More States Bar the Boss from Workers’ Social Media Sites

By Rich Ehisen, State Net Capitol Journal

Amidst concern over employee privacy rights, a growing number of states have restricted the access of employers to their workers' and job applicants' social media accounts.

As of May 22, six states this year have adopted such laws. Oregon Gov. John Kitzhaber (D) and Washington Gov. Jay Inslee (D) were the latest to sign on, inking their names to OR HB 2654 and WA SB 5211, on May 22 and May 21 respectively. They joined governors in Utah, Arkansas, New Mexico and Colorado who have signed similar bills in 2013. Those states join the four — Maryland, California, Illinois and Michigan — who first adopted the prohibitions last year (See "States move to keep workers' social media passwords away from the boss" in the June 11, 2012 issue of SNCJ).

Arkansas lawmakers actually endorsed two privacy measures this year: HB 1901, which enacts the restrictions on private sector employers, and HB 1902, which applies the protection to students and employees of public universities and colleges. Gov. Mike Beebe (D) signed both in April. New Jersey also enacted a measure that applies to schools (AB 2879). The two states constitute the fifth and sixth overall, joining California, Delaware, New Jersey and Michigan, which adopted the measures in 2012.

Bills restricting access by employers have also reached the governor's desk in Vermont (SB 7) and New Jersey (AB 2878). Vermont Gov. Pete Shumlin (D) is expected to sign his state's measures into law.

Things are less certain in New Jersey, where Gov. Chris Christie (R) conditionally vetoed AB 2878 on May 6. Many considered that measure to be the most restrictive in the nation. In addition to barring employers from asking for the access information, workers and job applicants would have been able to sue employers for even asking if they have social media accounts. In his veto message, Christie said the bill would not only bar employers from legitimately assessing a job candidate's social media capabilities at a time when such skills are often a significant part of their duties, it also would potentially open employers up to frivolous lawsuits. Although the bill originally passed with a veto-proof majority in both houses, the Assembly went along with the governor, voting unanimously on May 20 to concur with his request to drop that element of the bill. It is now in the Senate and will likely return soon to Christie's desk.

Several more states may also follow suit. Bills in Louisiana, Connecticut, Missouri, West Virginia, Texas and California have cleared at least one chamber, with all but the Texas bill (HB 318) coming via an overwhelming vote. Three (LA HB 314, MO SB 164 and WV HB 2966) were unanimous. While California already restricts password access for private sector employers, its bill (AB 25) would broaden that restriction to include public sector employers.

Overall, according to State Net, 35 states have introduced social media access restriction bills this year. Most of those adopted have generally been in line with previous successful measures. There are some variations, however. In New Mexico, SB 371, signed by Gov. Susana Martinez (R) on April 5, applies only to job seekers, not current employees. In Utah, the bill signed by Gov. Gary Herbert (R) on March 26 (HB 100) applies to both public and private sector employers.

The bills adopted in Oregon, Washington and Utah also bar employers from "shoulder surfing" — forcing the worker to log into their account and then looking at the site over their shoulder — or from requiring the worker or applicant to "friend" the employer so the employee's page is then viewable. Bills signed in Colorado and Arkansas have no such limitations.

Some measures also allow employers limited ability to seek out what is on an employee's Facebook or Twitter account. The Illinois House, for instance, has endorsed HB 1047, which would amend the current Prairie State law to allow employers to ask for an employee's personal social media access information if that worker uses the site for business purposes. The measure, which would grant the workers the right to reject the request, is awaiting a vote in the Senate. Another measure, SB 2306, would amend the state's current law to specify it pertains only to blocking employer access to an employee's or job applicant's personal social media accounts, not those sponsored by the company.

New laws in Colorado, Washington, Utah and Arkansas also contain the "investigation exception," which allows employers to ask for the access information if they suspect a worker is using it to leak proprietary information. But there is a variation in how they are applied. In Washington, for instance, employers may still request content from a worker's social media account if an investigation reveals there is a legitimate reason to do so. Even so, the worker may decline the boss's request, while workers in other states may not.

Privacy advocates have hailed the slew of new restrictions. In a statement, Washington Sen. Steve Hobbs (D), who authored SB 5211, noted technological advances that allow mass information sharing have made it that much more critical to guard that information.

"Privacy shouldn't be a thing of the past that we are forced to sacrifice every time technology moves forward" he said.

But the laws also raise questions. For one, in spite of a high number of media stories on the issue, there is scant evidence that many employers ever ask employees or job applicants to surrender their log-ins. Most media references in fact cite a single 2010 case in Maryland involving a Department of Corrections employee who was ordered to surrender his Facebook information as a condition of rehire after taking a leave of absence. The employee complied but later contacted the state chapter of the American Civil Liberties Union, which challenged the policy. That led to legislation last year making the Old Line State the first to block the practice.

"The vast majority of these stories are only anecdotal," says Philip Gordon, an attorney with the Denver office of Littler Mendelson, where he chairs the Privacy and Data Protection Practice Group. He points to a 2012 survey his firm did of nearly 1,000 C-level executives, human resource managers and legal counsel from companies across the nation with capitalization up to $4 billion that indicated 99 percent of companies don't seek out such information.

There are other concerns as well. So much variation now in state law, Gordon says, will make it much harder for multi-state employers to be in compliance. It also makes it likely there will be legal challenges to some of the laws' tenets.

"In states where shoulder surfing is not explicitly forbidden, would a court rule that it is permitted or that an employer is just trying to find a cute way around these laws?" he asks. "And what about Twitter accounts? Some of these laws bar an employer from asking an employee to friend them on Facebook. Does that mean the boss also can't ask for the workers' Twitter handle, which is otherwise public information? Some of this will ultimately come down to how a court interprets the law."

It is conceivable it could also end up being decided in Congress. A group of lawmakers in the U.S. House of Representatives has introduced legislation with their own social media access restrictions, HR 537, the Social Networking Online Protection Act (SNOPA). Unlike state measures, SNOPA would apply to both employers and schools.

The bill's chances, however, are unclear. An earlier version of the bill from lead sponsor Eliot Engel (D-NY) died quietly last year when Congress adjourned without voting on it. Another Democrat, Rep. Ed Perlmutter of Colorado, took his own swing at the issue in April by adding an amendment to HR 624, the Cyber Intelligence Sharing and Protection Act (CISPA), an omnibus cybersecurity bill. While House lawmakers approved the bill, they rejected the amendment.

— By RICH EHISEN