Across the nation, states are passing new laws that prevent employers from demanding passwords and access to the personal social media accounts of their employees or potential hires.

In a time when the line between personal and business use of Twitter, LinkedIn, and Facebook is increasingly blurred, however, these laws may have unintended consequences that force legal and compliance departments to rethink their current approach to social media.

California, Maryland, and Illinois have enacted legislation that, starting next year, prohibits employers from requesting or requiring an employee or applicant to disclose user names or passwords for personal online accounts. Fourteen other states have introduced similar bills this year, and members of Congress proposed federal legislation in May, the Password Protection Act of 2012, with the same goal.

While few have questioned the good intentions of the laws, many in the financial industry are concerned that they could weaken investor protections. For example, the Securities Industry and Financial Markets Association says such laws could hurt financial firms' efforts to police communication between brokers and clients. The law “conflicts with the duty of securities firms to supervise, record, and maintain business-related communications as required by the Financial Industry Regulatory Authority,” the association wrote in a letter last month to California Governor Jerry Brown, prior to his signing that state's legislation into law.

Financial firms are concerned that many employees use the same account for personal and business activity. FINRA requires securities firms to supervise, record, and maintain their employees' business communications—including those disseminated on social media sites. Under these rules a “personal” account used for business purposes must be treated as a business account.

“Denying securities firms access to personal social media accounts where business is being conducted directly conflicts with FINRA regulations,” SIFMA wrote. “It also puts customers at risk, as it will be much harder for firms to detect serious problems, including: misleading claims by an employee, such as the promise of an unrealistically high rate of return on investment; insider trading, Ponzi schemes, and other fraudulent activity; and inappropriate conduct such as the selling of investment products that are not approved by the firm.”

Bradley Shear, a California-based attorney who has advised federal and state lawmakers on social media privacy laws, says that the financial industry's initial response to California's new law may be an “overreaction” because the final version allows employers to access employees' personal social media accounts if there is an investigation into allegations of employee misconduct or a violation of applicable laws or regulations. 

During the bill's consideration, SIFMA sought an industry exemption that read:

“This act shall not apply to the personal social media accounts or devices of a financial services employee who uses such accounts or devices to carry out the business of the employer that is subject to the content, supervision, and retention requirements imposed by federal securities laws and regulations or a self-regulatory organization.”

That language was rejected by the sponsor, although the bill was amended to permit the exceptions for cases where there is an investigation into misconduct. In its own comment letter to Brown, FINRA expressed its concern that the exception doesn't go far enough: “While this language is helpful, account access is permitted only after alleged misconduct is somehow discovered or reported. It does not address securities firms' need to monitor, record, and retain business-related communications on personal social media sites.”

Shear says a better solution is for financial firms to create social media policies that employees fully understand. In advising financial firms, he also cites the importance of adequate and ongoing training.

“California's new law may lower compliance costs for the financial services industry because it is unreasonable to expect a company to have a duty to monitor their employee's personal digital content in case an employee makes a business post on a personal account,” Shear says. “Employers should only have a duty to monitor business social media accounts and not personal accounts.”

Eric Goldman, a Santa Clara University professor who specializes in technology legislation, however, raises what he sees as serious concerns about the flurry of new laws, in particular California's new law, which will likely serve as a model for other states. “When company employees have a public face, that public persona doesn't lend itself neatly into distinguishing between company efforts and personal efforts,” Goldman says. “It doesn't really matter what the formal policy says. In practice, we all know people are going to be making dual uses of any technology we provide to them. If laws don't acknowledge that, the laws are going to be wrong.”

Critics of the California law are also concerned that it defines “social media” too broadly. “The law talks about social media accounts, but it is not limited to that,” Goldman says. “It is basically applied to anything in an electronic format. That strikes me as hugely problematic in a financial institution where data can reside in a lot of different places. Trying to understand the consequences of this is baffling to me. I think that is where a lot of employers are going to get caught if they don't actually read the statute and think about what it means to them.”

Eric Morehead, senior compliance counsel at Corpedia, a compliance, ethics training, and risk-assessment consultancy, agrees that the sweeping definition may prove problematic.

Although there is an exemption in the California law for gaining access to company-issued smartphones, tablets, and laptops, what if someone is sending an e-mail, text message, or blog post from that equipment? “It is a catch-22,” Morehead says. “The exception is there so you can still get passwords for the devices, but not the accounts. I think they are setting themselves up for litigation at some point over that definition because it is so broad.”

Blurring of the Lines

SIFMA LETTER

Below is an excerpt from a Sept. 5 letter to California Gov. Jerry Brown from the Securities Industry and Financial Markets Association, that unsuccessfully urged his veto of new legislation prohibiting employers from requiring employees to provide access to their personal social media accounts:

The bill, while well-intended, conflicts with the duty of securities firms to supervise, record, and maintain business-related communications as required by the Financial Industry Regulatory Authority (FINRA). If the bill is signed, firms will be placed in the untenable position of having to violate either state law or their FINRA obligations.

The securities industry has absolutely no interest in accessing employee accounts that are used exclusively for personal use. The problem, however, is that many people use the same account for both personal and business activity.

SIFMA strongly believes that a “personal” account that is used for business purposes must be treated as a business account.

To protect investors, FINRA requires, among other things, that securities firms supervise, record and maintain their employees' business communications – including those disseminated on social media sites. This is spelled out in several different FINRA rules and regulatory notices, including:

Securities firms must establish procedures for the review of registered representatives' written and electronic business correspondence.

Firms must adopt policies and procedures reasonably designed to ensure that their associated persons who participate in social media sites for business purposes are appropriately supervised.

A firm's procedures “must be reasonably designed to ensure that interactive electronic communications do not violate FINRA or SEC rules, including the prohibition on misleading statements or claims and the requirement that communications be fair and balanced.”

Denying securities firms access to personal social media accounts where business is being conducted directly conflicts with FINRA regulations. It also puts customers at risk, as it will be much harder for firms to detect serious problems, including: misleading claims by an employee, such as the promise of an unrealistically high rate of return on investment; insider trading, Ponzi schemes and other fraudulent activity; and inappropriate conduct such as the selling of investment products that are not approved by the firm.

Source: Securities Industry and Financial Markets Association.

In August, the Securities and Exchange Commission issued a long-awaited, but controversial, rule proposal to eliminate the ban on advertising and other forms of “general solicitation” in private offerings made in reliance on Rule 506 of Regulation D of the Securities Act. That requirement of the JOBS Act allows the easing of advertising restrictions provided that purchasers are accredited investors.

The easing of solicitation rules could make the new state laws restricting employers from accessing employee social media activity even more problematic, potentially encouraging more people to ignore the line between personal and business outreach as they use social media as a means for “solicitation.”

“Obviously it is another area that broker-dealer firms will need to create procedures to monitor,” says Michael Hermsen, a partner with the law firm Mayer Brown and former assistant director of the SEC's Division of Corporation Finance. “But that should also be the case today with public offerings. A broker could try and use a personal account today and the broker-dealer would have the same issues. It just will probably require heightened internal procedures and monitoring to try and catch a rogue broker. Crowdfunding will just add to this when it becomes effective.”

“If I'm a salesperson, job number one for me is to make money and to bring in clients,” says Sara Jane Shanahan, co-chair of the business litigation and social media and digital technology practice groups of the law firm Sherin and Lodgen. “Maybe one day I'm going to think, ‘Well, I'm going to expose my personal account to the company and see what happens because I need to develop my business.’”

Shanahan says companies must have policies and training in place to curb such behavior as best they can. They need to treat social media the same as they would any other company asset, with rules and procedures to protect that intellectual property.

“The more you communicate with your workforce the better you are going to be able to articulate to a court someday that an employee didn't have any expectations that this was a personal account,” she says. “You can talk to the judge about the written policies, the training an employee went through, and the consent form they signed. Just as they do when businesses give someone an e-mail account in the corporate name, or issue an iPad or iPhone, there ought to be an ability for business to set up a protocol for issuing a social media account.”