Michigan's New "Social Media Password Protection" Law Multiplies the Challenges for Employers Seeking to Investigate Employees' Social Media Misconduct
Joining California, Illinois, and Maryland, Michigan has enacted its own social media password protection law, which went into effect with the governor’s signing of the bill on December 28, 2012. Michigan’s law, like the others, generally prohibits employers from gaining access to applicants’ or employees’ personal social media accounts. At the same time, Michigan’s law initiates the proverbial “patchwork” of state laws in this area as it introduces important distinctions from the three state laws that preceded it. The headaches, however, are not reserved for multi-state employers trying to implement a uniform strategy for investigating reports of employees’ social media misconduct. Michigan-only employers also will need to grapple with a range of interpretive challenges.
Michigan’s new law, dubbed the “Internet Privacy Protection Act” (IPPA or the “Act”), lays down three straightforward prohibitions. First, employers cannot ask applicants or employees for the user name and password or other log-in credentials to gain access to any of the individual’s personal, Internet-based accounts, i.e., an account for which the user restricts access to content by way of log-in credentials. Second, the Act bars employers from asking applicants or employees to “allow observation of” their account, a practice commonly called “shoulder surfing.” Third, the Act prohibits employers from asking applicants or employees to “grant access to” their personal accounts, thereby baring employers from reviewing content without asking for log-in credentials and without shoulder surfing. Employers can take no adverse action against an applicant or employee who refuses a request in violation of the Act. These prohibitions apply not just to social media accounts but to all Internet-based accounts, including e-mail and cloud storage accounts. All employers, regardless of size, are subject to the Act’s restrictions.
While airtight at first blush, the IPPA’s wall around applicants’ and employees’ personal accounts is more like a sieve upon closer scrutiny. Most importantly, the Act does not prohibit an employer from asking an employee to help the employer view content in another employee’s or in an applicant’s personal account. The Act prohibits access only to the personal content of the applicant or employee who is the subject of the request. Given that employees routinely report social media conduct of coworkers that violates corporate policy or is suspected to be unlawful, this limitation is critical for employers seeking to investigate an employee’s Internet misconduct or compromising Internet postings by a job applicant.
The Act’s express exceptions also create important gaps in the facially broad prohibition. Like California’s law, the IPPA permits an employer to ask an employee for access, by any means, to the employee’s personal account as part of an investigation into workplace misconduct but only “[i]f there is specific information about activity on the employee’s personal internet account.” This exception would, for example, permit an employer to ask an employee for log-in credentials where a coworker reports a social media post that threatens workplace violence or contains racially derogatory comments about the coworker. Like the Maryland law, the Act also permits employers to request access to employees’ personal accounts if the employer has specific information that the employee is using the personal account to misappropriate the employer’s confidential business information. Finally, the Act’s prohibitions do not apply when an employer has a duty under federal law, or to comply with a self-regulatory scheme established under the Securities and Exchange Act, to screen applicants or monitor or retain certain employee communications.
Like the password protection laws that preceded it, the IPPA carefully carves out the employer’s own systems and equipment from the Act’s purview. The Act does not bar Michigan employers from requesting, in any way, access to any device or account provided, or paid for, by the employer, or from monitoring or accessing communications or information stored on employer-provided devices, communications networks, or information systems.
Importantly, Michigan’s law contains unique provisions that should serve as a model for future legislation in the area. The Act expressly “does not create a duty” for employers to search or monitor employees’ personal Internet activity and discharges employers from liability for failing to request an applicant’s or employee’s log-in credentials. In other words, the victims of workplace violence presaged by the perpetrator-employee’s ranting social media content could not assert a negligence claim against the employer based on the employer’s failure to ask the perpetrator for access to his personal social media account. While the exact contours of these provisions are unclear, they provide important protections for employers.
The IPPA’s remedial provisions, though relatively weak, do have the potential to deter violations. Most importantly from a deterrence perspective, the Act exposes individual employees to criminal prosecution for a misdemeanor offense, but the punishment is limited to a fine of not more than $1,000. Similarly, the Act’s civil remedy provisions caps damages at $1,000 and an award of attorneys’ fees and costs. Potential plaintiffs must serve a written demand on the employer at least 60 days before asserting the claim. This provision gives employers the opportunity to forestall a claim by offering $1,000 in response to a demand.
In sum, Michigan employers should be able to obtain information about employees’ Internet conduct in many circumstances where they need it. However, before investigating an employee’s or applicant’s personal Internet activity, they should carefully scrutinize the precise contours of the IPAA’s prohibitions to avoid exposing human resources professionals to a potential misdemeanor prosecution.
For additional discussion about the law, please see Littler's ASAP, Michigan's New "Internet Privacy Protection Act" Sets Limitations for Employers and Employees, by William Balke and Philip Gordon.
Photo credit: robas