Here's how to go about protecting employee passwords the right wayBy http://profile.typepad.com/1237764140s22740 // January 17, 2013 in Legislation & Public Policy, Password Protection Laws, Social Media
The takeaway from our project to grade legislative definitions of social media may be this: legislatures, don't do it.
You'll get it wrong, you'll define a set of services that may be gone tomorrow, and you'll miss addressing the broader problem.
If you're going to legislate to protect employee internet behavior from overreaching employers, don't get distracted by narrowly defining the genus that would contain Facebook.
It's no accident that the internet lawyers grading the work of California, Delaware,Illinois, Maryland, Michigan and New Jersey prefer Maryland's statute. Maryland chose to avoid defining "social media" or "social networking site." Instead, the Maryland statute focuses on whether the circumstance at hand involves a user name or password, and leaves vague the nature of the account or service to which the user name or password relates.
Pulling the project's critique into sharpest focus is an alternative definition proposed by one of our graders, Kyle Hulten:
“'Personal Internet account' means any personal account for a password protected Internet based service."
Kyle explains his definition this way:
"[I]t’s simple to understand and it’s appropriately broad. I understand there may be some whom are uncomfortable with the ambiguity in the definition of 'personal account' but that’s language I trust a judge can interpret."
The comments of another of our graders, Venkat Balasubramani, contains additional advice to legislatures. It's great stuff, and if you follow how Venkat keeps up on the Technology & Marketing Law Blog with the subject of ownership of social media accounts, you'll know his view is informed by a close reading of all the recent cases on the subject:
"One thing drafters should worry about is whether these laws may unintentionally prevent the employer from trying to get access to mixed accounts (used for both business and personal) that were created or accessed by the employee after the employment relationship commenced. The few 'ownership' disputes over social media accounts that we've seen (along with personal experience) indicate that accounts are typically mixed — there's no clear factual answer of whether the account properly belongs to either the employer or the employee. I think a carveout that somehow makes clear that these statutes are not intended to alter ownership rules would be useful or something to consider."
That's not all. Venkat thinks that legislatures might do well to anticipate mischief resulting from (mis)use of Klout-like services:
" . . .I would consider whether 'social media credit checks' are covered by the statute. If a service aggregates publicly available data and makes certain judgments about you, should this information be off-limits to employers?"
Like Kyle, Venkat also offered thoughts on how to approach drafting legislation in this area:
"I would go with something pretty minimalist. 'A social media account is any network-based service that allows you to post or transmit content that's tied to a profile.' Then maybe box this in with private or public accounts. My qualm with most the of the definitions is that they try to get too granular and in doing this don't account for changes or new services. Also, they don't really do a good job of getting into the private vs. public distinction, which is really the most important thing."
Finally, I want to quote at length the comments of Doug Cornelius, publisher of Compliance Building, which came in after the Tuesday post went to press. Doug says there is a business solution to the problem that may obviate the need for legislatures to intervene:
"I applaud the legislative efforts, although I think they are using lots of energy when there are bigger problems. The problem should be addressed by the social media platforms. Not only should they fix the problem, they can probably turn it into a revenue source.
"In the financial services industry, there are regulatory requirements to monitor employees’ interactions with customers. That’s easy to do with platforms controlled by the firm, like email, but difficult with the ever-changing platforms in social media. The solution. The social media platform should allow a company to monitor an employee’s account provided the company pays a monitoring fee. Of course the employee will need to consent to the monitoring. The platform gets a revenue stream and the company gets the monitoring and record-keeping it needs. The employee ends up with 'big brother' but only if the company thinks it’s a big enough problem that it is willing to pay the monitoring fee."
By the way, Doug graded the six legislative efforts, too, and his ranking pretty much matched that of Tuesday's group. Which state do you suppose ranked best with Doug? You guessed it:
"Of the six, I find Maryland’s to be the best. It does not limit its scope to social media. Maryland just uses the term 'personal account or service' but does not try to define it."
My thanks again to Venkat Balasubramani, Jeremy Freeland, Jay Gairson, Kyle Hulten and Danan Margason for their work, insight and sense of fun in tackling this project. Thanks to Doug, too, for getting into the spirit and for the terrific contribution.
All of us, I noticed Tuesday and I notice again today, happen to be male. I do want it to be known that several lawyers I asked to participate are female; I guess they didn't have the inclination or else the time to participate.
Picture of Maryland State Senate by Mark Peters / Flickr.