Monday, November 11, 2013

Social Media's Password Law Teapot Tempest

As of November 2013, 12 states have passed so-called ‘social media password’ laws. These laws are designed to prevent employers from asking existing employees or prospective applicants for their credentials to access their social media sites. The intent of the laws is to prevent employers from prospectively, and possibly erroneously, getting an idea of the behavior, opinions, lifestyle or actions or existing or prospective employees so as to, ostensibly, determine their current or future merit as employees, and, I guess, to pre-judge whether or not this person truly represents the ‘values of the company’. Companies are still free to view social media pages of people that have no restricted access on their sites, have information that is publicly available, are open to all, or are voluntarily offered by the employee/candidate. (As an amusing aside, the names of the laws range from the innocuous and vague – ‘Internet Privacy Protection Act in Michigan’ – to the laser-focused and definitive – ‘User Name and Password Privacy Protection Act’ in Maryland.)

Since mid-2012 there has been what I can only define as a legislative vogue as states trip over each other to pass these kinds of laws. I wonder: is there really some kind of epidemic among employers or HR departments asking employees or interviewees for their social media passwords? You would think there was by the kind of activity you see in state legislatures on this topic. The issue began in Maryland from a case where an interviewer requested a Division of Corrections officer’s Facebook account information during an interview after the officer returned from a leave of absence. Rumor has it that the request was more of a demand that the officer surrender his credentials, or lose his job. You might reasonably wonder why we need laws like these when people are perfectly happy to post and tweet all kinds of self-sabotaging things about themselves and their opinions on a variety of topics without any kind of restrictions or privacy controls in place.

So really, why the need for laws to eradicate the scourge of social media password requests like it’s the polio of our age? First, demagoguery aside, I think the drive is primarily perception. It shows that politicians who are often accused of doing nothing can actually show some bi-partisan cooperation once in a while and pass a law benefiting their constituents. Second, it makes the politicians look like they are in-tune with technology and are addressing real-time concerns about issues that real people can relate to.

So what’s the fuss? I think most companies (finally) realize that protecting their employee’s privacy is as important and relevant as protecting the data of their customers. You want to send the right message to employees that ‘we care about you’, yes? (FYI to HR Depts: You know, that kind of stuff does help attract the right talent). Altruism aside, the concern of many companies, especially those in the financial services and academic worlds is the conflict that some of the existing laws have on employee oversight vs. employee privacy. Most states have an exception to the law if the request is related to an investigation of alleged employee/student misconduct or illegal activity or to ensure “compliance with securities or financial law and regulations.” But not in all cases! In fact, not in Maryland, Michigan or New Jersey. For example, once cooler heads prevailed and the New Jersey law was amended, a provision in the law originally said that no access to employee social media was allowed “in any way.” This significant restriction would have posed an enormous challenge for financial institutions that must oversee and audit (per the SEC or FINRA) what their registered representatives are saying to customers about financial products, returns, performance, etc. If access to what your employees were saying (possibly as a representative of your brand!) is not able to be monitored and reviewed, how could an institution reasonably say that they were providing supervision of their employee’s actions?

In a worst case scenario for employers who operate in multiple states, they may have to one day decide: whose law do I violate? The State of Maryland’s or the SEC? So far, this case has not been tested in a court of law. Once it does, the teapot may just bubble over.

No comments:

Post a Comment