Remember last year when everybody on Facebook got all upset because some employers and colleges were asking applicants for social media passwords, and then judging them by what they had posted? State lawmakers around the country spotted an election year issue they could relate to, and quickly started passing laws prohibiting employers and educators from demanding social media passwords.
There was lots of celebrating over the backlash, and online activists congratulated themselves on taking a stand for employee privacy. But maybe the giant sigh of relief heard around the Twitterverse about preserving privacy came just a bit too soon. It turns out that even the more restrictive privacy laws have exceptions that still let companies see what’s in an employee’s personal social media account. Most of them, in fact, just protect job applicants – not those who already have jobs.
There are three situations in which most working Americans can be required to provide complete access to their personal social media accounts – plus two more that can come back to bite nearly anyone, anytime. They are:
- An employer-provided device or service
- Agreed policies or employment contracts
The two that can come back to bite nearly anyone, anytime are court orders and frenemies. If a court orders you to turn over social media passwords, or provide access to your social media accounts as part of a lawsuit, you must comply.
You can find yourself the subject of a court order anytime you are involved in some kind of legal action, or are being investigated by law enforcement authorities or a company that believes you have done something wrong. If you’ve been injured on the job, in a car accident, or in any other situation where an insurance company is challenging payments to you, you might as well just expect them to access your social media accounts. The chances that they won’t are minuscule.
You may be told that a court order has been issued, or if there is a criminal complaint pending or you are being investigated by a government agency such as Medicaid, the IRS, or a regulatory agency that enforces rules in your industry, they may go directly to the company which has the data — your Internet Service Provider, Google, Facebook, Tumblr, etc. — and get the information that way. Rarely, companies will ask for access, and your attorney can argue against it, but courts in some places (like one in my home state) have tended to grant the requests without allowing notice to prevent people from deleting material that could be damaging.
Most people are surprised to find out that there’s no rule against your friends sharing something you posted with your employer or an investigator, bill collector, or law enforcement agency. Sometimes, they don’t even realize that they could be getting you in trouble — maybe they thought it was funny, so they shared it with someone at work or with a friend of theirs who was no friend to you.
It’s even legal for companies and government agencies to pay your friends or offer them an incentive to share your social media accounts with them if they can’t get access to your information another way. Once you share a photo, a post, or anything else via social media, the people you gave permission to access it can show it to anyone they like. All they have to do is take a photo of the screen, and email it to someone — or simply hand over their device and let the “interested party” browse to their heart’s content. This is how stupid criminals get caught when they post photos of themselves with stolen goods, and it’s also how many cheating spouses are caught.
So don’t post anything on any social media site — not even those restricted to “friends only” — unless you are comfortable with what you post being shared with your employer and anyone else.
Employer Provided Device or Service
There is no such thing as a free phone or laptop. The rules on what’s “private” and what isn’t change dramatically when an employee accesses the Internet from a device provided by the employer (such as a company-owned cell phone) or on a service provided by the employer (such as the company’s broadband network, or on a virtual private network or wireless service paid for by the employer or reimbursed by the employer). Remember that if you travel on behalf of your employer, and use a broadband connection in a hotel room your employer pays for, that may also be “employer provided service”.
Some states allow the employer access to any account, site, or document – including those in a personal email account or social media account accessed from the device or service – if your employer pays for the device or the service. And some regulations — notably FINRA (banking, financial services and insurance workers), HIPAA (healthcare), and FERPA (education) — do not recognize any difference between online and social media activity conducted in conjunction with a job, and activities conducted on a personal account.
So in most cases, you must turn over passwords and all data and content on all accounts (personal and business) if you work in a regulated industry or if your employer buys your phone, reimburses for your cell phone service, or provides the Internet connection you’re using.
Nearly every law passed regarding social media passwords allows an employer to get access to an employee’s social media account as part of an investigation – and there are few limits on what the investigation is about. California has one of the most restrictive password laws out there, but it allows access to employee personal accounts if the information is “reasonably believed to be relevant to an investigation of employee misconduct” so long as the “social media is used solely for purposes of that investigation or proceeding.” (Cal. Labor Code Section 980).
Note the wording here. The social media account does not actually have to be related to the investigation – just that management has to “reasonably believe” that it might be. I feel certain (with no hard evidence one way or another) that courts would apply a “reasonable employer” standard similar to the “reasonable person” standard applied in self-defense cases. So a creepy manager who just wants to stalk employees online can’t get away with it.
As a practical matter, courts usually give companies wide discretion to investigate employee misconduct – and, of course, employers decide what misconduct is (and is not) in the first place.
Ignore the part of the law about using the information “solely” for the purpose of the investigation. It doesn’t mean a thing, since most investigations into potential misconduct are about whether or not someone should be fired.
Luckily, some states have other laws that restrict how employers can discipline or terminate employees for off-duty conduct, so most employers will likely not take the “investigation exception” to give them carte blanche to search through employee social media accounts. But I won’t be counting on any legal protections for my social media accounts. I live in Texas, an “employment at will” state, where a company can fire an employee for anything, or nothing at all.
Employment Agreements and Policies
Employment contracts have been around for centuries, and so have employment policies. (Think about the oaths of fealty medieval knights swore to barons: they were in part an agreement about the rights, privileges, and responsibilities that went along with the job.) As employees become more concerned about privacy, many are negotiating privacy rights, ownership of social media accounts, and access to data as part of the employment contract.
There’s nothing wrong with a company creating and enforcing policies on how employees use social media. One of the exceptions in the privacy laws is that employers can access an employee’s social media account to see if the employee is violating the company’s social media policy. At least there are rules on what a company can put into a social media policy in the first place.
Even in a right-to-work state like Texas, the “pre-union” rules apply – so an employer can’t have a policy that prohibits an employee from talking about what it’s like to work for the company, including criticizing management policies, working conditions, pay, or discussing workplace safety issues. This doesn’t mean you can say anything you want about your boss or your job and still keep the job, just that there are some protections available to employees.
So take time to read your company’s social media policy. Chances are it prohibits you from doing things you shouldn’t do anyway, such as disclosing company secrets relating to products or processes, violating securities laws, violating regulatory rules, or breaking the law (copyright or trademark violations, defamation, etc.).
If you are an employee, and worry about your social media and online privacy, here are some practical steps you can take to protect yourself.
- Keep it out of the office. Don’t access social media sites from a device or network owned by your employer. Just don’t do it. Pay for your own network access – or use a public WiFi service outside your workplace – and use your own cell phone, tablet, or home computer to do it.
- Know what laws apply to you. For example, I work as a consultant to a company based in California – but California’s protections for workers do NOT apply to me. I am governed by the laws of Texas, which favor employers.
- Understand your employment agreement and company policies about online activities related to your job, and those that apply to your personal use of online services. Don’t sign a stack of papers without reading them – and if you don’t understand it, don’t sign it. If you have an online alter-ego that’s incompatible with your employer’s business, keep it to yourself. This is more than “don’t ask, don’t tell”, it’s more like, “don’t tell, don’t hint, and don’t even think about disclosing.”
If you are an employer, err on the side of not trying to control too much of what your employees do online. The courts are beginning to rule that if you try to control it, you have to pay for monitoring and enforcing those rules for everyone on your workforce – and you could be volunteering to assume responsibility for what your employees do online.
- If you have a bring-your-own-device policy, use a third-party management tool with mobile device management (MDM) capabilities to protect your company’s information stored on employee-owned devices, and don’t cross the “partition” between personal and company data on those devices – not even in the event of a data breach or lost device, when you activate a remote wipe of company data.
- Don’t be so eager to use social media in hiring or promotion decisions that you make mistakes. Do your homework on what policies are legal in the state where your employees work – especially if you have “virtual” employees who work in another state – and make sure that you aren’t crossing the line between personal and professional conduct in your human resources decisions. The goal is risk management – so don’t go so far that you take on more risk than you have to.
- Block access to problem sites from your company servers and networks. There are few companies where access to websites devoted to games, porn, dating, or politics is a job requirement – so avoid problems and save bandwidth by having an internal or external IT manager install filtering software that blocks those sites.