Social Media Privacy Legislation and Its Implications for Employers and Employees Alike

• Publication year: 2019
• Author: By Robert B. Milligan, Daniel P. Hart and Sierra Chinn-Liu

SOCIAL MEDIA PRIVACY LEGISLATION AND ITS IMPLICATIONS FOR EMPLOYERS AND EMPLOYEES ALIKE

By Robert B. Milligan, Daniel P. Hart and Sierra Chinn-Liu¹

I. INTRODUCTION

According to the Pew Research Center, approximately seven-in-ten Americans use social media to connect with one another, engage with news content, share information and entertain themselves.² YouTube and Facebook are the most widely used online platforms: these two platforms, respectively, are visited by 73% and 69% of Americans every day.³ Sites and applications such as Twitter, Instagram, LinkedIn, and SnapChat also garner substantial daily use.⁴

Social media clearly influences and permeates our daily lives—and the workplace is no exception. Companies frequently conduct business via social platforms, and employees often use social media on the job for both personal and work-related reasons.⁵ The pervasive use of social media, however, creates a tension between the rights of employees to personal privacy on the one hand, and the needs of companies on the other, to protect corporate intellectual property, comply with regulatory reporting requirements, guard against cyber threats, and maintain appropriate systems and data management practices.

To address these concerns, starting in 2012, twenty-six states enacted social media privacy laws that prevent or limit employers from requesting passwords to current or prospective employees' personal internet and social media accounts.⁶ In varying degrees and differing ways, these laws directly impact an employer's ability to request or require an applicant or employee to disclose his or her username and/or password; to open his or her internet or social media accounts in the presence of a supervisor; to add a representative of the employer to the employee's contact list; or to otherwise alter the privacy settings associated with the employee's internet or social media accounts.⁷ Many of the laws include a right of action to an employee subjected to statutory social media privacy violations, and provide various forms of relief—including, but not limited to, money damages, penalties, injunctions, and attorneys' fees. One state (Michigan) has even gone so far as to make it a misdemeanor for an employer to violate its social media privacy statute.⁸

[Page 83]

Most social media privacy laws contain liability exceptions and safe harbors for employers, however. For example, a number of state laws only affect access to "personal" social networking accounts, i.e., those accounts which employees do not use for employer business. Many such laws also allow account access by employers, albeit in limited circumstances, such as during investigations into employment-related misconduct or theft of employer data, or to permit access to employer-owned equipment or information systems. Some state laws authorize mandatory employer access to employee internet or social media accounts for required self-regulatory employee screening—such as, for example, broker screening under NASD and FINRA rules. And, a number of state social media laws provide immunity to employers for "innocent discovery" of protected information during ordinary network monitoring, or to employers who decline or fail to demand access to protected accounts.

A chart summarizing the variations among these state laws appears at the end of this article. Because of their relatively recent enactment, however, there is virtually no case law interpreting the applicability, sweep, or limits of these state social media privacy laws. This article highlights some of the issues that employers may face, and that courts may need to grapple with, as they undertake compliance with these state laws. Such issues include:

[Page 84]

• Whether a user's internet or social media account is a "personal" account to which employer access may be limited or prohibited—especially in states (such as California) where the social media law does not define the term.
• The permissible scope of an employer investigation that authorizes (or requires) employer access to employee internet and social media accounts;
• Implications for employer intellectual property and trade secrets, including employer vs. employee ownership of social media account-related information;
• Discovery disputes involving employee social media content; and
• The potential interaction between state social media privacy laws and other laws, such as the federal Computer Fraud and Abuse Act.

II. KEY ISSUES

A. What Does the Term "Personal" Mean in Social Media Legislation?

Many states, including California, Colorado, Nevada, and Washington, have passed social media privacy laws that do not define the term "personal." Although the state laws discussed in this article generally apply only to "personal" social media accounts, the failure by some state legislatures to define the term is problematic, as it can be unclear who in fact owns the particular accounts at issue in the absence of an express policy or agreement governing social media.

Based on recent court decisions in these states, employers likely have at least some ownership rights to an employee's social media account, even if the account is used for both employment-related and non-employment-related purposes, specifically where the employer played an important role in creating, maintaining, or developing the account.⁹

Employers could potentially evade the applicability of similar privacy laws by detailing in employee job descriptions company ownership of work-related accounts. By requiring employees to use such accounts in accordance with job descriptions and proprietary information protection agreements, an employer can attempt to ensure that company social media accounts "belong" to the company for purposes of the employer protections afforded by the relevant state social media privacy statute(s).

B. Bring Your Own Device Policies

Employers are likely to face related issues resulting from bring your own device ("BYOD") policies. When an employee uses his or her own device to access company email, files, or other information, the employer does not "own" the device, but may still have an interest in the business-related information residing on the device and protecting that information. Public employers in particular have a heightened interest in restricting employees' use of personal devices to conduct official business. See Nissen v. Pierce Cty., 183 Wash. 2d 863, 869 (Wash. 2015) (en banc) (holding that text messages sent and received by a public employee in her official capacity were public records, even though she was using her personal cell phone).

[Page 85]

An effectively written BYOD policy may protect an employer's interest in data accessed on an employee's personal device. A policy that clearly informs employees that all company-related information on the device will remain the sole property of the company, and that the company retains the right to delete company data through the use of monitoring software, may help to establish an employer's control over the information on an employee's personal device, so as to distinguish it from purely "personal" information that may be subject to the reach of an applicable state social media statute.¹⁰

C. Protectable Trade Secrets

State social media privacy laws may conflict with recent decisions about whether social media content (e.g., contact/customer lists) may be an employer's protectable trade secrets.

1. "Trade Secrets" Defined

Information and data are protectable under the Uniform Trade Secrets Act ("UTSA")—effective in 48 states—if the information derives value from being kept secret, is a secret, and is kept a secret. In the two states that have not yet adopted the UTSA, New York and Massachusetts, similar protections are provided through the state's common law. Information is kept secret if its owner takes affirmative measures to prevent its unauthorized disclosure, including but not limited to, the following: non-disclosure, restricted-use, and mandatory-return agreements; confidentiality stamps; limited internal distribution and access permissions; and password protection of computers and other devices. These efforts need only be "reasonable under the circumstances"; "absolute" secrecy is not required.

Although there are no bright-line rules for whether information is protectable as a trade secret, courts generally find that information is a trade secret where (i) the information is the result of a substantial investment of time, effort, and expense; (ii) it generates independent economic value for its owner; (iii) it is not generally known in the relevant industry; (iv) it cannot easily be accessed by legitimate means; and (v) it cannot be independently reverse engineered without significant effort and expense. Experience reveals that in many cases, the more egregious a defendant's theft of an alleged secret, the more likely a court will find that the stolen data qualifies as a trade secret.¹¹ This is the case not merely because of the court's desire to punish egregious behavior, but because an employee's theft and subsequent use of stolen data or information tends to reflect the independent economic value of the stolen information, and also tends to show that the information was not publicly available.¹²

[Page 86]

2. Potential Impact on Account-Content "Ownership"

Social media privacy laws also raise questions about account-content ownership (e.g., LinkedIn connections)—especially where, as in several states, the social media privacy statute does not define what is meant by "personal" internet or social media account information.

The Cellular Accessories and PhoneDog cases, discussed Section II.A., above, held that an employee's LinkedIn account (Cellular Accessories and Eagle) and Twitter feeds (PhoneDog), may "belong to" the employee's employer, due primarily to the employer's investment of time and expense in developing and maintaining the accounts at issue. Similarly, in Ardis Health, LLC v. Nankivell, No. 11 Civ. 5013 (NRB), 2011 WL...