Update: The bill was sent to the Subcommittee on Special Issues (EX) - Members in the Senate with a May 31st deadline. (If you want to contact your state Senator now would be the time).
While you should always separate work from personal, for efficiency sake and to sometimes just be a better employee you use a personal email or a social media profile to quickly respond to a work inquiry. Well, under a new proposed bill that passed out of the Illinois House, your effort to be a better employee just may have opened up all of your non-work related personal information for your employer to view. Illinois House Bill 1047 passed on April 19 on a 69-35 vote and is now headed to the Illinois Senate.
The bill addresses the concern employers have regarding gaining access to business accounts but goes too far in allowing employers to gain access to personal accounts. Under the proposed law:
An employer may request or require an employee to disclose any user name and password, password, or other means of authentication for accessing any accounts or services provided by the employer or by virtue of the employee's employment relationship with the employer or that the employee uses for business purposes.
It is the last part of that addition that should concern quite a few of you. With no clear definition regarding business purposes, the proposed law allows employers to require access to your internet accounts that you may have used for business purposes even only one.
Respond to a tweet or a Facebook post for work on your personal profile, and your personal messages between you and your ex may now be requestable. I know, I have been guilty of this when just last year my employer's server went down and I started corresponding with a vendor on my personal account to make sure a product went to print on time. Under this proposed law, it is possible my employer will now be able to require I hand over my password.
The law also doesn't take into account the reality of the Internet, specifically how employer accounts are managed. Take for example Facebook, that allows employers to assign administrative status to personal profiles in order for the employee to update the company page. Would this action be considered under the ambiguous "employee uses for business purposes" language?
What happens when an employer opens up emails between the employee and their family regarding health issues or financial distress. We share (often too much) our most personal conversations and details via our online profiles with an expectation that they are not public. This law has the potential to undo that. The irony, of course, is rich in a state with two-party consent and some of the toughest eavesdropping laws on the books. Apparently in the Illinois legislature, your right to privacy ends where corporate paranoia begins.
The obvious answer is to keep your profiles completely separate, but as most of us know work and personal time are ever co-mingling and employers are expecting a more 24/7 response time. It is also not clear from the law if you stopped now, if your previous actions wouldn't trigger this intrusion. I fear, a lot of us maybe deleting profiles and starting new fairly soon.
The law goes even further in Subsection (4) in that it states that "Nothing in this subsection shall prevent an employee from conducting an investigation." Even if you have never used your personal accounts for business use, your employer may still be able to require you to hand over your personal account username and passwords if they have (undefined in the bill) specific information that you may have violated the law or company policy.
It is hard to see a valid purpose why employers need access to personal profiles. What the law does is just allow employers to avoid legal fallout from denying the employee's due process. If someone steals your car and parks it in their garage, you do not need a law from Springfield to require keys to that garage so you could check the status of someone's personal space; you would file a complaint with the police, and through legal channels gain access to your vehicle. Why couldn't an employer follow the same process for investigations that require access to personal profiles of employees? Why should an employee's due process be denied for corporate ease?
Undoubtedly this law (if passed) will end up in the courts to define, but not until several residents of Illinois have their lives turned completely upside down. One can only hope the Illinois Senate either removes the personal account access provisions or, at minimum, amends the bill to better define what constitutes business purposes and that personal profile accounts can only be access through (previously passed Acts) using the Justice System.
Considering the bipartisan nature which it passed in the Illinois House, I am not betting on it.
Filed under: Uncategorized