Michigan's New Social Media Privacy Law Bucks the Trend (and Starts a New Trend?) by Allowing Broker-Dealers to Comply with FINRA Rules
Beginning in 2012, several state legislatures have proposed new laws to restrict employers from requesting or requiring employees or applicants to provide their social media user names, passwords and account information. On December 28, 2012, Michigan became the fourth state — following Maryland, Illinois, and California — to enact such laws when the Internet Privacy Protection Act (H.B. 5523) (“Michigan Act”) was signed into law, effective immediately. Certain of these state laws, as enacted or proposed, could potentially put broker-dealers in between the proverbial rock and a hard place: complying with the state law might be deemed to violate applicable Financial Industry Regulatory Agency (FINRA) rules, but complying with FINRA’s rules might be deemed to violate the state law.
The social media privacy laws that have passed in Illinois, Maryland and California are potentially in conflict with the monitoring and recording requirements for broker-dealers under FINRA regulations, which mandate that broker-dealers must review any social media site that an associated person intends to use for a business purpose to ensure that the associated person can and will comply with all applicable regulatory rules and securities laws. The Michigan Act, however, is the first of such social media privacy laws that includes a carve-out for members of the financial services industry to comply with FINRA rules and securities laws.
I. FINRA’s Rules Requiring Supervision of Communications on Social Media Sites
FINRA has issued various Regulatory Notices addressing the obligations of securities firms with respect to the use of social media, noting that “the content provisions of FINRA’s communications rules apply to interactive electronic communications that the firm or its personnel send through a social media site.” FINRA Regulatory Notice 10-06 (Jan. 2010). Regulatory Notice 10-06 also states:
Firms must adopt policies and procedures reasonably designed to ensure that their associated persons who participate in social media sites for business purposes are appropriately supervised, have the necessary training and background to engage in such activities, and do not present undue risks to investors. Firms must have a general policy prohibiting any associated person from engaging in business communications in a social media site that is not subject to the firm’s supervision.
To ensure compliance, broker-dealers “must review prior to use any social media site that an associated person intends to employ for a business purpose [and] approve use of the site for a business purpose only if the registered principal has determined that the associated person can and will comply with all applicable FINRA rules, the federal securities laws, including recordkeeping requirements, and any additional requirements established by the firm.” FINRA Regulatory Notice 11-39 (August 2011). Furthermore, broker-dealers “must be able to retain, retrieve and supervise business communications” even when conducted on social media sites through the use of the associated person’s personal computer or other device. Id.
II. The Conflict for Broker-Dealers with Social Media Privacy Laws
In addition to the four states who have enacted social media privacy laws directed at employers, comparable legislation is pending before at least eighteen other states and both the U.S. Senate House.  These enacted and proposed laws share a common general prohibition against employers coercing or requiring employees or job applicants to provide social media account passwords or access their social media accounts in the presence of the employer.
This prohibition creates a potential conflict for broker-dealers, who must follow FINRA’s mandates with respect to the supervision of their associated persons’ activity on such sites. An obvious way to harmonize these conflicting rules — as Michigan has done — is the inclusion of a carve-out in the social media law for any employer who is otherwise obligated to monitor and supervise its employees’ social media activity.
Last year, FINRA and the Securities Industry and Financial Markets Association (“SIFMA”) targeted the proposed California law in an effort to convince legislators to incorporate a financial services industry exception to the general prohibition. California’s A.B. 1844 illustrated the conundrum posed to broker-dealers in that complying with FINRA’s rules will potentially violate the California law, but complying with the California law will potentially violate FINRA’s rules. In June 2012, both FINRA and SIFMA submitted comments on to California’s legislature to express these concerns and to propose the carve-out solution.  The exemption language, proposed by FINRA (with similar language proposed by SIFMA):
This act shall not apply to the personal social media accounts or devices of a financial services employee who uses such accounts or devices to carry out the business of the employer that is subject to the content, supervision, and retention requirements imposed by federal securities laws and regulations of a self-regulatory organization as defined in section 3(a)(26) of the Securities Exchange Act of 1934, as amended.
FINRA’s and SIFMA’s suggestions were rejected, and the California law as proposed was signed into law on September 27, 2012. Maryland’s social media privacy law — which, in May 2012, became the first such law passed in the nation — contains limited carve-outs, including permitting an employer to: (1) require the disclosure of certain employee user name and passwords for accounts that “provide access to the employer’s internal computer or information systems” and (2) conduct an investigation, “based on the receipt of information . . . for the purpose of ensuring compliance with applicable securities or financial law, or regulatory requirement.”  These carve-outs are far too limited, however, to allow a broker-dealer to be sure FINRA will agree that it is satisfying its ongoing monitoring and supervision obligations with respect to social media sites.
The Illinois law — signed into law in mid-2012 — allows employers to obtain employee or prospective employee social media information that is “in the public domain.  Although access to publicly available activity on social media sites might be useful for broker-dealers in monitoring and supervising at least some of their associated persons’ online activity, full compliance with FINRA’s rules — namely, monitoring and supervising non-public social media communications — would still remain potentially at conflict with state law.
III. Michigan’s Internet Privacy Protection Act
The Michigan Act is the first of the social medial privacy laws that includes a carve-out that would allow securities firms to comply with applicable FINRA and SEC rules with certainty. Similar to the general prohibition either enacted or proposed in other states, under the Michigan Act an employer shall not:
(a) Request an employee or an applicant for employment to grant access to, allow observation of, or disclose information that allows access to or observation of the employee’s or applicant’s personal internet account. 
(b) Discharge, discipline, fail to hire, or otherwise penalize an employee or applicant for employment for failure to grant access to, allow observation of, or disclose information that allows access to or observation of the employee’s or applicant’s personal internet account. 
The Michigan Act includes an exception for an employer investigation initiated based on information relating to an employee’s social media activity.  But unlike in the Illinois, Maryland, or California social media privacy laws, the Michigan Act includes a specific carve-out that extends to securities firms:
2) This act does not prohibit or restrict an employer from complying with a duty to screen employees or applicants prior to hiring or to monitor or retain employee communications that is established under federal law or by a self-regulatory organization, as defined in section 3(a)(26) of the securities and exchange act of 1934, 15 USC 78c(a)(26).
While this language is not identical to the language FINRA and SIFMA proposed in connection with the California law, it would appear to accomplish the same purpose.
IV. Proposed Social Media Privacy Laws: Will the Michigan Act Spark a Trend?
Unfortunately for broker-dealers, the majority of the pending state social media privacy laws do not contain an exemption for compliance with FINRA rules. Indeed, only two states — Delaware and Colorado — have proposed social media privacy laws that include an exemption similar to Michigan’s. Delaware’s proposed law provides:
This Act shall not prohibit employers in the financial services industry, who are subject to the laws and regulations of the SEC, FINRA, or other financial regulators, from conducting internal investigations into employee wrongdoing, complying with the supervision requirements of the SEC, FINRA or other financial regulators, or achieving waiver of the personal communications protections in employment contracts. 
While Delaware’s proposed exemption language appears broad enough to allow full compliance, it is less clear whether Colorado’s proposal goes as far.  Although Colorado’s proposal allows an exception to the general prohibition for “compliance with applicable securities or financial law or regulatory requirements,” it is limited to the employer “conducting an investigation . . . based on the receipt of information” that the employee is using social media “for business purposes.” This would appear potentially to limit the circumstances in which a broker-dealer can monitor and supervise its associated persons’ social media use on a routine basis, as FINRA rules require.
The pending laws in the remaining states do not contain a provision specifically allowing for broker-dealer compliance with FINRA rules. At most, these states provide for the limited exceptions to the general rule as found in the laws of Illinois and Maryland. 
The Michigan Act is a positive step forward for broker-dealer compliance with FINRA’s rules. Whether this development will spark a trend toward greater compatibility of social media protection laws with financial services industry compliance requirements remains to be seen. As more states propose social media privacy laws, and as pending state legislation moves through the legislative process, the Michigan Act may stand as an exemplar of balancing the privacy concerns of employees with the obligations of broker-dealers to comply with well-established FINRA rules.
Until clarity is provided on a state-by-state basis, broker-dealers may want to maintain — or implement, if none exists — a policy prohibiting employees’ use of social media for business purposes. In addition, firms should appoint a social media representative to monitor developments in the law and implement firm policies accordingly.