On the last day of the 2016 Regular Session, the West Virginia Legislature passed a bill that will require all West Virginia employers to evaluate their social media policies and practices. HB 4364, known as the Internet Privacy Protection Act (“IPPA”), prohibits employers from forcing employees or job applicants to provide access to their personal social media accounts except in limited circumstances. The IPPA further imposes affirmative obligations on an employer that inadvertently receives an employee’s username and password for his or her social media account. The implications of the IPPA, which applies to all West Virginia employers, include potential wrongful discharge and invasion of privacy claims. Accordingly, all employers must evaluate whether their current policies and practices conform to the IPPA before it becomes effective on June 10, 2016.
 
Specifically, under the IPPA an employer may not:
 

1. Request, require or coerce an employee or a potential employee to disclose a username and password, password or any other authentication information that allows access to the employee’s or potential employee's personal account;
2. Request, require or coerce an employee or a potential employee to access their personal account in the presence of the employer; or
3. Compel an employee or potential employee to add the employer or an employment agency to their list of contacts that enable the contacts to access a personal account.

 
However, the IPPA attempts to strike a balance with employers by providing six limited exceptions when an employer may access an employee’s personal account. Employers may continue to:
 

1. Take action to ensure compliance with applicable laws, rules or regulations;
2. Access information that is publicly available;
3. Require an employee to disclose a username or password or similar authentication information for the purpose of accessing:
   1. An employer-issued electronic device; or
   2. An account or service provided by the employer, obtained by virtue of the employee’s employment relationship with employer, or used for the employer’s business purposes;
4. Require an employee to cooperate in an investigation by requiring the employee to share content on the employee’s personal account that has been reported to have been transferred without the employer’s permission (but only where the employer has learned of specific information of an issue and the content is the employer’s proprietary or confidential information or financial data);
5. Prohibit employee use of a personal account during work hours; or
6. Request that the employee share specific content regarding a personal account for the purpose of ensuring compliance with applicable laws, regulations or prohibitions against work-related employee misconduct.

 
Finally, the IPPA sets up vague obligations for employers that inadvertently receive an employee’s username and password for a social media account. As a general rule, the employer is not liable for obtaining that information through otherwise lawful technology that is used to monitor the employer’s network or electronic devices. However, once the employer is in possession of the information that provides access to an employee’s (or potential employee’s) personal account, the employer is liable if the employer:
 

1. Uses that information, or enables a third party to use that information, to access the employee's personal account; or
2. After the employer becomes aware that that information was received, does not delete information as soon as is reasonably practicable, unless that information is retained by the employer as part of an ongoing investigation of an actual or suspected breach of the computer, network or data security. Where an employer knows or, through reasonable efforts, should be aware that its network monitoring technology is likely inadvertently to receive such information, the employer shall make reasonable efforts to secure that information.

 
“Friending” Employees Through Social Media
 
At first glance, the IPPA appears simple enough. However, the devil is in the details. After a closer reading of the IPPA you may ask: Can I “friend” my employees? The answer is a cautious yes. While the IPPA prohibits an employer from requesting direct access to an employee’s social media accounts, it only prohibits employers from “compel[ing] employees or potential employees to add the employer or an employment agency to a list of contacts that gives the contacts access to a personal account.” In other words, an employer may send a “friend” request to an employee on Facebook or ask to follow the employee on Twitter.
 
However, this analysis exemplifies the danger of the IPPA because the line between request and compel is gray. Be wary of trying to “friend” an employee or potential employee because the simple act, coming from a supervisor, may be construed as compelling the employee or potential employee to add the employer as a condition of employment. If an employee rebuffs an employer’s “friend” request, and suffers some adverse employment action, a wrongful termination claim may result. Employers should not put themselves in a situation where they have to defend a lawsuit because they attempted to “friend” an employee on their private social media account.

Also, the affirmative obligation placed on employers regarding inadvertent disclosure of access information to personal accounts is problematic. Employers now are obligated to monitor their systems to ensure compliance with IPPA and personal account information must be deleted from the employer’s system within a reasonably practicable time period.
 
Additionally, employers must ensure that personal account information is secure if the employer’s system is likely to receive such information. Essentially, IPPA requires employers to know what they may not know they know, and then delete it. This is particularly important because the IPPA uses the word “liable” to describe the consequences of noncompliance. While the IPPA does not expressly provide a mechanism for an employee to sue for a violation of the IPPA, there is potential for facing an increased exposure to invasion of privacy or similar actions.
 
West Virginia employers would be wise to update their policies and procedures to account for IPPA. The Internet and social media are still helpful tools for employers seeking background information on an employee or potential employee, but employers must be careful how they gather that information. The message to West Virginia employers seems to be: be friendly with your employees, but do not “friend” your employees.

If you have any questions about this issue or any labor and employment issue, please contact us.