New Illinois Social Media Privacy Law



On January 1, 2013, new Illinois legislation will go into effect, which will limit employers' ability to gain access to employees' or job candidates' social media content.  The legislation, HB3782, bars employers from requesting or requiring any employee or prospective employee to provide a password or related social networking account information.  After news reports early this year talked about employers insisting on seeing job candidates' Facebook pages, or on candidates disclosing their login credentials, as a vetting mechanism, state legislatures have introduced bills to prohibit this conduct.  For a copy of HB3782, click here.

HB3782 adds a new subsection (b) to Section 55/10 of Chapter 820 of the Illinois Compiled Statutes.  Subsection (b) says it is unlawful for an employer to request or require a password or other related account information from an employee or prospective employee in order to access his or her account or profile on a social networking website.  "Social networking website" is a defined term in the statute.  It is also unlawful for an employer to demand access in any manner to an employee's or candidate's social networking account or profile.

The legislation has three important exceptions.  First, HB3782 does not bar workplace policies regarding the use of the employer's electronic equipment.  This exception applies to policies covering Internet usage, social networking site usage, and email usage.  Under this exception, an employer could require disclosure of social networking login information if it is used on a company-issued device, but not for an employee's own device.  Companies with "Bring Your Own Device" (BYOD) policies could not require disclosure of social media login information used on employees' devices.

Second, the legislation does not limit an employer's right to monitor usage of the employer's electronic equipment or email, provided that it does not request or require the disclosure of social media login information.  Interestingly, this exception would permit password sniffing or keystroke logging on the employer's equipment that reveals an employee's social media login credentials.  Nonetheless, as with the previous exception, employers would not be able to monitor the use of devices belonging to employees (or job candidates), as would be the case with BYOD policies.

Finally, the legislation does not bar employers from obtaining access to public domain employee information.  Presumably this exception would cover items posted by the employee or candidate on publicly-accessible social media pages.  The legislation is focused on requests or demands communicated to the employee for login credentials or access to social media pages, such as private pages.  What the employer does by itself via a search engine or searches of publicly-available social media pages is not covered.

Interestingly, HB3782 is focused on "social networking websites."  These days, it is common for people to access social media via apps on their mobile devices.  The statute does not expressly cover an employer demanding access to a social networking app.  Nonetheless, the definition of "social networking website" says it is "an Internet-based service" that has certain characteristics.  Since social media apps on the mobile Internet are an "Internet-based service," the definition is likely broad enough to cover mobile apps.  Also, the popular social media apps, such as Facebook, are also accessible on websites.  Accordingly, a judge is likely to say that an employer cannot circumvent the law by demanding access to an employee's mobile device in order to see private content on his or her Facebook app.

Companies with Illinois employees or job candidates should reexamine their human resources policies to ensure compliance with the new legislation.  Moreover, they should add HB3782 to their list of HR training topics to make sure that recruiters and hiring managers comply.  Finally, employers should take HB3782 and similar applicable legislation into account when establishing employee privacy, acceptable use, and mobile device policies and practices.

Stephen Wu

Partner, Cooke Kobrick & Wu LLP

http://www.ckwlaw.com/Information-Security-and-Privacy-Law-Resources/

swu@ckwlaw.com


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

