The Main Event: Social Media Privacy Laws vs. Financial Industry Regulation

Posted by Emily Lange Rodecker on May 22, 2013

In one corner, there’s employee protection. In the other, securities regulation concerns. In the battle of security, what’s more important: employee privacy or industry regulation? As the number of U.S. states passing social media legislation to protect employee rights increases, so does the pushback from regulatory bodies.

In cases where your social media profile is public, the gloves are off. Your employer has the right to view your posts – as does everyone else in the world (you know, being public and all). But if you’re using social media in both business and personal contexts, and using only one account that you yourself created and are held accountable for, is it fair for the regulatory bodies to monitor and archive your business communications? Or is that hitting below the belt?

According to The Wall Street Journal, 35 states have adopted, introduced, or begun work on social media privacy legislation since the start of 2013. Both the Financial Industry Regulatory Authority (FINRA) and the Securities Industry and Financial Markets Association (SIFMA) have sent multiple letters to the legislators pushing the bills, asking for modifications to regulate those in the financial sector, thus protecting investors.


This becomes a grey area when employees use their personal social media accounts for business communication related to their position. For example, in the financial industry, brokers and dealers often use their personal LinkedIn accounts to reach out to prospective clients, share industry-related information, and interact with current clients. While that is a personal account, financial industries want to be able to protect the social public from potential Ponzi schemes, instances of fraud, and subjection to investor risk.

FINRA’s social media guidance, Regulatory Notice 10-6, published January 2010, requires those held to financial regulations to monitor and archive business communications made using social media. Even if employees use their personal devices to engage in such communication, the regulatory bodies believe it must be monitored and archived.

Without the ability to access social media accounts of employees, employers cannot comply with the supervision and record-keeping responsibilities mandated by the financial industry regulatory bodies.

Acting as FINRA’s “corner man,” SIFMA supports the effort to provide more allowances for business social media use and has done its part to attempt to modify the language in each state’s proposed legislation. In letters to the various signers, SIFMA cited the 2012 American Century Investments study, which claimed that almost nine out of ten financial services professionals have social media profiles or accounts, 58% of those professionals use social media for business several times per week, and 27% use it for business on a daily basis. (Business use includes reading and posting commentary, monitoring and sharing relevant news, business promotion and brand building, sharing best practices, and obtaining customer feedback.) According to SIFMA, a “personal” account that is also used for business purposes should be treated as a business account.

SIFMA’s letters also include a quote from North American Securities Administrators Association (NASAA) president Heath Abshure:

“State laws and regulations require broker-dealers, investment advisers, broker-dealer agents and investment adviser representatives to maintain books and records relating to the firm’s business, which can include business communications made or transmitted using social media. To comply with these requirements, broker-dealers and investment advisers must be able to access social media accounts used by employees for business purposes. Legislation under consideration by certain states may prove problematic because, absent an appropriate carve-out, such laws would place broker dealers and investment-advisers in a precarious position where compliance with state privacy laws might cause them to run afoul of their supervisory and record-keeping responsibilities under state and federal securities laws and regulations, and vice versa.”

State legislators counterpunch with the belief that they are not only protecting employees’ right to privacy but also saving employers from themselves in the process. Requiring access to a prospective employee’s social media account that would also disclose personal information could backfire if said candidate was not hired. Employers could be subject to lawsuits suggesting the personal information gleaned from social media accounts such as appearance, political leanings, or sexual orientation played a role in the decision not to hire.

Some states are more aggressive than others in terms of blocking any and all attempts of employers to access current or prospective employee social media profiles. Maryland and Illinois, for example, include no provisions for firms to be able to access accounts that engage in business communications, though they do allow for employers to conduct investigations of employee misconduct that may necessitate social media account information. Utah’s Internet Employment Privacy Act offered a bit more clarification as to what rights employers have to require access to employee social media accounts, specifically those that are used for business communications or accessed from an employer-issued electronic device. It also protects employers in that they can still require access to accounts created, maintained, used, or accessed by employees and applicants for business-related communications or a business purpose of the employer.

In New Jersey, Governor Chris Christie conditionally vetoed the state’s proposed social media privacy law, Bill 2878; he found it too broad. In it, employers are forbidden to ask potential employees if they had personal social media accounts, even if they were just trying to ascertain certain occupational skill levels. Christie, like the financial regulators, also found fault with disallowing employer access to social media account(s) used for business purposes.

While many of these laws prohibit employers from asking their current or prospective employees for access to their social media accounts and profiles, employers are allowed to promote workplace laws and procedures for how office equipment and Internet can be accessed for personal use. Employers also maintain the right to investigate instances where employee misconduct is causing reasonable concern.


If you’re allowing your employees to use social media for business, you’re already in the ring. So make sure you don’t get sucker punched! Update your social media policy regularly to ensure it informs and protects you and your employees based on the current legislation. Stay up-to-date on your state’s laws as well as the latest regulations put forth by your industry’s regulatory bodies.

What do you think? Should regulators throw in the towel and amend compliance laws? Or should state legislators add in provisions to help the financial industry regulate employees using social for business? We’d love for you to share your thoughts with us on Facebook, Twitter, or Google+.

