Privacy laws that protect employees at work historically have
been considered sparse and virtually toothless. Only employers that
engaged in brazen acts of surveillance or intrusion into
employees' narrow "zones of privacy" faced liability.
While privacy protections have ballooned in the consumer,
healthcare, and telecom sectors over the last decade, employee
privacy rights largely stood frozen. As a result, businesses paid
little attention to workplace privacy compliance obligations. That
time has passed.
Like the seemingly benign Trojan Horse in which hid an elite force
to attack an unsuspecting enemy, the growing wave of employee
privacy laws are far more expansive than they appear on the
surface. Indeed, because some of these laws do not even sound like
they contain employee privacy protections, they are often ignored.
Other privacy laws have "top line" compliance obligations
that are easily met, but contain ambiguities and public policy
consideration that invite expansive judicial interpretation. One
such Trojan Horse privacy law that recently emerged protects
employees' social media accounts from employer access.
Employee social media protection laws clearly are in vogue. In the
last two years, over half the states have enacted or introduced
statutes that generally prohibit employers from requiring employees
to disclose passwords to their social media or personal web
accounts and protect employees from discipline or termination if
they refuse. To the chagrin of multi-state employers, the patchwork
of state laws vary widely in scope: some prohibit employers from
even "suggesting" that employees disclose their passwords
or change their privacy settings; some prohibit unauthorized
viewing of private accounts; and some permit requests for account
access to investigate theft, harassment, or other workplace
misconduct. A common thread of these laws, however, is braided from
a public policy view that employees have the right to shield their
private on-line activities from their employers' eyes.
As noted above, an employer's "top line" compliance
obligations for most password protection laws are straightforward
– do not request applicants or employees to disclose their
social media passwords unless the applicable statute provides an
exception in your circumstances. Remember, however, we are dealing
with Trojan Horse privacy laws that contain hidden risks.
One such risk stems from a company's reliance on outdated
employee computer monitoring policies. Nearly every private sector
employer has a policy notifying employees that they have no
expectation of privacy when using company computers, phones, or
electronic devices, and that their usage can be monitored at any
time, for any reason, without notice. Robust electronic monitoring
policies continue to have enormous value, but they are not
impenetrable barriers to employee privacy claims. In fact,
excessive reliance on an outdated computer monitoring policy can
blind your company to the risks posed by the new password
protection laws.
Consider a supervisor who is burning to know what his employees are
saying about him on their private social media accounts or blogs,
which they regularly access on company computers. Armed with an
"ironclad" computer monitoring policy, the supervisor
logs into his employees' work computers and reviews their web
browsing history, including social media activity. How far can the
supervisor go under the protection of the computer monitoring
policy? If the supervisor limits his review to the actual social
media pages the employees accessed on company computers, that is
unlikely to generate a viable claim. However, what if the
supervisor gains access to the employee's social media account
because her work computer saved her password credentials and then
snoops around? Under that scenario, the supervisor may be able to
see the employee's social media content she never
viewed while she was at work or new
content that she created after she left work.
Another Trojan Horse privacy risk hidden in social media protection
statutes can arise with far less effort and by personnel with no
authorization to access other employees' computers. Rather than
directly asking the "target" employee to turn over his
social media password, the supervisor asks a co-worker
"friend" with authorization to view the target
employee's account to log in and show the content to the
supervisor. Whether this "friend" provides the supervisor
with the target employee's private social media content
voluntarily, under threat of termination, or completely on his own
volition because he dislikes the target employee will impact the
liability equation.
Critically, however, under these scenarios the employee's
privacy interests in her social media content have been
compromised, even though the supervisor never requested or required
the employee to provide her password. It does not take a visionary
to predict how some courts will view these backdoor tactics to
access private employee social media content in light of the
underlying policies of the password protection statutes. There is
your Trojan Horse.
There is no one-size-fits-all solution to minimize every
employer's risk of exposure under the new social media
protection statutes. Among the best practices to consider include:
analyzing the specific laws and compliance obligations that apply
to your organization in light of its locations, size, technology,
and culture; designing and implementing clear electronic
monitoring, password protection, and
BYOD policies that consider those factors; blocking employee
access to certain sites; and initiating regular training and
auditing protocols as the law and technology develop. Employee
privacy laws are no longer embryotic; they've grown teeth, and
the threat is real.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.