Last Tuesday, Governor Jay Inslee signed into law protections in the workplace for personal social media passwords and accounts, making Washington the fifth state this year to pass such a law. In a nutshell, the bill bars employers from asking for personal Facebook, Twitter or other social media passwords during a job interview or at the workplace. It also bars employers from forcing an employee to show the employer content on a personal social networking account, or requiring co-workers to “friend” a manager so that private social networking profiles are viewable by the employer. The bill does provide an exception, however, where – during an internal investigation into possible employee misconduct – companies can require an employee to share content from a personal social networking account, based on a tip about the account.
The Key Provisions:
- The law restricts Washington employers from (1) asking an employee or applicant for personal passwords to social networking accounts; (2) engaging in shoulder-surfing so the employer can review the contents of an employee’s account; (3) asking employees to change settings on social networking accounts so that the employer could then access the account; or (4) asking employees to add them as friends.
- If an employer takes any of the above actions (such as asking for a private password), the employer is prohibited from retaliating against an employee for refusing to cooperate.
- The law includes a carve-out for employer investigations, however. The employer may request or require the employee to produce content from a personal social networking account if: (1) the employer undertakes the investigation in response to a tip about the employee’s activity on his or her personal social networking account; (2) the investigation relates to potential legal violations or work-related employee misconduct, or possible misappropriation of employer confidential, proprietary, or financial information on the social networking site; and (3) the employer does not ask for the login information.
- Employees and applicants have a new private cause of action, where they can sue employers for violation of the statute, obtaining injunctive relief as well as actual damages, a penalty of $500 dollars, and attorney’s fees and costs.
- But “buyer beware” – the statute reinforces that employees or applicants who bring frivolous actions without reasonable cause will be liable for the employer’s reasonable attorney’s fees and costs.
Potential Problems and Pitfalls:
While at first blush the law may seem like a good idea, as the old saw goes, “the devil is in the details.” Among other things, it’s not entirely clear what is covered by the term “social networking account” and it is equally unclear when an account is “personal” or “business”-related. In practice they often seem mixed. Fearless prediction: the law will create more problems than it will solve, and the courts will have to weigh in.
Problem 1: “Personal Social Networking Account” is Not Defined
Amazingly, the statute does not define a “personal social networking account.” Earlier versions had more specific definitions for what constitutes a social network. Instead, the final bill operates in the negative. First, the law does not “apply to a social network, intranet, or other technology platform that is intended primarily to facilitate work-related information, exchange, collaboration, or communication by employees or other workers.” Problem: Employers will end up litigating in each case on which side of the line the account falls – is it primarily personal or work-related? There is no easy, bright line test.
Second, the law excludes accounts that are “provided by virtue of the employee’s employment relationship with the employer … or electronic communication devices or online account[s] paid for or supplied by the employer.” “Electronic communication device” includes computers, phones, and PDAs. So, smart phones paid for or supplied by the employer are not covered, and an employer can require their passwords.
Once again, the devil is in the details. If an employer provides the employee an iPhone and pays the monthly charges for conducting work, that would seem to allow the employer access to the password and iPhone content. But here’s the rub: what if the employee has both work and personal email accounts on the work phone, as well as social networks such as Facebook or, worse, texts that mix both work and personal texting? Once the employer has phone access via the entry password, the employer may be able to gain access to all social media without further passwords. Is the social media “intended primarily to facilitate work-related communication” or not? What if the employer takes the iPhone for maintenance, the IT tech puts in the general password, and it opens to the employee’s Facebook page (which the employee keeps open), containing leaked confidential documents? Can the employer use that information?
Problem 2: “Social Networking Account” Applies to More than People May Expect
While people may think of “social networking accounts” as Facebook and Twitter, the law does not limit the statute’s breadth to such social media internet sites, but speaks generally in terms of “social networks, intranet, or other technology platforms” and “electronic communication devices,” which include computers and smart phones, DDAs, and “other such devices.” The breadth of the law is thus much broader – in effect, governing all digital content and activity, both on the Internet and stored on local devices, such as laptops and phones, not just social media. As commentators have noted, the law’s unexpectedly broad reach virtually ensures it will have unintended consequences.
Problem 3: An Employer’s Ability to Access Social Networking Content During Investigations is More Limited than Originally Portrayed
The final version of the bill resulted from negotiations between privacy advocates and business lobbyists who were worried that the new law would hamper security for proprietary or confidential information. While a prior draft of the bill allowed an employer to obtain log-in information in an investigation, the current bill only allows companies to request “content” of employee social media sites during internal investigations, which can be obtained only if an employer has received a tip that a worker may be leaking information. “In that circumstance, the employer may request the leaked content, but there is no requirement that the employee turn it over. The employer is given no more power to force disclosure of that information than exists under current law,” claims Shankar Narayan of the Washington state chapter of the American Civil Liberties Union.
But is that correct? The law does provide that an employer can “require” an employee to turn over content during an investigation, and the law does not prohibit an employer from enforcing existing personnel policies. If failure to cooperate in an investigation is “employee misconduct” for which an employee can be fired, then presumably an employer could fire an employee who refused to turn over content during an investigation. However, the commentary from the ACLU suggests otherwise.
Problem 4: An Employer Can Only Access Social Networking Content Based On a Tip
An employer’s ability to access social networking content during investigations is limited to those situations where an employer has received a tip or information about the employee’s activity on the social networking account. So, even if the employer has other reasons to suspect theft of confidential information, unless the employer has a tip that information has been posted on the social media site, the employer cannot require the employee to produce content from the site.
An employer is similarly hampered in sexual harassment or discrimination investigations. Unless the employer receives a tip that there is relevant “activity” on the personal social networking site, the employer cannot require either the accusing employee or the accused to disclose social networking content that might either prove the harassment or discrimination occurred – or exonerate the accused.
Problem 5: The Law’s Safe Harbor for Employers is Limited
The safe harbor provided by the law is quite limited. Employers who inadvertently receive log-in information through the use of an employer-provided device, or while monitoring an employer computer network, are not liable under the statute, but may not use the information to access the personal social networking account. Beyond that, the law does not give employers a “safe harbor” defense if they demand login information because they reasonably, but mistakenly, thought the account was all or primarily business-related.
What This Means For Employers:
- Do require that employees provide you with login credentials for business-related social networking accounts and other technology platforms provided by the employer, such as laptop computers and smart phones. Require providing such passwords to business-related equipment as part of your business’s general policies and procedures and have employees sign an acknowledgement of the policy when providing the passwords: they agree to providing the passwords or login credentials, they understand and agree that the social networking accounts or devices are primarily business related or provided by the employer for business purposes, and they have no expectation of privacy in the content of those accounts or devices. Be sure that you are only seeking passwords for business-related accounts or devices. If you have doubts, document at the time the reasons why the account or device is business-related, as opposed to personal.
- Amend your company policies and procedures to comply with the new law, including your investigation procedures. Train your employees on the new policies and procedures.
- Limit the number of employees under your policy who can seek password or login information to one or two managers: e.g. your IT manager or HR manager, so that those persons can be trained in complying with the new law and documenting that any requests are in compliance. Train your other managers that if questions arise, they must go to the IT or HR manager.
- Document, document, document: Document whenever an employee is requested to provide login information, and the circumstances that support the employer’s conclusion that the request complies with the law. If possible, obtain written confirmation from the employee that he/she agrees with the request (i.e. that the device or social media network is provided primarily for business-related purposes, or that the investigation resulting in the request to access social media content is based on a tip about the social networking site). Finally, contemporaneously document the tip that was received, preferably from the person sending it.
To view this new legislation, click here.