Social media is now everywhere and, today, more and more employees access personal social media sites like Facebook, Twitter, and Instagram during the workday. In addition to wasting time, employees can put employer data at risk by using third-party file-hosting services to store company data and/or by posting company information on personal social media accounts.
To control social media uses, many employers have responded with policies and requirement designed to address social media’s risks. But employers should beware. A growing number of states have enacted workplace data privacy laws that specially impact how employers control of employee’s social media use. In addition, a federal court recently addressed an employer’s potential liability under federal law for accessing an employee’s social media account.
As a result, employers face increased difficulty—and potential exposure—when crafting privacy and cybersecurity policies to address the risks posed by employee use of social media. Despite an ever-changing social media and legal environment, in-house counsel must address these risks both quickly and carefully. In particular, counsel should pay close attention to new laws and emerging trends that stress the importance of an employee’s privacy.
State data privacy laws
Privacy and cybersecurity policies must protect company confidences while also ensuring that company personnel do not inadvertently violate a data privacy law. The National Conference of State Legislatures reports that, to date, workplace data privacy legislation has been introduced or is pending in 28 states. More than a dozen states have already enacted workplace data privacy laws.
Employers in these states face significant liability if they fail to comply with these laws. For example:
- Under Maine’s “Social Media in the Workplace” law, if an employer requires an employee to disclose login information for a social media account or personal e-mail account, the employee may institute a private civil action and recover three times any lost wages, civil damages up to $1,000, and attorney’s fees. Maine’s law further empowers the state’s attorney general to enforce sanctions.
- On May 23, 2014, Louisiana Governor Bobby Jindal signed the Personal Online Account Privacy Protection Act. Under the Act, an employer may not “[r]equest or require an employee or applicant for employment to disclose any username, password, or other authentication information that allows access to the employee’s or applicant's personal online account.” “Personal online account” includes any online service that an employee “uses exclusively for personal communications unrelated to any business purpose of the employer.” In short, under Louisiana law, employers may not ask for, nor require employees to disclose, private Facebook or Twitter account access information.
In addition to Maine and Louisiana, California, Delaware, Illinois, Utah, and Wisconsin are among states that protect an employee’s use of social media.
Exceptions to state data privacy laws
Despite their strict penalties, state data privacy laws do have their exceptions. An employer will be excused from liability in certain situations. For example:
- Under Louisiana’s new law, employers do not face liability for “[c]onducting an investigation or requiring an employee or applicant to cooperate in an investigation . . . [i]f the employer has specific information about an unauthorized transfer of the employer's proprietary information, confidential information, or financial data to an employee’s or applicant's personal online account.”
- Pursuant to Utah’s Internet Employment Privacy Act, no prohibitions exist against an employer “disciplining or discharging an employee for transferring the employer's proprietary or confidential information or financial data to an employee's personal Internet account without the employer's authorization.”
These types of exceptions complicate the drafting of a comprehensive policy governing employee use of social media, especially when a company has employees located in a variety of states. Differing standards of workplace data privacy protection make the task of creating an effective, allowable social media policy that much harder.
Case law interpreting the stored communications act
Employers must also consider federal law. The federal Stored Communications Act (SCA) imposes civil liability on those who obtain unauthorized access to “a facility through which an electronic communication service is provided.” See Ehling v. Monmouth-Ocean Hospital Service Corp, 961 F. Supp. 2d 659 at 665 (quoting 18 U.S.C. §§ 2701(a)) (D.N.J. 2013).
In Ehling, a non-profit hospital service corporation disciplined one its employees, a registered nurse, for posting an inflammatory comment on her Facebook wall. The nurse alleged that the employer’s accessing of the post violated the SCA.
Ultimately, the district court granted summary judgment to the employer on the SCA claim. The district court reasoned that while the employee’s “non-public Facebook wall posts [were] covered by the SCA,” the employer was not liable under the SCA because undisputed evidence showed that the employer obtained the post via a voluntary disclosure by one of the employee’s colleagues. The employee failed to produce any evidence showing that her colleague “provided [the] information [to the employer] in exchange for compensation (or some other benefit).” The court concluded that the employer obtained the Facebook post without “coercion or pressure” and awarded summary judgment to the employer.
Note, however, that the Ehling court indicated that employers who do use coercion or pressure to access an employee’s social media account or non-public postings may face significant liability under the SCA, as well as under state law.
When drafting a privacy and cybersecurity policy, counsel must strike a balance between an employee’s use of social media and an employer’s need for legitimate data protection. Writing a policy is difficult, given the constantly evolving nature of social media, state data privacy laws, federal law, and the considerable lack of controlling judicial precedent. Nevertheless, cases like Ehling and the growing tide of state legislation make clear that in-house counsel cannot ignore the task, nor the potential liability new social media data privacy law creates.
The articles on our Website include some of the publications and papers authored by our attorneys, both before and after they joined our firm. The content of these articles should not be taken as legal advice.