Lighting the way...

My Account




November/December 2012

Locked out...Strategies for complying with the Facebook Password Law
by Jackie Wernz

Jackie Wernz is an attorney with Franczek Radelet in Chicago and the author of Education Law Insights, an education law blog for school leaders at

Beginning January 1, 2013, a new Illinois law will limit the right of school districts and other employers to demand access to employee social networking accounts. This “Facebook Password Law” arose from good intentions but will have unintended consequences for employers, including public schools.

On August 1, 2012, Illinois became the second state to prohibit employers from requesting social networking passwords from current or prospective employees. On the House floor, Representative Mike Fortner explained the law would resolve a conflict between employer requests and the policies of websites like Facebook, which prohibit users from releasing their passwords to any third party.

Media reports suggested the law was a response to an uptick in requests for social networking passwords during job interviews, which many consider to violate privacy rights.

However laudable the intention, the final bill signed by Governor Pat Quinn went much further. Public Act 097-0875, which amends Illinois Code provision 820 ILCS 55/10, prohibits, with some exceptions, two types of employer conduct:

• Employer “requests” or “requirements” that an employee or prospective employee provide a password or other account information to allow the employer access to the employee’s or prospective employee’s social networking account or profile; and

• Employer demands for access “in any manner” to an employee’s or prospective employee’s social networking account or profile.

The Facebook Password Law thus addresses both current and potential employees. The prohibition against demanding access “in any manner” could go further than just prohibiting demands for passwords or account information to include asking for copies of information from within a password protected social networking account.  

The broad Facebook Password Law likely will have important unforeseen effects for employers like public school districts. The following are just a few potential consequences:

Investigations: Inappropriate employee communications with students, staff and other community members commonly occur through social networks, which foster personal communication even in otherwise professional relationships. School districts must thoroughly investigate allegations of such misconduct or risk liability.

Yet the Facebook Password Law contains no exceptions for even the most serious instances of workplace misconduct involving social networks. The law thus arguably could prevent a school district employer from obtaining offending messages or other content from a social networking website, which are perhaps the most relevant and decisive pieces of evidence in such an investigation.

In a dispute between employees, the law would even prevent a school district from asking a victim for a copy of an offending or inappropriate communication, let alone account access.

Open access laws: School districts must respond to requests for information under a number of open access laws: the Illinois Freedom of Information Act (FOIA); the Illinois Personnel Records Review Act (PRRA); the Illinois School Student Records Act (ISSRA); and Federal Educational Rights and Privacy Act (FERPA). These laws contain limitations providing that school districts must only provide records that they possess or control.

Yet, electronic records — even on a district employee’s personal social networking account — might be subject to these access laws.

For example, the Illinois Attorney General recently held that records generated on a public official’s personal electronic device or email account at a public meeting are “public records” subject to a FOIA request. While its limitations are unclear, this opinion conceivably could reach records that the Facebook Password Law, to the contrary, places outside school districts’ reach.

The same reasoning could also be applied to other public access statutes. As a result, school districts may find themselves in a Catch-22, required to provide records from an employee’s social networking account in response to a request, but prohibited by the Facebook Password Law from attempting to access them.

Litigation requests: In litigation, parties may demand documents from the other side to better make their case. These documents may, and increasingly do, include evidence from social networking websites.

For instance, one discovery consultant found 689 public court cases from 2010 and 2011 in which social media evidence played a significant role. While a school district reasonably may expect its adversary to seek evidence about an employee’s social networking website, the Facebook Password Law would prevent the school district from complying with this request. Courts can issue sanctions to parties who unreasonably fail to respond to discovery requests.

How to respond

In light of these uncertainties, school leaders may wonder how to respond.

First, school districts should revise any technology policies, procedures and guidelines regarding language suggesting that administrators may request or demand access to an employee’s social networking account or information found on such an account. This includes explicit language stating that administrators can demand or ask for access to such websites in an investigation, but also language suggesting that employees do not have an expectation of privacy when using personal social networking accounts for school-related purposes.

Such language should not be removed completely. The Facebook Password Law does not apply to other types of personal technology through which employees may conduct school-related business, such as personal e-mail or text messages on a personal phone. Therefore, governance documents should provide for access in those situations — but must not refer to social networking accounts.

 School boards also should provide training for administrators and other key personnel on the limitations of the new law. School districts should then consider the following steps to minimize the Facebook Password Law’s effect on their operations:

Back to basics

The new Facebook Password Law may limit access to one type of evidence in employee misconduct investigations, but it should not cripple those investigations. More traditional methods of investigation do not require asking an employee for social network account access and so do not violate the law.

Consider this hypothetical: A school board member receives a telephone call from the mother of a female student. The mother says that her student is having an illicit relationship with a male teacher, which allegedly has been occurring online, through private messages on the student’s and teacher’s password protected Twitter accounts.

What can the school district do, and what does the Facebook Password Law prohibit? Asking for any messages between the teacher and the student would likely violate the new law. But the Facebook Password Law does not prevent the school district from:

• Interviewing the teacher. The new law does not limit asking an employee about his social networking account.

• Looking for publicly available online material. Perhaps the teacher has a publicly accessible Facebook account with numerous postings by the student on the teacher’s “wall.”

• Demanding access to relevant e-mail, text message, and instant message accounts if district policy or procedure allows it and there is reason to believe that illicit communication occurred through those accounts.

• Obtaining relevant documents in possession of any law enforcement agency. The police are not limited by the Facebook Password Law, and may have copies of the offending messages. Requests can be made formally through FOIA or informally through relationships with local law enforcement officials.

• Determining if any other party can provide a copy of the message. If the student allows access to her social networking account, there is no violation of the law, even if the school district asks the student or parent for access to the student’s account.

• Interviewing witnesses to obtain their description of what the messages contained. Perhaps the mother saw a glimpse of a message and can report the content. Perhaps the student is willing to provide a statement about the content of the message or other details about the relationship.

No matter what, school districts should not hide behind the Facebook Password Law as an excuse to fail to conduct a thorough and prompt investigation.

Lower expectations

Although a school district cannot avoid a conflict between the Facebook Password Law and open access laws and discovery requests it may receive, it can set expectations early to avoid surprise later.

For example, the Illinois FOIA contains an exemption for records the release of which would violate state law, and FOIA procedures and response letters can include language making clear that information covered by the Facebook Password Law will not be released for that reason. Similarly, district counsel should discuss early on with opposing counsel the court limitations that it will face in producing relevant evidence in light of the Facebook Password Law.

Shut ’ em down

Perhaps the most difficult decision the new law foists on school boards is whether to strictly limit an employee’s ability to communicate with students through social networking websites. Educators commonly point to the benefits of communicating with students through social networking websites. Yet the risks for the school district could be great if employees are allowed to use such methods of communication without any employer supervision.

School districts may wish to revise employee communication policies, procedures or guidelines to prohibit use of social networking websites to communicate on school-related business. The school district can discipline an employee who chooses to violate that prohibition even without knowledge of the specific content of the message. This move may not be popular, but it would limit a district’s exposure.

Even if the legislature adds reasonable exceptions for the Facebook Password Law, school districts should prepare for its implementation. Although preparation will not completely remove the hurdles created by the Facebook Password Law for school districts, districts can at least minimize some of the impact of the law on school district operations.

Table of Contents


Mandatory Board Training
Click on Banner for More Information

Although the IASB Web site strives to provide accurate and authoritative information, the Illinois Association of School Boards does not guarantee or warrantee the accuracy or quality of information contained herein.

Copyright 1999-2017 by the Illinois Association of School Boards. All rights reserved.
IASB Privacy Policy Statement