In our last article, we discussed the importance of developing privacy and cybersecurity policies to address potential risks arising from employees who use third-party file-hosting services to store company data. We thereby emphasized the reality that if you have employees with laptop computers, some proportion of them is bound to be storing company data on assets that your company does not control. In this article, we consider an inevitable corollary to that reality: Some proportion of your employees (probably a significant portion of them) are using online social media — from Facebook to Twitter to Instagram, to name a few — in ways that your company does not control.
Now, in developing privacy and cybersecurity policies to address this reality, it is important to recognize that such policies must serve not only to protect company confidences, but also to ensure that company personnel do not inadvertently violate a host of new state laws protecting employee use of social media. For example, on May 23, 2014, Louisiana Governor Bobby Jindal signed into law the Personal Online Account Privacy Protection Act. Under the Act, an employer may not “[r]equest or require an employee or applicant for employment to disclose any username, password, or other authentication information that allows access to the employee’s or applicant’s personal online account.” “Personal online account” includes any online service that an employee “uses exclusively for personal communications unrelated to any business purpose of the employer.” In short, under Louisiana law, it is now generally illegal for employers to ask or require that employees hand over the passwords to their private Facebook or Twitter accounts.