In today’s computer-saturated culture, people from 8 to 80 have social media accounts to connect and keep in touch with family, friends, and business contacts. Many cell phones have capabilities exceeding those of the highest-powered computers of only a few years ago. Workers today use their phones, tablets, and portable computers to stay connected wherever they are, sometimes 24 hours a day, 7 days a week. Many people’s business and social lives are closely intertwined, with friends, professional colleagues, clients, and coworkers interacting regularly on the same social media accounts.
The erosion of the boundaries between work and personal life can allow employees greater freedom and flexibility, which can enhance productivity and promote loyalty and employee engagement. But it can also present serious concerns about the integrity and security of company data, trade secrets, and protected information.
Balancing Employer and Employee Rights
“Social media” is broadly defined under Oregon law as any “electronic medium that allows users to create, share and view user-generated content, including, but not limited to, uploading or downloading videos, still photographs, blogs, video blogs, podcasts, instant messages, electronic mail or Internet website profiles or locations.” The definition encompasses standard social media venues like Facebook, Twitter, LinkedIn, Pinterest and Instagram as well as websites, blogs, and any other electronic social sharing platform.
Oregon has been a pioneer in writing legislation to address social media issues as they relate to employee issues. Revisions that changed and refined the existing law became effective January 1, 2016. Under the law as it now stands, employers cannot require an employee or applicant to
- Establish and maintain a personal social media account;
- Provide a login/password (or other means of authentication) so the employer can access non-public sections of a personal social media account;
- Add the employer to the list of contacts associated with a social media website (e.g., “friend” or “connect with” the employer);
- Access a personal social media account in the presence of the employer in a manner that allows the employer to view contents that are not accessible by the public; or
- Authorize the employer to advertise on the applicant or employee’s personal social media account.
It is illegal to discharge or discipline an employee or refuse to hire an applicant for failing to do any of the foregoing.
Oregon’s protections are designed to ensure that employees are able to have their own social media spaces, outside the bounds of their employment, or choose not to have any social media presence at all. But these protections aren’t absolute – the law allows employers to gain access for legitimate reasons, including workplace investigations and compliance with subpoenas or other legal directives.
Further, it is becoming incredibly difficult to define what is outside the bounds of employment. The social media law only applies to social media accounts that are entirely personal, and which have not been provided by the employer. A “personal social media account” is defined by current Oregon law as “a social media account that is used by an employee or applicant for employment exclusively for personal purposes unrelated to any business purpose of the employer or prospective employer and that is not provided by or paid for by the employer or prospective employer.”
However, many employers now pay for employees to have enhanced access to social media sites, which could transform an employee’s personal site into one related to his or her employment such that it isn’t protected by the law. An employer can also require that employees maintain work-related social media accounts (such as a profile in an internal, company-wide social account), or handle social media business accounts.
BYOD Blurs the Line Between Work and Play
In practice, many workers now access work-related material on their own electronic devices (as well as personal material on their work-issued electronic devices). A “bring your own device” (“BYOD”) policy is the practice of allowing the employees of an organization to use their own computers, smartphones, or other devices for work purposes. Many employees appreciate the ability to use the devices of their choice, often partially paid for by their company, and companies appreciate that employees are happy and accessible (and willing to share the cost of cutting-edge connectivity). Under BYOD policies, employees access work-related information in a variety of ways, including directly through applications (like shared projects in applications such as Evernote), through portals on the Internet, and through electronic mail services such as Outlook that can provide access to a number of email accounts and thereby commingle personal and business data.
Employers frequently access the employees’ BYOD devices for reasons ranging from installing software, performing maintenance, or troubleshooting problems to complying with subpoenas, court orders, or workplace investigations. An employer runs the risk of accessing personal and private sections of social media profiles or personal email on a BYOD that it is not legally permitted to access. The law provides an exception for employers who inadvertently gain knowledge of an employee’s access information by monitoring usage of the employer’s network or employer-provided devices. The employer is not liable unless it uses the access information to access the employee’s personal social media accounts. However, it’s not clear what happens if the employer lawfully accesses an employee’s personal phone, used as a result of a BYOD policy, and sees notifications or other automatically available information related to these private sites.
Why Does the Line Matter?
It can be extremely difficult to figure out what information on an employee’s phone is related to his work – in which his employer has rights – and what information constitutes the employee’s personal data.
Because social media makes it easier to share and disseminate information, employers must be extra vigilant if employees utilize their personal devices under a BYOD policy and also have access to trade secrets, confidential information, or regulated data. Many social media applications have automatic settings allowing access to wide swaths of data stored on a user’s device. These applications could result in data breaches, unauthorized third-party access, accidental violations of confidentiality agreements, and disclosures of trade secrets. Employees who use their own devices to access sensitive or confidential information may not be able to maintain the necessary level of data security if they also access social media on their devices. It is therefore imperative that employers hire competent IT professionals to evaluate their confidentiality needs and ensure that employees are able to comply with those confidentiality requirements under a BYOD policy.
BYOD policies make safeguarding a company’s proprietary, confidential, and client data more challenging than ever. Employers can use both policies and technology to protect the separation of their employee’s personal data and social media from the company’s trade secrets and confidential information. An unambiguous written policy that delineates the respective rights and responsibilities of the employer and the employee with regard to accessing information and maintaining security under a BYOD policy will be important should a breach or dispute arise. Such a policy can include restrictions on the types of applications and amount of access to social media that employees have on their BYOD-approved devices, and must include continuing oversight by information technology professionals to ensure that company data and intellectual property remains secure. An experienced intellectual property attorney can provide valuable assistance in the preparation of effective BYOD policies, in coordination with a company’s IT personnel and consultants.