State social media privacy laws a mixed bag for businesses

Laws limit access to employees' social media accounts, and that may be a good thing, legal experts say

New social media privacy laws that have been enacted in several states around the country, or those in the works, present something of a mixed bag for businesses.

While the laws generally limit companies from asking job seekers and employees for access to their social media accounts under most circumstances, they do provide some rules for when they can do so legally.

Utah on Tuesday joined a growing list of states with online privacy laws that restrict what employers can and cannot do with regard to the social media accounts of their current employees as well as job seekers.

Utah's Internet Employment Privacy Act (H.B. 100) went into effect on Tuesday and basically prohibits companies from asking workers for usernames and passwords that control access to their personal accounts on Facebook, LinkedIn, Twitter and other social media sites. The law prohibits companies from taking adverse action, such as firing, retaliating or refusing to hire anyone that refuses to provide such information.

It allows employees to bring a private cause of action against an employer that violates these provisions and provides for fines of up to $500 for each violation.

More than half a dozen states including California, Maryland, Michigan, Illinois and Arkansas have similar laws in place. In each case the statutes were prompted by concerns that employers are becoming too aggressive in seeking the access credentials to social media accounts of job seekers and employees.

Maryland's law, for instance, was passed after a controversial incident where a state Division of Corrections worker was asked to provide his Facebook login credentials during a recertification interview.

Similarly, Michigan's law came after an elementary school teacher's aide was fired for refusing to provide school authorities access to her Facebook profile. The request came after a parent complained about seeing what they called an inappropriate photo of her on the social media site.

Others like the National Labor Relations Board (NLRB) and the Council of State Governments have also chipped in on cases involving disputes between employees and businesses over social media usage.

The Council said it has received several reports of people being asked to delete social media accounts, supply private login credentials and "friend" the human resources director or manager as a condition of employment.

The laws have raised some concern among companies in regulated industries. The Financial Industry Regulatory Authority (FINRA), for instance, is seeking exemptions in the state laws that would allow Wall Street brokers and dealers to keep an eye on the non-personal social media chatter of their employees.

According to FINRA, it is seeking the exemptions solely to ensure that when stockbrokers talk about stocks on sites such as Facebook, LinkedIn and Twitter, they are complying with their company's policies regarding such disclosure.

The laws limit a company's ability to investigate the activities of prospective or current employees on social media sites, said Scott Sweeney, an attorney at Wilson Elser Moskowitz Edelman & Dicker LLP in Denver. But at the same time, they also codify a company's rights to obtain some forms of personal login information, he said.

Under Utah's new law, for instance, a company can ask an employee for personal login information if the company provides the account or service. Similarly, an employee is obligated to provide login credentials if the social media account is used for the employer's business, or was obtained by virtue of the employment relationship, he said.

Some of the laws, like the one in Utah, also give employers the right to ask for login information when the company has specific information that an employee is using a private social media account to store or distribute company data, Sweeney said.

Such distinctions are important. In 2011, an employee working for PhoneDog, a company that serves up news on mobile technologies, refused to relinquish control of a Twitter account with 17,000 followers upon leaving the company, said Paul Paray, a partner at InformationLawGroup in New York.

In a lawsuit, PhoneDog alleged that the employee had used the Twitter account for official purposes during his employment at the company and charged him with misappropriation of trade secrets.

The new laws could have an impact on areas such as this, Paray said. For instance, they would give a company the right to ask for access credentials in situations where it hires someone to create a Twitter or other social media account that then gains thousands of followers. "If your job is to manage a social media account then employers should obviously have access to the password," he said.

Importantly, companies may actually be better off not having access to a prospective or current employee's personal social media account, Paray said.

Often such accounts may contain information on the individual's religious affiliation, ethnicity, race and other factors that cannot be used in making a hiring decision, he said. If the company later declines a hiring offer, or terminates an employee, they would be opening the door to numerous state and federal anti-discrimination claims, he said.

"You could almost argue that this is a positive thing for employers because now it cannot be imputed on you that you violated these statutes," he said.

The main takeaway for enterprises is that they should pay attention to their social media policies, Sweeney added. "From my perspective what they should be taking away from all this is that they should be reviewing their social media policies continuously," he said. "These laws are changing on a frequent basis so reviewing them with counsel or HR personnel is a wise thing to do."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.
