State legislatures are enacting employee social media privacy laws fast and furious.
In their wake, they leave confusion. To address the confusion, this post offers sample employment policy language.
Many States, Many Standards
California Assembly Bill 1844 says an employer may not require an employee to “Disclose a username or password for the purpose of accessing personal social media.”
AB 1844 broadly defines “social media” as “electronic content,” including but not limited to email, video and so on. It also broadly defines “social media” as “an electronic service or account.” So, under AB 1844, social media means much more than Facebook and Twitter.
Non-Uniformity of Law
California is just one state. Other states like Illinois and Maryland have enacted legislation on roughly similar topics, but each state uses different words and standards.
This proliferation of non-uniform laws makes it difficult for an employer to craft policy. Many employers have employees who are mobile, spread geographically and operating on the Internet, where jurisdiction is overlapping and confused. Does California law apply? Or is it Illinois law, or Maryland law? What’s more, any policy you write today could tomorrow run afoul of new legislation enacted in Maine, or Alberta . . . or Japan.
Holding Employers Accountable
Law generally expects an employer to supervise or be accountable for what an employee is doing within the scope of his employment, whether the employee is doing it by way of an automobile, the postal service, face-to-face communications, or “social media” like email, video, text messages and online accounts.
For example, if an employee, like an executive, uses email, video or Facebook to represent himself as an agent of the employer, the employer could be held accountable for the contracts formed through these media. Further, the employer could need access to the executive’s social media records to show compliance with regulations, or just to know (for purposes of internal control) what the executive told a subordinate to do.
Dividing Personal Media and Work Media?
California’s Senate Bill 1349 protects “personal social media”; the implication is that it does not protect media used for “work” or “business.”
But it is easy for personal media and work media to get mixed up. It is common, for example, for an employee to use a Gmail account for both personal communications and business communications.
How should the employer and employee divide these two kinds of media when they are mixed? The legislature does not explain.
Lawsuits Over Ownership and Control
Employers and employees have fought in court over who owns a social media account. Linda Eagle argued unsuccessfully in federal court that her former employer, Edcomm, violated the federal Computer Fraud and Abuse Act when it locked her out of a LinkedIn account that she had started and had used partially for her own purposes. The court sided with the employer, noting that Ms. Eagle had shared log-on credentials with other Edcomm employees and had transacted some business through the account on behalf of Edcomm.
How to Write BYOD Policy?
This blog features a series of posts on how to write policy for “bring your own device” (BYOD). The series recognizes that the BYOD topic covers more than just “devices”; it also covers service accounts like Gmail and LinkedIn. In other words, the series covers what California AB 1844 defines as “social media.”
The series views BYOD “policy” between employer and employee as embracing more than just policy. It offers language for a contract between the employer and employee.
What do you think of the following sample BYOD clause?
If an employee makes any substantial use of a Service for work, then the employee grants to employer the option to acquire ownership (all of the employee’s right, title and interest) to the Service, at any time, for ten dollars.
This clause attempts to provide a clear resolution to the question of who owns an account when an employee uses the account for business.
Avoid Accessing Personal Content?
Suppose a California employer were to invoke the quoted BYOD policy clause, pay $10, and take control of an account. Would the employer normally be wise to access the employee’s personal content in that account? I’d say no.
However, the employer may need to control the account and access business-related content. The employer might be wise to take steps (such as using a third party to search the account) to find the business content, while ignoring the personal content.
Dear Reader: What do you think of the clause I propose above?
–Benjamin Wright
Mr. Wright teaches the Law of Data Security and Investigations at the SANS Institute.
See other posts in this BYOD series:
Part 1
Part 2
Part 3
Part 4
How to Confiscate Phone or Other Device