Workplace Privacy Counsel : San Francisco Employment Privacy Law Lawyer & Attorney : Littler Mendelson Law Firm : Employment Related Privacy Issues

The New Jersey bill adds a new prohibition not seen in any prior law that actually could be detrimental to job applicants and employees. Specifically, employers cannot “[i]n any way require or request that a current or prospective employee disclose whether the employee has a personal account.” Consequently, were an employer to search publicly available social media content for information about an employee or applicant and discover negative information that might relate to the applicant or employee, such as racist comments or a predilection for sex with minors, the employer could not ask whether the account where the content is posted is, in fact, the applicant’s or employee’s personal account. Moreover, if the employer does inquire and the applicant or employee refuses to confirm or deny whether he or she posted the offensive social media content, New Jersey’s law would make it a violation for the employer to then take adverse action based on the individual’s refusal to respond. In other words, the employer would be worse off if it tried to “do the right thing” and attempted to verify the authenticity of information that, if true, would lead to an adverse employment action.

The New Jersey bill also has the most generous remedial scheme. “Facebook” laws in Maryland and California do not expressly provide a private right of action. By contrast, the New Jersey bill confers a private right of action on applicants or employees to recover unlimited compensatory and consequential damages. While the laws in Utah and Michigan  also confer a private right of action, damages are capped at $500 and $1,000 per violation, respectively. Illinois’ law does not cap damages; however, it requires that applicants or employees first attempt to resolve their complaint through the state labor department. No such administrative exhaustion requirement applies under the New Jersey bill.

To be sure, once the bill is likely enacted, it will not entirely handcuff New Jersey employers from performing investigations and background checks necessary to run a safe and efficient operation without running afoul of the law.  However, before investigating information present on an employee's or applicant's "personal account," human resources professionals are encouraged to seek guidance from inside or outside counsel to ensure compliance with this proposed law.  If approved, the law will go into effect on the first day of the fourth month following its enactment.

Photo credit: robas

Michigan’s new law, dubbed the “Internet Privacy Protection Act” (IPPA or the “Act”), lays down three straightforward prohibitions. First, employers cannot ask applicants or employees for the user name and password or other log-in credentials to gain access to any of the individual’s personal, Internet-based accounts, i.e., an account for which the user restricts access to content by way of log-in credentials. Second, the Act bars employers from asking applicants or employees to “allow observation of” their account, a practice commonly called “shoulder surfing.” Third, the Act prohibits employers from asking applicants or employees to “grant access to” their personal accounts, thereby baring employers from reviewing content without asking for log-in credentials and without shoulder surfing. Employers can take no adverse action against an applicant or employee who refuses a request in violation of the Act. These prohibitions apply not just to social media accounts but to all Internet-based accounts, including e-mail and cloud storage accounts. All employers, regardless of size, are subject to the Act’s restrictions.

While airtight at first blush, the IPPA’s wall around applicants’ and employees’ personal accounts is more like a sieve upon closer scrutiny. Most importantly, the Act does not prohibit an employer from asking an employee to help the employer view content in another employee’s or in an applicant’s personal account. The Act prohibits access only to the personal content of the applicant or employee who is the subject of the request. Given that employees routinely report social media conduct of coworkers that violates corporate policy or is suspected to be unlawful, this limitation is critical for employers seeking to investigate an employee’s Internet misconduct or compromising Internet postings by a job applicant.

The Act’s express exceptions also create important gaps in the facially broad prohibition. Like California’s law, the IPPA permits an employer to ask an employee for access, by any means, to the employee’s personal account as part of an investigation into workplace misconduct but only “[i]f there is specific information about activity on the employee’s personal internet account.” This exception would, for example, permit an employer to ask an employee for log-in credentials where a coworker reports a social media post that threatens workplace violence or contains racially derogatory comments about the coworker. Like the Maryland law, the Act also permits employers to request access to employees’ personal accounts if the employer has specific information that the employee is using the personal account to misappropriate the employer’s confidential business information. Finally, the Act’s prohibitions do not apply when an employer has a duty under federal law, or to comply with a self-regulatory scheme established under the Securities and Exchange Act, to screen applicants or monitor or retain certain employee communications.

Like the password protection laws that preceded it, the IPPA carefully carves out the employer’s own systems and equipment from the Act’s purview. The Act does not bar Michigan employers from requesting, in any way, access to any device or account provided, or paid for, by the employer, or from monitoring or accessing communications or information stored on employer-provided devices, communications networks, or information systems.

Importantly, Michigan’s law contains unique provisions that should serve as a model for future legislation in the area. The Act expressly “does not create a duty” for employers to search or monitor employees’ personal Internet activity and discharges employers from liability for failing to request an applicant’s or employee’s log-in credentials. In other words, the victims of workplace violence presaged by the perpetrator-employee’s ranting social media content could not assert a negligence claim against the employer based on the employer’s failure to ask the perpetrator for access to his personal social media account. While the exact contours of these provisions are unclear, they provide important protections for employers.

The IPPA’s remedial provisions, though relatively weak, do have the potential to deter violations. Most importantly from a deterrence perspective, the Act exposes individual employees to criminal prosecution for a misdemeanor offense, but the punishment is limited to a fine of not more than $1,000. Similarly, the Act’s civil remedy provisions caps damages at $1,000 and an award of attorneys’ fees and costs. Potential plaintiffs must serve a written demand on the employer at least 60 days before asserting the claim. This provision gives employers the opportunity to forestall a claim by offering $1,000 in response to a demand.

In sum, Michigan employers should be able to obtain information about employees’ Internet conduct in many circumstances where they need it. However, before investigating an employee’s or applicant’s personal Internet activity, they should carefully scrutinize the precise contours of the IPAA’s prohibitions to avoid exposing human resources professionals to a potential misdemeanor prosecution.

For additional discussion about the law, please see Littler's ASAP, Michigan's New "Internet Privacy Protection Act" Sets Limitations for Employers and Employees, by William Balke and Philip Gordon. 

Photo credit: robas

Subsequently, the California legislature, often hostile to employer interests, amended its then-pending bill to adopt a more balanced and reasonable approach. The approved bill does generally prohibit employers from requesting or requiring that employees or applicants (a) disclose their user name or password to gain access to personal social media content; (b) access their personal social media in the employer’s presence, i.e., permit “shoulder surfing;” or (c) divulge any personal social media, which apparently would bar an employer from asking an employee to provide the personal social media content of a co-worker who is a Facebook friend. At the same time, however, the pending law permits employers to request that “an employee divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations.”

While this exception is a vast improvement over the Illinois and Maryland laws, California employers should beware that the exception does not open the door all the way. To begin with, the exception does not apply to job applicants. Thus, even if a current employee were to report seeing racist or threatening content on a job applicant’s restricted access social media site, a California employer still could not gain access to the troublesome social media content unless the reporting employee voluntary provided it. In addition, employers remain barred from asking current employees to disclose their social media log-in credentials or to permit the employer to “shoulder surf.” Nevertheless, the exception does permit California employers to ask a co-worker to provide content from the personal social media site of an employee suspected of misconduct.

California employers also should note that the California law, like the Illinois and Maryland laws, appears to have an unintended and unsupportable consequence in the context of litigation. These statutes impose no restriction on an employer’s ability to request in civil discovery that a former employee produce personal social media, log-in credentials; however, all three statutes bar such requests in litigation with a current employee. Obtaining log-in credentials can be important in employment litigation so that employers’ counsel can confirm that the current or former employee has produced all discoverable information posted on his or her restricted-access social media page.

California’s pending password protection law has another unusual twist. The bill expressly relieves California’s Labor Commissioner from having to investigate complaints that the law has been violated, whereas the Labor Commissioner is required to investigate certain other violations of the Labor Code. The pending law itself also does not create a private right of action. Consequently, it remains unclear what remedies an employee could pursue were the Labor Commissioner to decline to investigate.

Employers should expect other states to enact this form of popular legislation. If the password protection laws that are on the horizon are to follow California’s more balanced approach rather than the draconian Illinois law, employers and employer groups will need to highlight the critical distinctions between the two laws through participation in the legislative process.

Photo credit: Asilvero

Despite the absence of a proven need, the Illinois bill imposes apparently broad restrictions on employers. The bill prohibits an employer from “request[ing] or require[ing] any employee or prospective employee to provide any password or other related account information in order to gain access to the employee’s or prospective employee’s account or profile on a social networking website.” The bill also forbids employers from “demand[ing] access in any manner to an employee’s or prospective employee’s account or profile on a social networking website.”

While the first prohibition is clear enough, the scope of the second is ambiguous. The second prohibition appears to be aimed at “shoulder surfing,” i.e., an employer’s asking an applicant or employee to log into a social networking site without revealing log-in credentials so that the employer can review the site. Similarly, this prohibition appears to reach an employer’s asking an employee or applicant to print a hard copy of his or her own social networking site or to e-mail screen shots of that site to the employer. Assuming this prohibition is intended to reach such conduct, it remains unclear whether the prohibition applies only to content posted on the applicant’s or employee’s own social networking site or extends to the restricted social networking sites of co-workers who are not the subject of the request.

To put the ambiguity into sharper focus, consider the following scenario. An employee reports to his human resources manager that a co-worker, who is a Facebook friend, has commented on his own wall, which is restricted to “Friends Only,” that he is so angry at the company he could “blow the place up.” The Illinois law appears to prohibit the HR manager from asking the reporting employee to permit the HR manager to view the posting co-worker’s post on the reporting employee’s own newsfeed and from asking the reporting employee to print a hard copy of the post or to e-mail a screen shot of the post to the HR manager. The Illinois law also appears to prohibit the HR manager from asking the posting co-worker for access to his social networking site so the HR manager can investigate the reporting employee’s allegation. However, it is unclear whether the Illinois law would prohibit the HR manager from asking the reporting employee, without disclosing his own log-in credentials or any information on his own news feed, to access the posting co-worker’s “Friends Only” Facebook wall so the HR manager could corroborate and further investigate the allegation.

While this point, at first blush, may appear to be hair splitting, it is critical for employers because the Illinois law contains no exception for legitimate workplace investigations. In fact, the Illinois law contains no exceptions at all to its general prohibitions. Instead, the law merely emphasizes that it is not intended to restrict an employer’s right to promulgate policies regulating use of the employer’s own electronic resources or from monitoring usage of the employer’s own electronic resources, including e-mail. The bill also expressly states that it does not apply to “information that is in the public domain,” i.e., social networking sites for which the account holder has not used privacy settings to restrict access. However, this limitation provides little aid to employers as applicants and employees increasingly activate privacy settings to restrict access to their social media accounts. In sum, the Illinois law shuts off most, if not all, access by employers to a potentially important source of information when conducting legitimate investigations into misconduct related to work, such as workplace violence, unlawful harassment, and misappropriation of trade secrets.

The absence of any exceptions to the general prohibition in the Illinois bill highlights another challenge for employers raised by this new genre of workplace regulation. The Maryland law contains exceptions for investigations of suspected securities fraud violations and suspected misappropriation of trade secrets. While these exceptions themselves are overly narrow, their absence from the Illinois bill suggest that the states are beginning to weave yet another inconsistent patchwork of laws that will further complicate for employers the already daunting challenge of regulating new technology in the workplace.

The law’s numerous and broad exceptions will limit its impact. Significantly for the financial services sector, the law expressly excludes banks, insurers and surety companies from its coverage by excepting them from its definition of “employer.” The following categories of positions also are excluded from the law’s coverage:

• Positions involving access to sensitive information;
• Positions involving unsupervised access to cash or marketable assets valued at more than $2,500;
• Positions with signatory power over business assets of $100 or more per transaction;
• Managers who set the direction of or control a business;
• Positions for which the employer is required by law to obtain a bond;
• Positions for which state or federal law or regulation establishes credit history as a bona fide occupational qualification; and
• Positions for which the employer is required by law to obtain credit history.

The first exception is particularly broad given the many different types of information to which it applies. More specifically, Illinois employers can obtain credit reports and credit history from applicants or employees whose position involves access to any of the following categories of information: (a) sensitive information that a customer gives the employer explicit authorization to process; (b) sensitive information that an employer entrusts only to managers and a select few employees; (c) sensitive information that is secured so as to make it inaccessible to the public and low-level employees; (d) non-public information about the employer’s overall financial direction, including company tax and profit and loss reports; (e) sensitive information regarding an employer’s overall strategy or business plans; and (f) information that would jeopardize national or state security if publicly available. The statute does not define the term “sensitive information” and, therefore, appears to leave the determination of sensitivity to the employer’s reasonable discretion.

When taken together these exceptions appear to permit credit checks on large swaths of an organization’s workforce. At a minimum, all senior executives, in-house attorneys, human resources professionals, and finance department employees, virtually all information technology employees and managers with money-handling responsibilities appear to fall within the scope of the law’s exceptions. By contrast, most lower-level employees — except perhaps customer service positions involving access to sensitive customer information — likely would be covered. Each employer will need to conduct its own analysis to identify the categories of Illinois employees from whom credit information can lawfully be obtained and considered in employment decisions.

For further analysis of this development, see Littler ASAP "New Illinois Law Puts Credit Reports and Credit History Off Limits for Most Employers and Most Positions" by Philip L. Gordon and Jeffrey C. Kauffman.

This entry was written by Philip L. Gordon.

Photo credit: contour 99