Oregon State Bar Bulletin MAY 2014
On Jan. 1, 2014, Oregon’s new social media “password protection” law, House Bill (HB) 2654, went into effect. The law protects the social media privacy rights of job applicants and employees, and it applies to all Oregon employers, however large or small. As a result, it is of consequence not only to employment law practitioners, but to any law firm that has employees. Boiled down to its essence, HB 2654 makes it unlawful for an employer to:
1. Request that a job applicant or employee disclose his or her password to a social media account;
2. Compel an employee or applicant to add it to a contact list associated with a social media account — e.g., to add the employer as a LinkedIn “connection” or a Facebook “friend”;
3. Compel an applicant or employee to access her password-protected social media content in the presence of an employer representative, so that he may view it (a practice referred to as “shoulder surfing”); or
4. Retaliate against or penalize an applicant or employee in any way for refusing to disclose a password, refusing to “connect” or refusing to allow an employer representative to “shoulder surf.”
HB 2654 is part of a wave of “password protection” laws that have been enacted throughout the country within the past two years.1 This wave of legislation was prompted by Associated Press (AP) reports that that circulated in early 2012, describing incidents in which employers demanded job applicants’ log-in credentials — or “shoulder surfed” their social media accounts — as a regular part of conducting background checks for prospective employment.2
The AP reports provided no evidence that these practices were widespread.3 Still, there is no question that HB 2654, like similar laws passed in other states, was enacted with admirable purpose: empowering employees to keep their personal social media lives separate from their work lives, when they so choose.
A Law of Unintended Consequences?
Unfortunately, while HB 2654 has an admirable purpose, there are some serious problems with the way it was drafted. Consequently, it could end up harming employees more than it protects them and imposing much greater costs and liabilities on employers than the legislature ever intended.
This article explores three of the most serious issues raised by HB 2654. Ultimately, the true impact of the law will depend in large measure on how the courts end up resolving these issues. Until then, this article offers some suggested strategies that employers and employees might utilize to mitigate the problems created by the law’s uncertainties.
How Will HB 2654 Affect Ownership of Nonpublic Social Media Content?
One of the most important exceptions in HB 2654, which might be described as the “employer account” exception, provides that an employer may compel an employee to disclose a password to a social media account if the account has been “provided by” the employer or is “to be used on behalf of the employer.” This exception, although important to protect employer rights, is so broadly worded that it could have the perverse effect of forfeiting an employee’s control over personal information contained in a social media account that he or she created.
To understand how this might occur, consider the following hypothetical:
The law firm Dewey, Cheatum & Howe decides that its associate attorneys (who are its employees) need to do a better job pulling their weight when it comes to bringing in new business. In conjunction with broader marketing initiatives, the firm implements a new policy requiring its associates to actively promote the firm’s services by regularly posting, on their LinkedIn accounts, short articles concerning recent legal developments of significance to the firm’s clients. Associate John Doe had already set up a LinkedIn account before joining Dewey. However, on the date the firm announces the new requirement, he has not actively used the account for several months. Over the next year, however, he complies with the firm’s new requirement and posts a topical legal article on his account at least once each month. He rarely accesses the account for any other purpose.
It would seem that the LinkedIn account Mr. Doe created before joining Dewey now exists primarily “to be used on behalf of the employer.” Consequently, HB 2654, read literally, now authorizes Dewey to compel Mr. Doe to disclose the password that he uses to access the account, thereby allowing Dewey to access and appropriate information that Mr. Doe might understandably prefer to keep private — including, among other things, the contents of private email messages that he has sent and received via LinkedIn’s servers. Although this result may seem antithetical to the core purpose of the law, it may nonetheless be the “correct” interpretation of HB 2654 if it is the interpretation that the bill’s plain language demands.4
To avoid being placed in the unfortunate situation of our hypothetical Mr. Doe, an employee who is asked to use his social media account for work purposes, might consider two different options: a) set up a separate account exclusively for work purposes, and avoid storing or transmitting any data on that account that he does not want his employer to view; or b) ask his employer to explicitly acknowledge, in writing, that his use of his account for work purposes will not give the employer the right to access any nonpublic content stored in the account.
Employers, for their part, should not assume that they gain the right to demand passwords and access employee-created accounts simply because the accounts have been used for work purposes. Even if HB 2654’s “employer account” exception allows this (and we cannot know for certain until the courts interpret it), such conduct might still violate federal laws like the Stored Communications Act (18 U.S.C. §§ 2701, et seq.). Therefore, if an employer wishes to have access to social media accounts used to promote its products or services, it should set up new accounts to be used specifically and exclusively for such promotional purposes. The employer should obtain a signed acknowledgement from each employee who uses such an account that: a) its contents are the employer’s exclusive property; b) it can access the account at any time; c) the employee must promptly disclose the password for the account upon request; d) the employee has no expectation of privacy in any information stored in the account; and e) the account is to be used for work purposes only.
How to Interpret the Term Compel
HB 2654 makes it unlawful for an employer to compel an employee to add it as a social media contact. However, the law does not define the term compel. This raises the question of how broadly will courts interpret the term.
A second hypothetical — again involving our perennial whipping-boy, Dewey – may help shed light on the nature of the problem:
At the all-attorney meeting at which Dewey’s new marketing initiatives are announced, Dewey’s marketing director “strongly encourages” associates to build their networks on their LinkedIn accounts. The first thing each associate should do, she emphasizes, is to make sure they send an “invitation to connect” to every partner at the firm with a LinkedIn account. About six months later, in the course of collecting information for associate Jane Roe’s annual review, Ms. Roe’s supervising attorney asks the marketing director how Roe has progressed in her social media marketing efforts. The marketing director relates that Ms. Roe’s efforts have been lackluster, at best. Specifically, Ms. Roe has not sent a single invitation to connect to a partner of Dewey. The supervising attorney, but for this report, would have given Ms. Roe a 4 out of 5 on the “business development” category of her review. However, she instead gives her a 3, noting that Ms. Roe “should increase her efforts to meet the firm’s expectations with respect to its social media initiatives, starting by sending invitations to connect on LinkedIn to each partner of this firm.” After reading this criticism, Ms. Roe immediately sends invitations to connect to every partner at Dewey with a LinkedIn account.
Do the facts of this hypothetical suggest that Dewey has violated HB 2654’s prohibition against “compelling” an employee to add it as a social media contact? Quite possibly. After all, the partners at Dewey are undoubtedly Ms. Roe’s “employers.” Moreover, Ms. Roe could plausibly argue that she felt “compelled” to send them LinkedIn invitations, given the prospect of once again being downgraded on her review if she failed to do so.
To avoid the potential liability that our hypothetical Dewey firm now faces, employers should train all supervisory staff and marketing personnelon the new law, with the aim of ensuring that no employee feels compelled to add any higher-level employee or firm partner or business owner as a social media contact. At a minimum, this will involve: a) cautioning marketing personnel against advising employees whom in the firm they “should” or “must” add as social media contacts to help promote their services; b) advising supervisors not to retaliate against a subordinate in any way for rejecting a social media invitation; and c) explaining to any person with any role in performance evaluations that he or she must completely disregard whether an employee has accepted or rejected social media invitations from his or her superiors (or evaluators) when giving input about the employee’s performance. Finally, employers should explain to all management employees the inherent, unavoidable perils associated with sending social media invitations to subordinates or any employees below them in the company hierarchy.
How to Interpret the Term Employer
HB 2654 makes it unlawful for an employer to retaliate against or penalize an employee in any way for rejecting the employer’s social media invitation. This raises the question, for purposes of HB 2654, how much authority must a supervisor have over a subordinate to be deemed to be acting as the “employer”? The answer will determine when an employer may be held vicariously liable for its supervisory employees’ personal violations of HB 2654.
Unfortunately, HB 2654 itself leaves the question unresolved, and Oregon case law provides little guidance. As a result, employers should prepare for the worst-case scenario: that even the lowest-level supervisor might ultimately be deemed an “employer” for purposes of HB 2654, exposing her employer to potential vicarious liability for her individual actions. The following hypothetical might help illuminate the nature of the risk:
Patricia Prickly is a lead worker on Acme Widget’s production line. Anne Umbrage is an entry-level production worker on that line, working under Ms. Prickly’s supervision. Ms. Prickly does not have the authority to fire, demote or discipline Ms. Umbrage, or take any action that would tangibly affect the terms of her employment. However, she does direct Ms. Umbrage’s day-to-day activities, determining how much time Ms. Umbrage will spend on the various tasks performed by workers in her position. In addition, she provides feedback to management regarding Ms. Umbrage’s performance, which is incorporated into Ms. Umbrage’s performance reviews. After a few weeks on the job, Ms. Prickly, who believes that she and Ms. Umbrage have become fast friends, sends Ms. Umbrage a “friend request” on Facebook. Ms. Umbrage, who actually dislikes Ms. Prickly intensely, rejects the request. Immediately thereafter, Ms. Prickly begins to assign Ms. Umbrage the odious task of widget polishing (viewed as the worst task on the line, due to the rancid smell of polish) with increasing frequency, and more often than she assigns that task to other employees under her supervision. In addition, Ms. Prickly reports that Ms. Umbrage has a “poor attitude” when her input is solicited for Ms. Umbrage’s performance review.
Has Acme just violated HB 2654’s prohibition against taking “any action to … penalize an employee” for her refusal to add the employer as a social media contact? Well, if Ms. Prickly qualifies as Ms. Umbrage’s “employer” for purposes of HB 2654 — which is possible if the courts end up adopting an expansive approach to vicarious liability under the new law — then it probably has.
To avoid the possibility that the actions of even low-level “leads” like Ms. Umbrage might result in vicarious liability, some businesses may be tempted to adopt what might be called “Facebook Nonfraternization” policies, prohibiting any employee with any supervisor authority whatsoever from requesting that any subordinate add him or her to a social media contact list. Adopting such a policy seems like a bad idea, though, for at least two reasons: 1) it would inevitably have a negative effect on workplace morale and provoke staff resentment; and 2) to the extent the policy impedes social media communications to or from supervisory employees who fall outside the fairly restrictive definition of “supervisor” under the National Labor Relations Act, the National Labor Relations Board might view it as running afoul of Section 7 of the NLRA, which protects the rights of nonmanagement employees (i.e., nonsupervisors) to “engage in … concerted activities for the purpose of mutual aid and protection.” See 29 U.S.C. § 152(11) (defining supervisor), 29 U.S.C. § 157 (regarding concerted activities). Still, if certain employers choose to adopt nonfraternization policies nonetheless, in an understandable reaction to HB 2654’s open-ended anti-retaliation provisions, this would represent another instance in which the law — directly contrary to its purpose — actually provokes more interference in employees’ personal social media lives, instead of less, by prompting some employers to declare social media relationships between subordinates and supervisors completely off limits.
Instead of overreacting by imposing nonfraternization policies, however, employers are better served to put into place universally applicable social media policies that include the following provisions, among others: a) with the exception of employer-owned accounts, no employee will be asked to provide a password to an account, compelled to add the employer (or any supervisor) to a contact list, or compelled to access password-protected social media content in the presence of a supervisor or employer representative; b) an employee is free to reject a social media invitation sent by any coworker or superior, and will suffer no negative job consequences as a result; c) an employee who feels he or she has been penalized for rejecting a social media invitation, or opposing any other practice prohibited by HB 2654, should complain to human resources or another designated representative; and d) engaging in any prohibited retaliation, or other violation of the policy, will subject the violator to serious discipline.
Such provisions, properly implemented and enforced, will allow employers to effectively mitigate the potential new liabilities created by HB 2654, without being overbearing.
There is no one-size-fits-all approach to implementing policies in response to HB 2654. However, this article offers some baseline suggestions for achieving compliance with the new law. Regardless whether a particular employer decides to go beyond these suggestions and implement additional safeguards against liability, thinking through the issues and making sure good policies and practices are put into place — rather than waiting until something goes wrong and undertaking an ad hoc response — is of utmost importance. An employer may wish to involve an experienced employment law attorney in this process. Sound legal advice can only help in navigating HB 2654’s hidden landmines.
1. Other states that have enacted similar legislation at the time of this writing include Arkansas, California, Colorado, Illinois, Maryland, Michigan, New Jersey, New Mexico, Nevada, Utah and Washington.See www.ncsl.org/research/telecommunications-and-information-technology/employer-access-to-social-media-passwords-2013.aspx (a summary from the National Conference of State Legislatures of the status of “password protection” legislation in each state that has considered a bill on the issue) (accessed March 11, 2014).
2. See, e.g., www.co.uk/news/article-2111059/Colleges-jobs-asking-Facebook-email-passwords-job-interviews.html?ito=feeds-newsxml and www2.timesdispatch.com/news/2012/mar/28/aclu-warns-state-police-social-media-checks-applic-ar-1798387/
3. Actually, the results of at least one nationwide poll suggest that such practices are so vanishingly uncommon that the current wave of password-protection legislation represents the consummate “solution looking for a problem.” See Phillip L. Gordon, Amber M. Spataro, and William J. Simmons,Social Media Password Protection and Privacy – the Patchwork of State Laws and How it Affects Employers, Littler Report (May 2013), available at:www.littler.com/files/press/pdf/WPI-Social-Media-Password-Protection-Privacy-May-2013.pdf.
4. There is a strong presumption under Oregon law that a statute’s plain language should be given effect, even if extrinsic evidence suggests that the legislature might have meant something different than what it actually said in the statute. See State v. Gaines, 346 Or 160, 172 (2009) (“a party seeking to overcome seemingly plain and unambiguous text with legislative history has a difficult task before it”).
ABOUT THE AUTHOR
Dan Webb Howard is an employment law attorney and appellate practitioner with the law firm of Gleaves Swearingen, located in Eugene.
© 2014 Dan Webb Howard