It’s time to roundup the bills related to computer technology that the Hawai‘i legislature is considering in its 2014 regular session. Click here for a chart summarizing the proposed legislation. Here are the highlights:
Social Media and Internet Account Passwords: Several bills to prohibit improper requests for access to personal social media accounts of employees and students were introduced in the 2013 session. None of the them passed. This year, HB2415 renews the effort to outlaw improper social media password requests.
Internet Sales Tax: HB1651 would require online companies with arrangements with Hawaii merchants for referral of business to collect use taxes on sales made in Hawaii. This bill would affect online retailers like Amazon, who allows local merchants to sell their products through Amazon Marketplace.
Restrictive Covenants: In an effort to encourage the development of technology business in Hawai‘i, a state with a relatively small geographic area, two bills (HB2617 and SB3126) would prohibit technology businesses from requiring employees to enter into noncompete agreements and restrictive covenants. “Technology business” is defined as “a trade or business that relies on software development, information technology, or both.”
Cybersquatting: SB2958 would put the burden on a cybersquatter to prove that it did not register a domain name in bad faith or with intent to use it in an unlawful manner, provided that the person claiming cybersquatting can demonstrate the potential of immediate and irreparable harm through misuse of the domain name.
Cybersecurity Council: SB2474 would establish the Hawai‘i cybersecurity, economic, education, anfrastructure security council.
Mobile Devices: Three bills (HB1509, HB1896, and SB2729) would make it a State offense to use a mobile electronic device while operating a motor vehicle. Certain counties already have similar laws.
3D Printing: In response to the rising availability of 3D printers, HB1802 would make it a crime to create, possess, sell, trade, or give another person a firearm made with digital manufacturing technology.
Computer crimes: A series of bills criminalizes various kinds of computer activity, including unauthorized access to a computer or network and damage to a “critical infrastructure computer” (HB1640); theft of a computer (HB1644); or personal electronic device for storing or retrieving personal information (HB2080); and revenge porn (SB2319).
Hawai‘i has jumped on the bandwagon of states (along with 31 other states, according to the National Conference of State Legislatures) introducing legislation to ban employers from requesting access to social media accounts of job applicants. Several bills on the subject were introduced in this year’s legislative session, but the one that appears to have the best chance of becoming law is HB713 H.D. 2 S.D. 1 (HB713). The bill has passed the House and gained the approval of two Senate committees. Next up for the bill is review by the Senate Judiciary Committee. As HB713 gains traction, let’s take a look at what it says and some issues it raises in its current form.
SUMMARY OF HB713, H.D. 2
HB713 would insert a new section into the Hawai‘i statute governing discriminatory employment practices, Hawai‘i Revised Statutes (HRS) chapter 378, part I. The proposed law would apply to both job applicants and existing employees. Employers are prohibited from gaining access to a “personal account,” which is defined as:
An account, service, or profile on a social networking website that is used by an employee or potential employee exclusively for personal communications unrelated to any business purposes of the employer. This definition shall not apply to any account, service, profile, or electronic mail created, maintained, used, or accessed by an employee or potential employee for business purposes of the employer or to engage in business-related communications.
Specifically, an employer may not “require, request, suggest, or cause” an employee or job applicant to: (1) turn over access to his or her personal account; (2) access his or her personal account while the employer looks on; or (3) divulge any personal account. An employer also may not fire, discipline, threaten, or retaliate against an employee or job applicant for turning down an illegal request for access.
There are exceptions, however.
- An employer may conduct an investigation to ensure compliance with law, regulatory requirements, or prohibitions against work-related employee misconduct based on receipt of specific information about activity on a personal online account or service by an employee or other source.
- An employer may conduct an investigation of an employee’s actions based on the receipt of specific information about unauthorized transfer of the employer’s proprietary information, confidential information, or financial data to a personal online account or service.
- An employer may monitor, review, access, or block electronic data (a) stored on an electronic communications device that it pays for in part or in whole, or (b) traveling through or stored on an employer’s network, in compliance with state and federal law.
- An employer may get an employee’s login credentials to access an electronic communications device supplied or paid for in whole or in part by the employer.
- An employer may get an employee’s login credentials to access accounts or services provided by the employer or “by virtue of the employee’s employment relationship with the employer” or that the employee uses for business purposes.
- HB713 specifies that the proposed law is not intended to prevent an employer from complying with other law or the rules of self-regulatory organizations, and that the proposed law should not be construed to conflict with federal law.
OBSERVATIONS AND CONCERNS
Shoulder surfing nixed. The bill appears to make “shoulder surfing” by an employer illegal per se. Suppose an employee tells his boss, “Man, you cannot believe the whales my friend saw on her boat this weekend! She sent me a video of it on Facebook.” Intrigued, the boss says he wants to see the video. The employee obliges by logging on to her Facebook account while her boss watches over her shoulder. Did the boss unlawfully “request” that the employee grant him access to her “personal account”? Technically, yes. Note that HB713 has no exception for voluntary consent of the employee.
“Friending” employees might become illegal. Employers and employees sometimes connect on the same social network. While it isn’t always a good idea for an employer to “friend” an employee, it’s not illegal to do so—unless, perhaps, HB713 becomes the law. HB713 bans an employer from requesting that an employee “divulge any personal account.” Yet, that’s exactly what a friend request does—it requests access to portions of a social media account that can be viewed only by the account owner’s “friends.” The “divulge” language probably was intended to reach situations where an employer demands that an employee hand over access to another employee’s personal account. But as written, HB713’s prohibition against divulging any personal account could be interpreted to apply to innocent “friending.”
The line between personal and private is blurry. In a perfect world, employees would use business social media accounts strictly for business purposes and conduct all of their personal social media activity using separate social media accounts. That’s a best practice, not necessarily reality. The line between personal and business can get blurry in the social media space. It’s not unusual for employees to talk about work or promote their company within their personal social networks. If the employee uses his or her personal account for work purposes, shouldn’t the employer, who might have responsibility for the actions of its employee, be entitled to access the employee’s personal account in certain circumstances? On the other hand, to what extent must an employee use his or her personal account for work-related interactions before the employer should be allowed access to the account? These are difficult issues.
To address the issue, the latest draft of the bill tightens up the definition of “personal account” a bit and specifies that an employer may obtain login credentials from an employee to access “[a]ny accounts or services provided by the employer or by virtue of the employee’s employment relationship with the employer or that the employee uses for business purposes.” This language is somewhat vague. For example, what does “by virtue of the employer’s employment relationship with the employer” mean? It might well be that HB713 is trying to draw artificial distinctions between personal and work social media accounts when in practice, the distinction is sometimes fuzzy at best.
HB713 still has a few hurdles to overcome before it becomes law. Here at LegalTXTS, we’ll keep an eye out for the status of the bill.
UPDATE 2/19/13: HB713 has been scheduled for decision making on February 21. Its companion bill, SB207, passed second reading and has been referred to the Senate committee on Judiciary and Labor. Also, an updated chart of all Internet-related legislative proposals in the 2013 Hawaii legislative session is available here.
Two Hawaii bills that would ban employers from requesting employees or job applicants to disclose access information to their personal Internet accounts moved forward today. The House committee on Labor and Public Employment voted to recommend passage of HB713 with the amendments reflected in the HD1 version of the bill. HD1 amended the original bill to replace the term “social media” with “personal account”; define “personal account”; place the new legislation under the employment practices statute, HRS chapter 378; create an exception for law enforcement agencies conducting background checks of applicants for employment). HB713 now goes to the House Judiciary committee for review.
SB207, a companion bill to HB713, was also recommended for passage with amendments by the Senate committee on Technology & the Arts.
Employers should clarify ownership and control over social media accounts by which their employees promote the organization — Insynq v. Mann, No. 3:12-cv-05464 RBL, 2012 WL 3763550 (W.D. Wash. Aug. 29, 2012)
Earlier this year, the Phonedog v. Kravitz case attracted buzz on the issue of who owns a social media account that’s started by an employee, purportedly to promote his employer’s organization. In PhoneDog v. Kravitz, the former editor-in-chief (Kravitz) of an online news service refused to relinquish the Twitter account on which he posted content promoting the company. Kravitz argued that he owned the Twitter account because he personally opened the account and amassed its sizeable following of approximately 17,000 followers. PhoneDog sued Kravitz for ownership of the Twitter account.
The issue hasn’t gone away. The most recent case is Insynq v. Mann. In that case, the employee (Mann) of an application service provider (Insynq) registered three domain names during her employment and began writing three blogs associated with each domain name. After Insynq terminated Mann, it claimed ownership of the blogs. Mann refused to give her former employer the credentials to the blog. In the lawsuit that followed, Insynq sued Mann for breach of her non-compete agreement, misappropriation of trade secrets, and unfair competition.
Cases like PhoneDog and Insynq are a good reminder that if an organization has its employees managing its social media activity, it needs to clarify who owns the social media account used by the employee and the contents of the account. Otherwise, an organization might find itself fighting for control over a social media account after the departure of the employee responsible for managing the account. Not having such control could lead to alienation of a painstakingly developed community of customers or fans, or worse, the inability to exercise editorial discretion over content about the organization being pushed out to the community.
To avoid messy disputes over ownership and control over social media assets, organizations should consider the following guidelines when developing social media policies:
- Specify that only authorized employees may publish social media content on behalf of the organization, and that employees must use the organization’s official social media accounts when publishing such content.
- Specify who owns the login credentials to the social media accounts used to promote the organization, as well as the content published on such accounts.
- Require an employee who is responsible for managing the organization’s social media activity to disclose to his or her manager the login credentials for the accounts used for that purpose. The employee should also be required to disclose any changes to the login credentials.
- Prohibit employees from using the organization’s official social media accounts for their personal use.