In late September, California joined the growing number of states enacting laws precluding employers from taking action against employees and job applicants who refuse to turn over their social media passwords without some form of justification. Such laws should hardly come as a shock. The thought of an employer compelling employees or job applicants to hand over their passwords for no business purpose other than to snoop into their personal affairs makes little sense. It does, however, show the hysteria that is overtaking some employers when it comes to social media.
Notwithstanding the fact that there have been only a handful of actual cases in which employees have caused real (as opposed to imagined) damage to their employers through their social media postings (e.g., revealing company confidential information like product development plans), businesses seem ready to take the risk of lawsuits, adverse publicity, and seriously undermining morale in compelling their employees to grant access to those postings. The new laws do nothing more than force reasonableness back into the equation.
Legislatures are not saying a business cannot get access to social media postings under any circumstances. They are simply saying that there must be some legitimate purpose (i.e., investigating workplace misconduct) before doing so.
In my last post, I discussed the need to think carefully before collecting data. Trolling through mountains of social media postings, some of which may be extremely private, in the hope of finding something potentially relevant to the company falls squarely into that discussion. Businesses that fail to consider their actions may find themselves exposed to potential liability (including possibly violating the online terms and conditions for the social media services, violating the privacy rights of third parties that have sent private communications to the employee through those services, etc.). I suggest the better approach to mitigating risk arising from employee use of social media is to conduct training for employees so that they understand what they can and cannot post online (e.g., not reveal company proprietary or confidential information, not make use of company materials, etc.).