Illinois’ New “Facebook Password” Law May Create a Host of Unintended Consequences for Employers
August 2, 2012
Earlier this spring, the Illinois General Assembly amended the Illinois Right to Privacy in the Workplace Act, making it unlawful for an employer to ask a current or prospective employee to provide login information to their social media accounts or profiles.
Yesterday, Governor Quinn signed the amendment into law. The Act, which will take effect on January 1, 2013, makes Illinois the second state to ban employers from seeking access to employees’ and applicants’ social media information. Maryland has already passed a similar law, while dozens of federal and state legislatures and agencies consider following suit. The law prohibits employers from: 1) requesting or requiring that any employee or applicant provide their passwords, or “related account information,” to any social networking site to an employer who wants to gain access to that account; or 2) demanding access “in any manner” to an employee’s or applicant’s account or profile on a social networking website. This broad language means that, unless the information is already shared publicly, employers can no longer seek access to social media content, even if their request has nothing to do with the anecdotal concerns that led to the Act’s passage.
One aim of the Act—to protect applicants from turning over social media passwords—is unlikely to generate much controversy. As FR attorney Jeff Nowak recently cautioned in the Chicago Tribune, requesting passwords to social media accounts and profiles is not good business for a host of reasons: it exposes employers to discrimination claims, internal administrative burdens and an accusation of being tagged, ‘Big brother.’
However, the new law likely results in serious, unintended consequences, particularly for employer investigations and regulatory compliance. Increasingly, employees use personal social networking sites for business-related purposes, such as communicating with other employees or with customers and suppliers. In the higher education and public school contexts, professors and teachers often use social media to communicate with students and parents. Because the Act includes no exceptions to the ban on requesting social media passwords, it may prevent employers from investigating serious misconduct, such as harassment in the workplace or teacher sexual misconduct. Unfortunately, the hastily considered Act contains no exclusions for these types of workplace misconduct investigations.
The Act may also prevent public employers from fulfilling their duties under the Illinois Freedom of Information Act (FOIA). As we reported in a recent FR alert, the Illinois Attorney General has held that text messages sent by city officials on their personal cell phones were subject to FOIA because they were “used by” the public body, even though the public body argued that the records were not in its possession or control. Under the same reasoning, messages by an employee on a personal social networking account could be considered to be “used by” the public body and subject to a FOIA request. Yet, under the Act, a public employer would be prohibited from requiring access to those same records.
Similarly, the Act could prevent employers from responding to discovery requests in litigation, where an adverse party was seeking relevant evidence contained in an employee’s social networking account. One prominent discovery consultant’s survey located thousands of court cases in state and federal courts in the past two years on subjects ranging from employment-related litigation to insurance claims to general business litigation that involved evidence from social media outlets. Given these uncertainties, employers should take care when conducting investigations and responding to FOIA and litigation requests so as to not unintentionally violate the Act.
In light of the new statute, employers are well advised to review their social media and information technology policies to ensure they meet the Act’s mandate. Employers still maintain the right, however, to monitor and restrict use of social media and other information technology in the workplace.