New Mexico and Utah are joining California, Illinois, Maryland and Michigan in limiting employers’ access to social media accounts.

A new law signed by New Mexico Governor Susana Martinez makes it illegal for employers to request or require an applicant to provide his or her password, or demand access in any manner, to the applicant’s social media accounts or profiles. The statute appears to apply only to prospective employees, not current employees. The new law (SB 371), signed April 5, 2013, will be effective beginning July 1, 2013. 

The New Mexico law makes clear that the following employer activities are not affected by the new statute:

  • having electronic communication policies in the workplace addressing Internet use, social networking activity and e-mail;
  • monitoring use of the employer’s information systems and networks; and
  • using information that is publicly available on the Internet (although there may be other risks to employers engaging in these activities, such as learning about an applicant’s family medical history, under other laws, e.g., the Genetic Information Nondiscrimination Act). 

Utah Governor Gary R. Herbert has signed the state’s “Internet Employment Privacy Act” (IEPA) into law. The new law, signed March 26, 2013, is effective beginning May 14, 2013. Under the IEPA, employers are prohibited from asking an employee or applicant to disclose the username and password to access his or her “personal Internet account,” as well as taking adverse action against the individual for refusing to make the disclosure. 

According to the IEPA, “personal Internet accounts” are online accounts used by an employee or applicant “exclusively for personal communications unrelated to any business purpose of the employer.” The statute excludes from its prohibition accounts that are “created, maintained, used, or accessed by an employee or applicant for business related communications or for a business purpose of the employer.”

There are specific exceptions, including:

  • Employers may request or require employees to provide their usernames and passwords to enable the employer to access smartphones and other devices issued or paid for, in whole or in part, by the employer, as well as those to online accounts provided by the employer.
  • Employers may discipline employees for making unauthorized transfers of proprietary or confidential company information or financial data to the employee’s personal Internet account.
  • Employers are not prohibited from viewing, accessing, or using information that is publicly available on the Internet (although there may be other risks to employers engaging in these activities, such as learning about an applicant’s family medical history, under other laws, e.g., the Genetic Information Nondiscrimination Act).

Employees and applicants may sue employers for violating the IEPA. Damages are limited to $500 per violation. (For more details on the IEPA, please see Utah Enacts “Internet Employment Privacy Act”.) Governor Herbert also signed the “Internet Postsecondary Institution Privacy Act,” applying similar restrictions on postsecondary institutions with respect to their students and prospective students. 

In this developing legal area, employers need to keep on top of developments and ensure their managers and supervisors are trained so they know their limitations in attracting, managing and disciplining employees.