Oklahoma to Prohibit Employer Access to Private Social Media
On November 1, 2014, Oklahoma will join a number of other jurisdictions that prohibit employers from gaining access to passwords to employee or applicant social media accounts or from viewing non-public information maintained on such an account. Many states have these laws to override employer policies that required employees and applicants to provide passwords to personal social media accounts or to otherwise give employers access to content of these accounts. Oklahoma’s statute will cover employers that pay at least one individual with a salary or wages, or contract or subcontract with the state (or its agencies) to furnish material or perform work.
Under the new law, an employer may not require an employee or applicant to disclose a user name and password or other means of authentication (“authentication information”) for accessing a personal online social media account through an electronic communications device. Nor may an employer access an employee or applicant’s personal online social media account in a manner that allows the employer to observe contents of the account otherwise shielded from the general public, unless the access is pursuant to an investigation permitted under the new law.
The new law will also prohibit an employer from taking adverse employment action against an employee or applicant for refusing to provide authentication information to his or her personal online social media account. The law will permit employers to:
- request or require an employee to disclose authentication information for the purpose of accessing any computer system, information technology network, or electronic communications device provided or subsidized by the employer; or any accounts or services provided by the employer or by virtue of the employee’s employment relationship, or that the employee uses for business purposes;
- conduct an investigation based on the receipt of specific information about activity on a personal online social media account or service by an employee or other source to ensure compliance with applicable laws, regulatory requirements or prohibitions against work-related employee misconduct, or concerning the unauthorized transfer of an employer’s proprietary, confidential, or financial information;
- comply with state or federal statutes, rules or regulations, case law, or rules of self-regulatory organizations;
- access the employer’s computer system or information technology network, including electronic communications devices owned by the employer; and
- review or access personal online social media accounts that an employee chooses to use while utilizing an employer’s computer system, information technology network or electronic communications device;
If an employer inadvertently obtains authentication information by virtue of its access to employer-provided devices, it is not liable for possessing that information. However, the employer still may not use the information to access the account.
Under the new law, an aggrieved individual may bring a civil action for injunctive relief and damages not exceeding five hundred dollars per violation. Under the statute, punitive or emotional damages are not available. A violation of the new law may not be the basis for a public policy tort (which Oklahoma recognizes in other instances where an employer’s termination of an employee is in violation of a public policy of the state as set forth in a statute, constitutional provision or common law principle of law). Any suit must be brought within six (6) months of an alleged violation.
Obviously, employers who currently ask for private social media passwords or access should amend their policies to prohibit these practices, except as allowed by the statute. Employers should also review their general policies concerning social media, as well as policies concerning investigatory procedures as they may implicate social media. Employers should also make clear to employees and applicants that the employer owns all rights with respect to employer-provided or paid-for devices, that no privacy rights exist as to such employer-provided or paid-for devices, and that access and monitoring can and will occur to the extent allowed by law.