Some state legislatures are passing laws to restrict the ability of employers to see the social network pages of employees.
The Illinois Legislature passed House Bill (HB) 3782, amending the state’s Right to Privacy in the Workplace Act. I hear the governor is expected to sign HB 3782 into law, but I have not seen confirmation of that.
HB 3782 confuses me.
A Confusing Chain of Verbs
HB 3782 contains the following long sentence:
“It shall be unlawful for any employer to request or require any employee or prospective employee to provide any password or other related account information in order to gain access to the employee's or prospective employee's account or profile on a social networking website or to demand access in any manner to an employee's or prospective employee's account or profile on a social networking website.”
Notice how many times the sentence uses the word “to” followed by a verb. When I get to the words “or to demand access . . . ,” I’m not exactly sure how that last part of the sentence connects with the preceding words in the sentence. But I guess that the legislature meant: “It shall be unlawful for any employer . . . to demand access in any manner to an employee's or prospective employee's account or profile on a social networking website.” (What do you think, dear reader?)
I understand the legislature’s desire to protect employee privacy relative to matters that do not relate to employment. But the legislature’s words seem to go farther than that desire. Imagine the following scenario:
If the employer sues the executives for theft, it might be hampered in its ability to get justified access to the evidence. Under the rules of civil discovery in litigation, the employer would normally demand disclosure of the evidence in the Google Plus circle. But the executives would stymie the employer by citing the precise words of HB 3782. The employer may not “demand access in any manner”!
Construing the Words Narrowly Still Impedes the Employer
Ok. Maybe I’m misinterpreting the words of HB 3782 because I am reading them too literally, and I am forgetting that the spirit of HB 3782 is just to protect privacy of weak employees, not to enable powerful executives to steal.
Maybe a court would understand the true spirit of HB 3782 and construe it narrowly to mean this: Although the employer cannot be given direct access to the Google Plus circle, it can demand under the rules of e-discovery in civil procedure individual relevant records – one-by-one – from the Google Plus circle.
However, this interpretation could still thwart the employer’s justified need to see the Google Plus circle. The theft is subtle, elaborate and interactive. It may become apparent only when the Google Plus circle is accessed in its fullness, and one tests all of its functionality, interactivity and interconnectedness. If the employer cannot force the executives to disclose the whole scheme, as it operates inside the Google circle, the employer may not obtain the evidence necessary to convince a judge and jury that theft had occurred.
HB 3782 is poorly drafted and could make it unjustifiably difficult for an employer to investigate theft and other wrongdoing by employees.
Mr. Wright teaches the law of data security and investigations at the SANS Institute.