California – Gone Too Far Again
Lead Analyst: Cal Braunstein
California Governor Jerry Brown signed into laws Assembly Bill (AB) 1844, which restricts employers' access to employees' social media accounts, and Senate Bill (SB) 1349, which restricts schools' access to students' social media accounts. Due to the overbroad nature of the laws and the definition of social media, enterprises and schools may have difficulty complying while performing their fiduciary responsibilities.
Focal Points:
- Although both laws expressly claim they are only regulating "social media," the definitions used in the laws goes well beyond true social media over the Internet. The statutes use the following definition: "social media" means an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations. In effect, the law governs all digital content and activity – whether it is over the Internet and/or stored in local storage devices on in-house systems.
- Additionally, AB 1844, which covers employer-employee relationships, restricts employers' access to "personal social media" while allowing business-related access. However, the law does not define what comprises business or personal social media. It assumes that these classifications are mutually exclusive, which is not always the case. There have been multiple lawsuits over the years that have resulted from disagreements between the parties as to the classification of certain emails, files, and other social media.
- Many organizations inform employees that email and social media activity performed while using the organization's computer systems is open to access and review by the company. Furthermore, some entities have employees sign an annual agreement to such rights. However, the law makes it illegal for employers to ask for login credentials to "personal" accounts and the statute does not allow access to mixed accounts, which supposedly do not exist.
RFG POV: The new California statutes are reminiscent of CA Senate Bill 1386 (SB 1386), which requires any state agency or entity that holds personal information of customers living in the state to divulge any infringement of databases that include personal information, regardless of the business' geographic location. The new laws do more harm than good and allow potential class action civil suits in addition to individual suits. This will make it more difficult for organizations to protect the entity, its image, enterprise data and client/student relationships, and ensure appropriate conduct guidelines and privacy requirements are being met. In addition, the ambiguities in the wording of the laws leave them open to interpretation, which in turn will eventually lead to lawsuits. Business and IT executives can expect these new laws to extend beyond the borders of the state of California, as did SB 1386. IT executives should review the legislation, discuss with legal advisors all elements of the laws, including the definitions, and explore ways to be proactive with their governance, guidelines and processes to prevent worst case scenarios from occurring.