<b><i>Online Extra</b></i> Social Media Privacy Laws and the Financial Industry

Social Media Privacy Laws

To date, 13 states have enacted laws that prohibit employers from requesting job applicants' and/or employees' passwords to their social media accounts. These bills attracted broad, bipartisan support. Thirty-six additional states have introduced similar legislation, or have legislation pending.

[IMGCAP(1)]

Federal legislation is also pending. The Social Networking Online Protection Act, introduced by Representative Eliot Engel (D-NY), calls for a nationwide ban on the practice of requesting access to employees' and applicants' personal accounts. Additionally, the Password Protection Act, introduced by Representative Ed Perlmutter (D-CO), would 'prohibit employers from taking adverse actions against employees for refusing to disclose such passwords and [make] employees ' eligible to receive compensatory damages and injunctive relief' in case of violations.

Several State Laws Conflict with FINRA and SEC Regulations

Many employers have no issue creating a policy that prevents employers from requesting applicants' or employees' social media passwords. 'Do not ask' policies comply with states' recently enacted social media laws and help protect employers from discrimination lawsuits.

Employers in the financial industry, however, have legitimate business reasons for viewing employees' private websites. This is where problems with states' password protection laws can arise.

The Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC) have made it clear that companies these agencies regulate need to monitor employees' social media accounts to maintain security. FINRA's rules state that securities firms must 'adopt policies and procedures reasonably designed to ensure that their associated persons who participate in social media sites for business purposes are appropriately supervised.' FINRA's regulations apply regardless of whether the use of social media is 'conducted from a device owned by the firm or by the associated person.' FINRA Regulatory Notice, 11-39 (August 2011).'

Investment advisers and broker-dealers also have record-keeping requirements, which demand that employers record certain communications made through social media sites. Thus, several investment firms require employees to disclose personal social media usage and their login information. Access to broker-dealers' passwords enables employers to monitor and maintain records and follow up on misuse of social media.

Federal laws demand more supervision of investment advisers than permitted by states' recently enacted social media laws. As a result, employers of financial advisers may unwittingly violate states' password protection laws while following FINRA and SEC compliance regulations. Alternatively, if employers elect to follow state laws that prohibit requesting employees' social media passwords, they may be slapped with fines from FINRA and/or the SEC.

What Employers of Financial Advisors Should Expect

There is a solution to resolve the conflict between states' social media laws and federal compliance regulations of the financial service industry. Legislators can carve out an exception in state laws permitting employers in the finance industry to monitor employees' social media accounts. Creating this exception would allow financial institutions to follow other requirements of the state's social media laws, while abiding by SEC and FINRA regulations.

In the rush to rally bipartisan support around a seemingly uncontroversial subject, many states appear to have missed this conflict with FINRA and SEC requirements. Some states, however, have begun to take notice. Illinois, for example, recently amended its password protection law, which now permits employers to screen applicants' or employees' websites where the information sought relates to a professional account used by the employee for a business purpose. Additionally, Illinois employers may now monitor or retain employee communication as required by FINRA and the SEC.

While several other states' password protection laws include narrow exceptions, other states' laws fail to provide these carve-outs. The states that provide exceptions generally permit employers who are complying with state and federal laws, regulations, and rules to request applicants' and employees' login information, even if they do not explicitly refer to FINRA or SEC requirements. As of this writing, the following states with legislation on the books do not recognize that certain employers have both legal and legitimate business obligations to consistently monitor personal social media use: California, Michigan, New Jersey, Utah, and Vermont.

If a state's password protection law is challenged in federal court, a court will likely find that federal securities laws approved by the SEC preempt conflicting state law. No court, however, has yet addressed the conflict between state social media statutes and federal securities laws.

Employers, attorneys, and legislators are still flushing out these issues. Stay tuned.

Lily Strumwasser'is an attorney in the Chicago office of Seyfarth Shaw in the area of labor and employment law. She publishes regularly on a variety of employment and litigation topics, including social media compliance issues, focusing on best practices to avoid litigation and develop internal compliance initiatives. She can be reached at'[email protected].'

More than one billion people worldwide have registered accounts with Facebook. People display personal information, pictures, and videos for friends, family, and even strangers to view. Many employers use publicly available Facebook pages, Twitter feeds, and other social media outlets as screening tools for job applicants. And they may also use them as a way to monitor employees. After all, a picture is worth a thousand words.

A handful of employers, however, have pushed their due diligence even further than standard Internet searches. For example in 2006, Fox News reported that a sheriff's office in McLean County, IL, asked a job applicant to sign into his social media account during an interview. In 2009, ABC News reported that the city offices of Bozeman, MT, required all applicants to provide their login information to social media websites. More recently in 2012, the Associated Press ran a story about an employer who asked an applicant to turn over his social media password during an interview.

These stories generated countless headlines, and the media attention triggered responses from employers, lawyers, and legislators across the nation. Despite the relentless attention the public has given the topic, reported instances of employers that have requested such information can be counted on two hands.

Social Media Privacy Laws

To date, 13 states have enacted laws that prohibit employers from requesting job applicants' and/or employees' passwords to their social media accounts. These bills attracted broad, bipartisan support. Thirty-six additional states have introduced similar legislation, or have legislation pending.

[IMGCAP(1)]

Federal legislation is also pending. The Social Networking Online Protection Act, introduced by Representative Eliot Engel (D-NY), calls for a nationwide ban on the practice of requesting access to employees' and applicants' personal accounts. Additionally, the Password Protection Act, introduced by Representative Ed Perlmutter (D-CO), would 'prohibit employers from taking adverse actions against employees for refusing to disclose such passwords and [make] employees ' eligible to receive compensatory damages and injunctive relief' in case of violations.

Several State Laws Conflict with FINRA and SEC Regulations

Many employers have no issue creating a policy that prevents employers from requesting applicants' or employees' social media passwords. 'Do not ask' policies comply with states' recently enacted social media laws and help protect employers from discrimination lawsuits.

Employers in the financial industry, however, have legitimate business reasons for viewing employees' private websites. This is where problems with states' password protection laws can arise.

The Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC) have made it clear that companies these agencies regulate need to monitor employees' social media accounts to maintain security. FINRA's rules state that securities firms must 'adopt policies and procedures reasonably designed to ensure that their associated persons who participate in social media sites for business purposes are appropriately supervised.' FINRA's regulations apply regardless of whether the use of social media is 'conducted from a device owned by the firm or by the associated person.' FINRA Regulatory Notice, 11-39 (August 2011).'

Investment advisers and broker-dealers also have record-keeping requirements, which demand that employers record certain communications made through social media sites. Thus, several investment firms require employees to disclose personal social media usage and their login information. Access to broker-dealers' passwords enables employers to monitor and maintain records and follow up on misuse of social media.

Federal laws demand more supervision of investment advisers than permitted by states' recently enacted social media laws. As a result, employers of financial advisers may unwittingly violate states' password protection laws while following FINRA and SEC compliance regulations. Alternatively, if employers elect to follow state laws that prohibit requesting employees' social media passwords, they may be slapped with fines from FINRA and/or the SEC.

What Employers of Financial Advisors Should Expect

There is a solution to resolve the conflict between states' social media laws and federal compliance regulations of the financial service industry. Legislators can carve out an exception in state laws permitting employers in the finance industry to monitor employees' social media accounts. Creating this exception would allow financial institutions to follow other requirements of the state's social media laws, while abiding by SEC and FINRA regulations.

In the rush to rally bipartisan support around a seemingly uncontroversial subject, many states appear to have missed this conflict with FINRA and SEC requirements. Some states, however, have begun to take notice. Illinois, for example, recently amended its password protection law, which now permits employers to screen applicants' or employees' websites where the information sought relates to a professional account used by the employee for a business purpose. Additionally, Illinois employers may now monitor or retain employee communication as required by FINRA and the SEC.

While several other states' password protection laws include narrow exceptions, other states' laws fail to provide these carve-outs. The states that provide exceptions generally permit employers who are complying with state and federal laws, regulations, and rules to request applicants' and employees' login information, even if they do not explicitly refer to FINRA or SEC requirements. As of this writing, the following states with legislation on the books do not recognize that certain employers have both legal and legitimate business obligations to consistently monitor personal social media use: California, Michigan, New Jersey, Utah, and Vermont.

If a state's password protection law is challenged in federal court, a court will likely find that federal securities laws approved by the SEC preempt conflicting state law. No court, however, has yet addressed the conflict between state social media statutes and federal securities laws.

Employers, attorneys, and legislators are still flushing out these issues. Stay tuned.

Lily Strumwasser'is an attorney in the Chicago office of Seyfarth Shaw in the area of labor and employment law. She publishes regularly on a variety of employment and litigation topics, including social media compliance issues, focusing on best practices to avoid litigation and develop internal compliance initiatives. She can be reached at'[email protected].'