Risk
10/1/2012
09:58 AM

California Passes Tough Social Media Privacy Laws

Employers and colleges in the state now forbidden from demanding social media logins and related material from applicants.

California jobseekers with a penchant for the semi-scandalous can breathe a sigh of relief--sanitized Facebook accounts are no longer a prerequisite to employment. Thanks to two bills signed into law Thursday, businesses and schools throughout the Golden State are now prohibited from demanding that applicants share social media credentials and related private content.

In a gesture that fit the occasion, Governor Jerry Brown used a number of social media platforms to announce that he'd signed the legislation. The bills--AB-1844, which bars employers from demanding social media-related material, and SB-1349, which defines a similar policy for colleges and prospective students--were authored by state representatives in the tech-rich Bay Area and will go into effect January 1.

The vetting of social media content first drew national attention in February 2011, when a Maryland corrections officer revealed that he'd been required to provide his Facebook user name and password as part of a recertification process. The practice proved incendiary; opposing parties included purveyors of legal but off-color online antics, job applicants put off by the invasive request, the ACLU, and--in a move that raised eyebrows due to the company's sometimes nebulous privacy policies--Facebook itself.

Despite debates, the use of social networks for hiring purposes has been fairly widespread. A CareerBuilder survey found that around two-fifths of polled employers were using social networking tools to screen candidates as of last spring. This figure was down 18% relative to a 2009 version of the same study, suggesting the tactic might be losing favor. An additional 11% of the 2012 respondents reported plans to incorporate social media into hiring policies, however, so such conclusions are speculative. A Eurocom Worldwide study released around the same time drew comparable conclusions.

Whatever the rate of adoption, the policies have impacted hiring decisions. The Eurocom study found that around 20% of executives had chosen not to hire someone based on his or her social media profile. CareerBuilder, meanwhile, found that 12% of the companies that screen social networks do so expressly to look for undesirable behavior. This figure might undersell the real impact, as many respondents reported using social networks for goals so broad as to include virtually anything--such as assessing whether a candidate is "well-rounded."

Though rejected applicants attract headlines, hiring processes that include social media checks have actually helped some people find work; CareerBuilder found, for example, that 29% of the companies that check online profiles have found reasons to hire someone while doing so. A study in the Journal of Applied Psychology, meanwhile, somewhat validated the vetting technique, concluding that assessments drawn from social media screenings correlate with actual workplace performance. The researchers argued that more research is necessary, however.

Washington, D.C.-based attorney Bradley Shear served as an adviser to the California bills' respective authors and has frequently analyzed the use of social media monitoring in his blog. In an interview, he said difficulties with social media predate the employer-driven controversies. Universities, he stated, had already been using reputation monitoring services such as UDiligence and Varsity Monitor to keep tabs on high-profile student athletes. He characterized the practice as "very troubling" and potentially in violation of some laws, but countered that it took broader privacy concerns and Constitutional objections to foment public debate.

Indeed, California state Sen. Leland Yee, author of SB-1349, cited such broad concerns as an impetus for new legislation in a May interview with KQED Public Radio, declaring that even if social networks contain information in which employers might have legitimate interest, they also contain information that businesses are legally forbidden from collecting, such as religious affiliation and sexual orientation.

Shear described the monitoring of student athletes as emblematic of why California's new laws benefit not only privacy advocates but also businesses and institutions. "With access comes responsibility," he asserted, explaining that if an individual whose profile is being watched commits a crime, the monitors could be criminally liable if they're found to have overlooked or neglected warning signs expressed in social media. Others have similarly questioned whether employers might be vulnerable to lawsuits from rejected applicants who allege discrimination.

Shear also stated that economic dangers are implicit when hiring managers include social media in the application process. To combat perceived privacy intrusions and maximize appeal to employers, many candidates create false, anodyne accounts that skew social networks' respective user figures. This trend, he said, distorts advertising data, negatively impacting the bottom line of not only the social networking services but also the companies that rely on them for marketing strategies. Other jobseekers who simply opt to stop using social media, he said, only exacerbate this phenomenon.

The new laws are "common sense from both privacy and litigation perspectives," Shear asserted, because "they shield [businesses] against potential litigants." He said AB-1844 and SB-1349 are ultimately "pro-privacy, pro-business, and pro-technology" because they strike a proper balance among all parties' individual concerns.

Maryland and Illinois have adopted similar laws that extend only to employees, and Delaware passed legislation that applies only to students' social media accounts. When California's new restrictions become enforceable in 2013, the state will boast the most comprehensive set of regulations.

This status might be fleeting, however; several more states are considering laws of their own, and SNOPA, a federal-level version, is currently working its way through Congress.

Comments
Deb Donston-Miller,
10/3/2012 | 11:36:24 PM
re: California Passes Tough Social Media Privacy Laws
I think it is good that laws are being passed preventing employers from asking for (or demanding) the keys to job candidates' social kingdoms, but many companies are looking at how candidates present themselves online--what kind of social "equity" they have built up in terms of friends/followers/followees/content developed/content shared. Of course, this kind of information isn't relevant for all jobs--maybe not even most--but I think it's relevant for an increasing number of positions.

Deb Donston-Miller
Contributing Editor, The BrainYard