 308 states “[t]his Act shall not prohibit employers in the financial services industry, who are subject to the laws and regulations of the SEC, FINRA, or other financial regulators, from conducting internal investigations into employee wrong doing, complying with the supervision requirements of the SEC, FINRA or other financial regulators, or achieving waiver of the personal communications protections in employment contracts.” Likewise, Michigan’s proposed House Bill No. 5523 states that “(2) This act does not prohibit or restrict an employer from complying with a duty to screen employees or applicants prior to hiring or to monitor or retain employee communications that is established under federal law or by a self-regulatory organization, as defined in section 3(a)(26) of the securities and exchange act of 1934, 15 USC 78c(a)(26).”
The vast majority of these laws contains no exemption, however. For example, Illinois’ Public Act 97-0875, signed into law this past summer, only exempts employers investigating employee use of company computers and the use of publicly available information. Minnesota, Missouri, Pennsylvania, South Carolina and Ohio’s versions also contain the same narrow set of exemptions as Illinois’ law. New York exempts only disclosure of login information used for accessing “nonpersonal accounts or services that provide access to the employer’s internal computer or information,” and Washington State’s pending legislation exempts only information in the public domain. New Jersey’s pending legislationcontains no exemptions at all.
The California legislature ignored FINRA’s concerns, as evidenced by the lack of a broker-dealer regulatory monitoring exemption in the law. Instead, AB 1844 falls far short of what is reasonable, providing only that: “(c) Nothing in this section shall affect an employer's existing rights and obligations to request an employee to divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations, provided that the social media is used solely for purposes of that investigation or a related proceeding.” California’s limited catchall exemption fails to even match Maryland’s recently enacted House Bill 964, which exempts an employer that is “conducting an investigation for the purpose of ensuring compliance with applicable securities or financial law, or regulatory requirements.” Where Maryland’s law at least provides broker-dealers with some modicum of comfort that it may legally monitor its employees’ social medial activities for purposes of discharging its regulatory obligations, California’s law provides no such exemption and little comfort to the regulatory and compliance community.
- SOCIAL MEDIA PRIVACY LAWS LIKELY PREEMPTED BY FEDERAL LAW
Principles of federal preemption could potentially prevent California and other states’ law from interfering with federal regulations governing oversight by a self-regulatory organizations such as FINRA. Several cases have held that rules imposed by a self-regulatory organizations like FINRA could preempt directly conflicting state statutes when those rules have been approved by the SEC. Credit Suisse First Boston Corp. v. Grunwald, 400 F.3d 1119, 1128 (9th Cir. 2005) (“NASD arbitration rules at issue here were approved by the Commission and because the California Ethics Standards conflict with the NASD arbitration disclosure rules, the California Ethics Standards are preempted by the NASD rules”); Charles Schwab & Co. Inc. v. Fin. Indus. Regulatory Auth. Inc., 861 F. Supp. 2d 1063 (N.D. Cal. 2012) (“FINRA Rules approved by the SEC are expressions of federal legislative power and have the force and effect of a federal regulation”); McDaniel v. Wells Fargo Investments, LLC, 10-4916 SC, 2011 WL 2976784 (N.D. Cal. July 22, 2011) (“Grunwald and Chae both involved situations in which regulatory rules granted discretion to the defendant and the Ninth Circuit held that plaintiffs could not use state law to impinge upon that discretion.”). The potentiality of securing a finding that these states’ laws are federally preempted is not only costly, but it provides little comfort to broker-dealers and their legal and compliance personnel who are tasked with managing these conflicting legal and regulatory obligations over many varying jurisdictions.
- REAL WORLD SOLUTIONS?
There are several practical measures that broker-dealers may undertake to avoid running afoul of their regulatory obligations while remaining compliant with state social media privacy laws. The first, of course, is to prohibit employee use of social media, which approach in this day and age is antiquated, at best, as the world has moved rapidly into the Twittersphere.
A second approach is having a clear policy that expressly prohibits employee use of social media for business purposes, including making business-related posts. In fact, if a broker-dealer allows employees to use social media, the employer is required to implement a training program by which relevant employees are trained regarding appropriate and inappropriate posts. See Regulatory Notice 11-39, at p. 3 (Aug. 2011) (“A firm’s policies and procedures must include training and education of its associated persons regarding the differences between business and non-business communications and the measures required to ensure that any business communication made by an associated person is retained, retrievable and supervised.”). As part of this training program, employees could even be given practice scenarios so as to spot which posts could potentially implicate compliance concerns and to practice drafting posts that avoid such concerns. Admittedly this approach provides employers with no ability to monitor social media activity, but it also arguably relieves employers of any duty to monitor posts if all posts are to be social and not “business” in nature.
None of these alternatives is ideal, and firms will continue to struggle with how best to allow their registered representatives to utilize social media for business purposes while balancing the monitoring obligations they are required to undertake but which some state laws preclude. Firms would be well-advised to designate or appoint a social media liaison to stay abreast of these issues, formulate appropriate policies and procedures, oversee their implementation, monitor and adjust for compliance issues, and coordinate with legal and business executives.