This article was initially posted by the New Hampshire Business Review and can be found here.
How State’s New Social Media Access Law Will Work
Measure gives employees privacy in their personal email and social media accounts
By J.P. Harris
A new state law imposing civil fines on employers who attempt to invade employees’ personal email and social media accounts – which becomes effective Sept. 30 – applies to accounts used by employees and prospective employees “primarily for personal communication unrelated to any business purpose of the employer.”
Employers are now prohibited from requiring employees and applicants to disclose their login information for personal accounts, a method some employers used to directly monitor communications and to observe social media activities. Employers are also prohibited from requiring employees and applicants to “like,” “friend” or “connect” with an agent of the employer so that the employer can view all posts sent or received by the employee.
The Legislature did, however, specifically enumerate activities employers may lawfully undertake. Employers are allowed to adopt and enforce “lawful” policies governing the use of the employer’s electronic resources, social networking sites and email resources. The Legislature did not define “lawful,” but it is common for employers to adopt policies expressly reserving the right to monitor any communications sent or received using the employer’s network, and the new law allows employers to continue to do so.
Therefore, if an employee utilizes a computer and Internet connection provided by the employer to access his or her personal email account or update his or her Facebook page, the employer may exercise the right to receive and view the communications.
The new law addresses only attempts to compel disclosure of login information; it does not prohibit the type of monitoring many employers currently undertake through a written policy.
The Legislature also clearly limited the scope of the new law to personal accounts. Employers may lawfully compel disclosure of login information for any account provided by the employer. In other words, if an employer supplies the employee with an email address using the company’s domain name, the employer may compel the employee to disclose passwords necessary to access the account.
The new law also allows employers to compel disclosure of login information to access “an electronic communications device … paid for or supplied by the employer.”
This creates a potential murky situation in which, for example, the employer paid for the smartphone used by the employee to access his/her personal email account. Under the statute, the fact that the employer paid for the device grants it the right to compel login information to the device, which may contain information from the employee’s personal account.
No free pass
The Legislature also empowered employers to access personal accounts to conduct investigations of employee misconduct. Where an employer receives information of illegal activity occurring on an employee’s personal account, the employer may insist on disclosure of login information to obtain relevant information from the personal account.
Similarly, if the employer receives specific information suggesting that the employee misappropriated the company’s confidential information using a personal email account, the employer may require login information to access relevant information in the personal account.
The statute indicates, however, that employers do not get a free pass to access the entire personal account, but can insist on cooperation to access only that portion of the account that might be tied to the investigation.
Whether an employer has sufficient cause to insist on accessing the personal account in a particular instance can be difficult to answer. If an employer did not have sufficient reason to insist on access to the personal account, the employer may be assessed a civil fine for threatening to discipline or disciplining the employee for refusing to cooperate with that portion of the investigation.
It has become increasingly common for employers to utilize the Internet and social media to vet applicants for employment and monitor employee activity. While surveys suggest that employers in New Hampshire are not asking for passwords to accounts, employers are very interested in what employees say about the company on social media sites.
New Hampshire’s new statute is not the only minefield for employers. The National Labor Relations Board has consistently declared unlawful any policy that might reasonably be interpreted as chilling employees’ discussions of the terms of their employment. Most attempts to prohibit employees from making negative statements about the company have been deemed unlawful. Some efforts to protect confidential information have also been declared unlawful.
Since employers must marry the recently adopted New Hampshire law with NLRB restrictions and other laws, they should take this opportunity to review their handbooks and policies for compliance in this ever-changing landscape.
James P. Harris, a shareholder at the law firm of Sheehan Phinney Bass & Green, can be reached at 603-627-8152 or firstname.lastname@example.org.