That's Private? The Employee Online Privacy Act of 2014

Are there any two words that don’t belong in the same sentence more than “online” and “privacy”? Online activity, especially social media posts, are by their nature intended for a broad audience.  But that didn’t stop the Tennessee legislature from passing the “Employee Online Privacy Act of 2014” which was signed into law by Governor Haslam earlier this year.
This new law could have an impact on employers who check an employee’s or applicant’s online activity before making a hiring, promotion, or other employment decision.

The Employee Online Privacy Act prohibits employers, including state and local government entities, from requesting or requiring an employee or an applicant to disclose online activity, like email, Facebook, and twitter accounts. Specifically, the new law prohibits employers from doing the following:

1. Requesting or requiring an employee or an applicant to disclose a password that allows an employer to access the employee’s or applicant’s personal internet account;
2. Compelling an employee or an applicant to add the employer to his or her list of contacts associated with a personal internet account;
3. Compelling an employee or an applicant access a personal internet account in the employer’s presence in a way that enables the employer observe the contents of the employee’s or applicant’s personal internet account; or
4. Taking an adverse action, failing to hire, or otherwise penalizing an employee or applicant because of a failure to disclose information or take an action specified above.

A "personal Internet account" is an online account used by an employee or applicant exclusively for personal communications unrelated to any business purpose of the employer. It doesn’t include an online account created, maintained, used, or accessed by an employee or applicant for business-related communications or for a business purpose of the employer.

In addition to setting out prohibitions, the Employee Online Privacy Act also identifies actions that employers are not prohibited from taking. Specifically, under the new law, employers are explicitly permitted to:

1. Request or require an employee to disclose a username or password required to access an electronic communications device that was provided by or paid for (in whole or in party) by the employer, or an account or service that was provided by the employer that was obtained by virtue of the employee’s employment relationship with the employer, or used for the employer’s business purposes;
2. Discipline or discharge an employee for transferring the employer’s proprietary or confidential information or financial data to an employee’s personal internet account;
3. Conduct an investigation or require an employee to cooperate in an investigation in certain situations;
4. Restrict or prohibit an employee’s access to certain websites while using equipment or systems provided by the employer;
5. Monitor, review, access, or block electronic data stored on equipment or a network provided by the employer;
6. Comply with a duty to screen employees or applicants before hiring or to monitor or retain employee communications as required by federal or state law, for purposes of employment in law enforcement, or for purposes of an investigation into law enforcement officer conduct performed by a law enforcement agency; or
7. View, access, or use information about an employee or applicant that public or is available in the public domain.

The law has teeth. An employee or applicant who alleges that an employer has violated the Act may file a civil action against an employer for injunctive relief and may recover up to $1,000 in damages for each violation against the individual plus reasonable attorney fees and court costs.   Additionally, the attorney general may file a civil action against an employer on behalf of an employee or applicant. If the court finds a violation, it must award the state up to $1,000 for each violation found.

The law also specifically states that it does not create a duty for employers to search or monitor the activity of a personal internet account, and states that an employer shall not be liable for a failure to request or require an employee or applicant to allow access to an employee’s or applicant’s personal internet.

The new law is effective January 1, 2015.

Next year, employers will need to exercise additional caution when reviewing an employee’s or applicant’s online activity when making employment decisions.  It is significant that the law does not prohibit employers from accessing publicly available information.  However, employees and applicants are likely to misinterpret the scope of the law’s restrictions, which could result in additional headaches for employers.

Before the law becomes effective, employers should examine their policies for accessing online information in connection with making employment decisions to ensure that the employer is following best practices that not only comply with the law but also minimize the employer’s exposure to litigation risks.

So much social media, so little time

I just read (thanks, @MollyDiBi) about an attorney in Indiana who was fired for tweeting his views on how pro-labor protesters in Wisconsin should be handled. Perhaps an employee management course is in order for him? But I digress.

I read about this shortly after giving a presentation to a client's workforce about social networking, the workplace, and the blurry line that defines who they are professionally from who they are personally.

Some employees think it's unfair that they aren't allowed to "speak their minds" on matters that are important to them. I fall into that category from time to time (more so during The University of Tennessee's football season than other times of the year). The reality, though, is that we are "followed" by more than just our closest friends on Facebook, Twitter, LinkedIn and blogs. Thus, many people don't know us well enough to understand when it is "Laura A. Steel, attorney at law" speaking versus "Laura Steel Woods, rabid UT fan" speaking.

And that's our trade-off for participating in, and allowing employees to participate in, the social media web. I'm fine with that exchange since I understand my firm's policy on taking stands and sharing views. Are your employees familiar with your policy? If you aren't sure, it's best to over-educate than to learn the hard way that someone thought her innocuous post about the Communism-inspired traffic light cameras actually stirred up a little trouble in the community.

Tweeted? Friended? MySpaced?

Feels as though I need a dictionary for my dictionary now that so many words are taking on new, techno-based meanings.

You have heard about the Twitter explosion over the last year. You probably have a Facebook page. You may even have a MySpace page, DIGG account, or bookmarks on Delicious. If you have those connections, your employees, most of them, anyway, probably do as well.

The social media push may have you examining your handbook for policy update needs. Your electronic media policy may be so broad that you're already covered. If you're not, though, hold tight before crafting an entirely separate policy. A tack-on to a computer/equipment use policy can address any privacy expectations (there are very few legitimate ones in the workplace). A sentence to your anti-harassment/-discrimination policy can cover the social media outlets.

In short, keep it short. No need to add another page to your handbook over sites meant to break communication down into 140 words or less.