A Publication of Pepper Hamilton LLP
Be Careful What You Ask For: Michigan Limits Employer Access to Personal Social Media
Tuesday, February 12, 2013
Michigan’s Internet Privacy Protection Act (IPPA) prohibits employers from gaining access to applicant and employee personal Internet accounts. When the IPPA became effective on December 28, 2012, Michigan joined Maryland, whose law took effect on October 1, 2012, and California and Illinois, whose laws became effective January 1, 2013. Similar statutes have been introduced in ten other states, including Pennsylvania and New York. California, Delaware, Michigan and New Jersey already have laws applying to academic institutions. A common objective of these laws is prohibiting employers from requiring applicants or employees to disclose username or passwords or otherwise accessing personal social media, such as LinkedIn, Facebook and Twitter. Employers are prohibited from failing to hire, disciplining, or discharging, or otherwise penalizing an applicant or employee who declines an employer’s request to provide access to his or her social media accounts. Violations of Michigan’s IPAA are considered a misdemeanor punishable by a fine of not more than $1,000. Aggrieved individuals may also bring a civil action to enjoin the violation and may recover up to $1,000 in damages plus reasonable attorney fees and court costs.
While the language of the statutes may differ slightly, the laws generally afford employers the right to request and require an employee to disclose information to access:
- an electronic communications device paid for by the employer, and
- an account or service provided by the employer, obtained by virtue of the employee’s employment relationship with the employer, or used for the employer’s business purposes.
Moreover, employers may conduct an investigation or require an employee to participate in an investigation:
- if there is specific information about activity on the employee’s personal Internet account, for the purpose of ensuring compliance with applicable laws, regulatory requirements, or prohibitions against work-related employee misconduct, or
- if the employer has specific information about an unauthorized transfer of the employer’s proprietary information, confidential information, or financial data to an employee’s personal Internet account.
Based on such investigations, employers are permitted to discipline or discharge an employee for transferring the employer’s proprietary or confidential information or financial data to an employee’s personal Internet account without the employer’s authorization.
Michigan employers are not prohibited from:
- restricting access to certain Web sites while using an electronic communications device paid for by the employer or while using an employer’s network or resources, in accordance with state and federal law;
- monitoring electronic data stored on an electronic communications device paid for by the employer, or traveling through or stored on an employer’s network, in accordance with state and federal law;
- complying with a duty to screen employees or applicants prior to hiring or to monitor employee communications established under federal law or by a self-regulatory organization as defined in the Securities and Exchange Act of 1934; and
- accessing information about an employee or applicant that can be obtained without any required access information or that is available in the public domain.
Unlike any other state’s social media laws, the IPPA expressly states that it does not create a duty for an employer to search or monitor the activity on a personal Internet account. Thus, individuals who may be injured by violent employees, for example, cannot assert negligent conduct by an employer solely because the employer failed to request or require that an employee or applicant disclose information that would allow access to a personal Internet account containing information of possible criminal or violent activities or inclinations.
Courts balance the privacy interests of individuals using social media sites with the legitimate interests of employers in protecting their proprietary and confidential information. Employers would be well advised, if they have not yet done so, to create social media and Internet policies that explain the rights of employers to monitor employees’ activity in social media.
Contact either of the authors or any member of Pepper’s Labor and Employment Practice Group for assistance in designing such social media and Internet policies.
Robert C. Ludolph and Adam Wolfe
The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.
View the PDF version