Eric Parzianello on the Internet Privacy Protection Act
By Steve Thorpe
Legislation signed on Dec. 28, 2012, by Gov. Rick Snyder will impose criminal and civil penalties on employers who request that an employee or applicant for employment permit access to or allow observation of that person’s “personal Internet account.” These personal Internet accounts include social media sites like Facebook and Twitter. The “Internet Privacy Protection Act” (“IPPA”) will also apply to educational institutions and would prohibit schools from requesting access to the accounts as part of their admission process. Eric Parzianello is a partner at Hubbard Snitchler & Parzianello PLC in Detroit where his practice is concentrated in employment law and commercial litigation at both the trial and appellate levels. He has argued appellate cases in the Michigan Supreme Court, the Michigan Court of Appeals as well as the United States Courts of Appeals for the Sixth and Seventh Circuits.
Thorpe: What problem does this new law address?
Parzianello: Increasing numbers of Americans use social media, both on and off the job. Recently, some employers have asked employees to turn over their username or passwords for their personal accounts. Some employers argue that access to personal accounts is needed to protect proprietary information or trade secrets and to prevent the employer from being exposed to legal liabilities. But others consider requiring access to personal accounts an invasion of employee privacy. State legislators across the country began introducing legislation in 2012 to prevent employers from requesting passwords to personal Internet accounts in order to get or keep a job. Some states have similar legislation to protect students from having to grant access to their social networking accounts.
Michigan’s IPPA addresses the oxymoron of “Internet privacy.” The perceived problem is that some people want to be able to express themselves in a very public forum such as the Internet.
However, people generally do not want negative consequences to arise from such expressions especially where they have made attempts to limit the audience for their postings, such as to “Facebook friends” only. On the other hand, some employers want to be able to make hiring and firing decisions based on how their employees or prospective employees’ actions may reflect upon their company. These actions are often based on an employee’s character, which may well be reflected on-line and could affect the employer’s business.
The IPPA attempts to strike a balance between those competing concerns. The law attempts to restrict an employer from requiring an employee or job applicant to provide access to their personal Internet accounts such as on Facebook or Twitter. It also restricts the employer from firing or refusing to hire someone for failing to comply with such a request. There is a “carve-out” of situations where an employer could permissibly access an employee’s personal Internet account.
Thorpe: The IPPA was passed unanimously by state lawmakers. Why such strong support?
Parzianello: The strong legislative support was likely a result of the legislators’ beliefs that sufficient balances were struck in the language of the proposed act between the competing interests of employers and employees. From the employees’ viewpoint, they remain free to have a password-protected account with access restrictions without fear that their employer or prospective employer will require them to divulge personal information unrelated to their job. The IPPA has some “teeth” by imposing criminal and civil penalties in the event of violations.
From the employer’s side, there remain some means to still access personal Internet accounts where reasonably necessary. These means include viewing information that is publicly available and accessing information on an electronic device if it is paid for by the employer. Also, access to personal Internet accounts may be permissible if an employer has information about employment related misconduct and wishes to make further investigation by reviewing the employee’s personal accounts. Additionally, if specific information exists about an employee’s unauthorized transfer of the employer’s confidential information, the employer may request and obtain access to the employee’s Internet accounts.
Thorpe: How can organizations protect themselves from running afoul of the new restrictions?
Parzianello: First, training of all supervisory personnel is critical. This law together with many others subjects employers to liability for statements made to and questions asked of employees and job applicants.
Next, for existing employees, employers should have written policies relating to the use of electronic devices, such as iPhones, and computers that have been supplied by the employer for the employee’s use. These policies should include:
• a definition of the electronic devices covered by the policy;
• a provision as to whether and to what extent an employee is permitted to use employer-supplied devices for personal use; and
• a provision informing employees that the employer may access employer-supplied devices.
Last, there is no civil limitations period in the IPPA. Employers may want to attempt to shorten the limitations period for bringing a claim under the IPPA through provisions in their job applications and employment agreements.
Thorpe: The legislation will also apply to educational institutions. How might it affect them?
Parzianello: The application of the law to educational institutions will most likely affect school administrators in disciplinary matters and college admissions departments in making decisions on applications. Educational institutions are prohibited from requesting students or prospective students to grant access to or allow observation of the student’s personal Internet account. They also cannot discipline a student or fail to admit a prospective student for any failure to permit access to or observation of the student’s personal Internet account.
There are no exceptions to the prohibitions for schools in the event administrators learn of threatening or inappropriate postings by current students. In such cases, administrators would best be served by making reports to police or other appropriate officials.
For colleges, admissions departments cannot seek access for the purpose of making admission decisions. While that practice does not seem to be commonly used, this law eliminates it altogether.
Thorpe: What flaws do you see in the IPPA?
Parzianello: First, there is no civil statute of limitations in the IPPA. The criminal portion of the act would fall under the general six-year limitations period for misdemeanors.
Additionally, although there is not a strong likelihood that a prosecutor will prosecute such claims except in unusual situations, criminal penalties seem to be excessive in the event of violations. Other states that have enacted similar laws have not made violations a criminal act.
Next, there is no prevailing party provision that would shift fees to an unsuccessful plaintiff. An individual who alleges a violation could bring a lawsuit and recover up to $1,000 in damages plus reasonable attorney fees and court costs after the person makes a written demand on the employer for payment. An employer who receives such a demand will need to make a financial decision about whether to simply pay the demand or engage counsel to defend a district court action that may lack merit.
Thorpe: How do you see this issue evolving in Michigan?
Parzianello: To begin, to the extent employers and schools were ever engaged in the practice of requesting access to private Internet accounts, that practice should immediately cease for those who are trained in the act’s provisions. For businesses, it provides an opportunity to review human resource policies and procedures on all matters relating to current personnel and job applicants.
That may help reduce their exposure to employment-based claims.
Reducing ultimate exposure, however, does not necessarily mean reducing the number of employment-based claims. This act has the potential of spawning frivolous litigation from job applicants who are denied employment.
For individuals who are not well versed in social media, the IPPA may tend to provide a false sense of security that employers cannot access anything they post. To the contrary, there are enough exceptions in the act and enough ways to access social media that still provide employers a mechanism to view and act upon their employees’ posts.