The Just-Signed New Jersey Law

On Thursday August 29, New Jersey Governor Chris Christie signed revised legislation, namely A.B. 2878, which, among other restrictions, forbids employers to ask applicants or employees for their social-media or other online logins/passwords.  A few months back, on May 6, Gov. Christie had conditionally vetoed a prior iteration of the bill, asking that it not rein in employers so much.

For example, the Governor sought — and ultimately obtained by an August 19 unanimous vote — amendments that would allow employers to conduct various types of investigations and not prohibit “an employer interviewing a candidate for a marketing job . . . from asking about the candidate’s use of social networking so as to gauge the candidate’s technological skills and media savvy.”

Similar Laws in Force in a Dozen Other States

New Jersey joins the following 12 other states that have enacted similar bans since May 2, 2012:

Already in force: Arkansas; California; Colorado; Illinois; Maryland; Michigan; New Mexico; Utah; Vermont; and Washington

Taking effect soon: Nevada (10/1/13); and Oregon (1/1/14)

Some of those states’ statutes contain very broad prohibitions.  Others, like Michigan’s and New Jersey’s, grant employers some exceptions, usually encompassing workplace investigations.
Delaware has also enacted an analogous ban, which, although not directed at employers, focuses on universities vis-a-vis students.
For a very good recent article on the various approaches the states have taken, see Philip L. Gordon and Joon Hwang, Making Sense of the Complex Patchwork Created by Nearly One Dozen New Social Media Password Protection Laws, Workplace Privacy Counsel (July 2, 2013).

Controversy re: These Login/Password Bans

The wave of state legislation in this context is a privacy victory for employees, job seekers and/or students. But, from the management perspective, many have criticized the stricter of these laws as addressing a discrete (non-)issue with a blunt-instrument approach. See, e.g., Molly DiBianca, Michigan Enacts Social-Media Privacy Law, Delaware Employment Law Blog (Dec. 30, 2012).

Others have noted that a greater priority should be a modernization of the federal Electronic Communications Privacy Act (“ECPA”). Behnam Dayanim, Employee Privacy Forces Legislation, Recorder (Aug. 8, 2012) (“these ‘bullet bills’ … represent a missed opportunity both to update the SCA to reflect today’s technology and to re-engage . . . over the broader policy questions.”) (LEXIS ID and password needed).

Indeed, the federal Stored Communications Act (SCA) — Title II of the ECPA — is sorely in need of an update as its outdated provisions do not come close to addressing modern technology and 21st century methods of electronic communications. The SCA was passed in 1986 to try to address that new-fangled technology known as voicemail.

The only amendment to the SCA since its 1986 inception was via the USA PATRIOT Act, hastily passed just weeks after 9-11 to make it easier for prosecutors to obtain from Internet Service Providers the missives of potential terrorists. The SCA’s sister provision, the Wiretap Act — now Title I of the Electronic Communications Privacy Act (ECPA) — has barely been changed since way back in 1968, when wiretapping on phone calls was the primary concern.

Note, though, that the SCA has been interpreted many times by various federal courts to criminalize and provide civil damages for anyone who illicitly obtains an individual’s login credentials and then accesses a password-protected online environment. See Robert D. Brownstone, eWorkplace II White Paper (Apr. 3, 2012), at 19-20 (.pdf pp. 24-25).

But see also this brand new piece, Philip L. Gordon, New Jersey Court’s Decision Provides Roadmap For Access To Employees’ Restricted Social Media Content, Workplace Privacy Counsel (Aug. 27, 2013), which addresses a recent decision in a case whose prior opinion was discussed in Venkat Balasubramani, Accessing an Employee’s Facebook Posts by “Shoulder Surfing” a Coworker’s Page States Privacy Claim — Ehling v. Monmouth Ocean Hosp., Eric Goldman Blog (June 4, 2012).

As to a reboot of the ECPA for the 21st century, of course none of us — including our state legislators — can force Congress’ hand.

Congress Asleep at the Switch with SNOPA (why didn’t they call it “SNOOPA”?)

Speaking of Congress, don’t hold your breath for the oft-threatened ECPA reboot. As in the notice-of-data-breach context, the states have jumped in to fill the void in this arena because of Congress’ inaction. On the federal level, the “Social Networking Online Protection Act” (SNOPA) was introduced in the House as H.R. 5050 on April 27, 2012 and reintroduced on February 6, 2013. But the bill has languished with no activity since then.

Two Dozen More State Bills Pending

Approximately two dozen states have pertinent pending 2013 legislation (linking to 2012 legislation compilation). Some of those states are considering entering the fray for the first time. Others — California, Delaware, Illinois and Maryland — are contemplating beefing up or expanding their current provisions.

Open Issue = “Shoulder-Surfing”

Banning forced disclosure of logins/passwords has been the thrust of the pertinent statutes so far.   Thus, some of the enacted and pending bills have been silent as to the related practice of “shoulder-surfing” — namely, having an interviewee log into, e.g., her/his Facebook while the interviewer stands or sits behind the prospect so as to see all the private content to which the applicant is instructed to surf.

At first blush, conceptually shoulder-surfing seems quite similar to login/password access. But maybe there are differences, such as that the element of surprise might not allow an applicant the chance to “clean up” his or her social-media posts and friends/followers lists. And maybe some ban exceptions should exist in certain public sector situations.

Apparently, cities and counties like to be able to try to sniff out whether prospective cops have relatives or friends who are gang members. On the other hand, government action intruding into individual privacy is a constitutional law concern for public agency employers.

As to the various sides and aspects of the shoulder-surfing issue, see generally: Bob Sullivan, Govt. Agencies, colleges demand applicants’ Facebook passwords, NBC News (Mar. 6, 2012). And the above-linked Gordon/Hwang piece sheds some light on which of the first 12 password bans ostensibly did and did not address in-person shoulder-surfing — and on some do’s and don’ts (mostly don’ts).

The Future?

Stay tuned for developments in this area, as one state after another takes the plunge.

The Landscape of Electronic Workplace (eWorkplace) Technology Acceptable Use Policies

Every U.S. private and public sector employer should develop, maintain and enforce an effective, appropriate workplace technology-acceptable-use policy (“TAUP”). In large part, a TAUP is a no-expectation-of-employee-privacy (“NoEEP”) policy. Thus, to strive for maximum defensibility, every employer should keep up on two key tasks. First, it should have a coherently written acceptable-use policy adapted to modern technologies. Second, it should train – and periodically remind/re-train – its managers on the do’s and don’ts of consistent, appropriate enforcement.

The U.S. Supreme Court decision in City of Ontario v. Quon, 130 S. Ct. 2619 (June 17, 2010) culminated a long, cautionary tale with many lessons.  The key Quon defendant (a public sector employer) ultimately succeeded in fending off a Fourth Amendment challenge to enforcement of its acceptable-use policy when it reviewed the contents of a police officer’s text messages (to his wife and his mistress) sent on a city-issued pager.    

Yet the years of litigation could have been avoided if the employer, the city of Ontario, had been more disciplined in its written policy maintenance and less reckless in its policy-enforcement approach.

For a full discussion of the legal reasoning of the U.S. Supreme Court in Quon, see Brownstone eWorkplace Materials II, at 20-24 (.pdf pp. 25-29). For employees, Quon’s enduring lessons are: be mindful of what one commits to writing; and do one’s best to erect a divide between one’s personal and work-related communications. For employers — both in the public and private sectors — please read on below for my Top Ten post-Quon TAUP tips.

Top Ten TAUP Takeaways

10. Have a clear, bold, highlighted written provision covering – at least as to U.S. employees (EU countries’ privacy laws are much more employee-friendly) – NoEEP as to all information created, stored, received or transmitted on or by any system or device provided by the employer.

9. Decide whether to extend the NoEEP to all devices supported by (e.g., Outlook access) or cost-reimbursed by the employer [are you OK with BYOD?]; and then make the scope clear: a) in the written policy; b) to all supervisors/managers; and c) to all staff.

8.   Specify all employer rights, including to: monitor; search; access; inspect; and read.

7.   Give clear written notice to all employees and covered third parties allowed access to employer systems/networks.

6.   Be realistic as to “personal use” – strongly consider a “limited” or “incidental” exception, but with carve-outs for certain activities: violating the law or any other employer policy; interfering with the employee’s job performance; or aiming for personal pecuniary gain to the detriment of the employer.

5. Train new employees – and periodically retrain experienced ones – on key TAUP provisions, especially as to NoEEP.

4.  Train supervisors/managers on consistent, fair enforcement.

3.  In the trenches, do not overreach as to: an employee’s own attorney-client privilege; or the illicit obtainment – let alone use – of an employee’s personal login/password.

2. Provide an annual concise reminder summarizing key TAUP provisions, including employees’ right to discuss employment conditions.

1. Periodically – every two or three years? – review (and revise?) the TAUP so it’s: consistent with actual practices; and up-to-date as to current technology, e.g., smartphones, social media and “The Cloud”.

The “e” Big Picture

Always remember the Three E’s of compliance: Establish, Educate and Enforce, as propounded by Nancy Flynn of the ePolicy Institute <@ePolicyInstitut>. First, policy goals must be established. Second, once the policies are written, employees must be educated on the content. And, third, only then should technology be used as one enforcement/implementation mechanism – not as a magic bullet.

This post is based in part on “A Wake-up Call for 21st Century Employers”, Daily Journal (Sep. 29, 2010), which I co-authored with my colleague Sheeva Ghassemi-Vanni <@EmpLawSJGV>.