Employee Privacy in Social Networks | Poor Draftsmanship in Illinois

Some state legislatures are passing laws to restrict the ability of employers to see the social network pages of employees.

The Illinois Legislature passed House Bill (HB) 3782, amending the state’s Right to Privacy in the Workplace Act. I hear the governor is expected to sign HB 3782 into law, but I have not seen confirmation of that.

HB 3782 confuses me.

A Confusing Chain of Verbs

HB 3782 contains the following long sentence:

“It shall be unlawful for any employer to request or require any employee or prospective employee to provide any password or other related account information in order to gain access to the employee's or prospective employee's account or profile on a social networking website or to demand access in any manner to an employee's or prospective employee's account or profile on a social networking website.”

Notice how many times the sentence uses the word “to” followed by a verb. When I get to the words “or to demand access . . . ,” I’m not exactly sure how that last part of the sentence connects with the preceding words in the sentence. But I guess that the legislature meant: “It shall be unlawful for any employer . . . to demand access in any manner to an employee's or prospective employee's account or profile on a social networking website.” (What do you think, dear reader?)

Theft Scenario

I understand the legislature’s desire to protect employee privacy relative to matters that do not relate to employment. But the legislature’s words seem to go farther than that desire. Imagine the following scenario:

Social Circles

The employees are executives of the employer, and they have signed agreements not to abuse the employer’s intellectual property and business opportunities. They set up among themselves a closed Google Plus circle, that is, a social network account or profile protected by HB 3782. The purpose of the circle is to hatch an elaborate, interactive scheme – with formulas, spreadsheets, custom apps and inter-operating parts and software -- to create a business that competes with the employer. The scheme subtly steals the employer’s intellectual property and business opportunities.

If the employer sues the executives for theft, it might be hampered in its ability to get justified access to the evidence. Under the rules of civil discovery in litigation, the employer would normally demand disclosure of the evidence in the Google Plus circle. But the executives would stymie the employer by citing the precise words of HB 3782. The employer may not “demand access in any manner”!

Construing the Words Narrowly Still Impedes the Employer

Ok. Maybe I’m misinterpreting the words of HB 3782 because I am reading them too literally, and I am forgetting that the spirit of HB 3782 is just to protect privacy of weak employees, not to enable powerful executives to steal.

Maybe a court would understand the true spirit of HB 3782 and construe it narrowly to mean this: Although the employer cannot be given direct access to the Google Plus circle, it can demand under the rules of e-discovery in civil procedure individual relevant records – one-by-one – from the Google Plus circle.

However, this interpretation could still thwart the employer’s justified need to see the Google Plus circle. The theft is subtle, elaborate and interactive. It may become apparent only when the Google Plus circle is accessed in its fullness, and one tests all of its functionality, interactivity and interconnectedness. If the employer cannot force the executives to disclose the whole scheme, as it operates inside the Google circle, the employer may not obtain the evidence necessary to convince a judge and jury that theft had occurred.

Conclusion

HB 3782 is poorly drafted and could make it unjustifiably difficult for an employer to investigate theft and other wrongdoing by employees.

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

About

Benjamin Wright is an attorney in private practice. He teaches the Law of Data Security and Investigations for the SANS Institute. He is author of The Law of Electronic Commerce (published by Wolters Kluwer) and Business Law and Computer Security (published by SANS). He helps others navigate the law of data compliance, including privacy, e-commerce, e-discovery, cloud contracts, records management and cyber investigations.

He is spotlighted in the book The Devil Inside the Beltway for his uncommonly insightful advice to LabMD in its now famous information security law dispute.

Public Statements Are Not Legal Advice

None of Mr. Wright's public statements, such as remarks on blogs, twitter, youtube web pages, social media and the like, are guaranteed for accuracy or are legal advice for any particular situation. You use the ideas in those statements at your own risk. If you need legal advice, you should consult a lawyer.

Mr. Wright's blogs, updates, tweets, web comments, youtube videos, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer.

Mr. Wright does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Wright has done anything illegal or unethical, he asks that person promptly to telephone him at 1.214.403.6642. Promptness helps mitigate damage.

Any person accessing any of Mr. Wright's blogs, tweets, profiles, comments, web pages or other public activities or statements agrees not to use data from them in a way that is adverse to Wright's interests.

No Advertisement

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Communication with Mr. Wright via private message does not, in itself, create an attorney-client relationship.

Privacy/Security Vision

Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

IMPORTANT Confidentiality Notice

Benjamin Wright is licensed as an attorney. Some of Mr. Wright's non-public records stored in the cloud are confidential and subject to protections associated with attorney work and communications. The laws of many countries recognize such protections. Mr. Wright insists that you recognize those protections with respect to his records and communication.

Relationships

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has earned money from some organizations he mentions online, such as Messaging Architects/Netmail, SANS Institute and LabMD.

Attribution

Some images, sounds and font output associated with Wright's work and comments are copyrighted by Corel Corporation or its licensors or partners like iStockphoto; they reserve all their rights. Some images are declared on wikimedia to be public domain. Mr. Wright strives to respect IP rights, but sometimes technology behaves in surprising ways. If you are an IP owner and you have a problem with something published by Mr. Wright, please telephone him promptly. Trademarks are property of their respective owners.

Dallas, Texas. Tel: +1.214.403.6642

InfoSec & Forensics Law

Employee Privacy in Social Networks | Poor Draftsmanship in Illinois

No comments:

Post a Comment

SANS Quote

How to Get Electronic Evidence

Government Agency & School Records