As the new year approaches, we recommend employers take the time to review some key employment policies that can mitigate litigation risk. Two areas in particular to review are diversity, equity, and inclusion (“DEI”) training materials and your social media privacy policies, which limit employers’ access to their employees’ accounts. In this article, we highlight key considerations when reviewing these policies.
DEI training may expose you to litigation risk.
In September 2025, the U.S. Court of Appeals for the Second Circuit issued a decision that serves as a warning for all employers to review their employee training on DEI and implicit bias. DEI or implicit bias trainings remain lawful and good practice for employers. However, how employers implement and manage those trainings matters. In Chislett v. New York City Department of Education, the Second Circuit held that a jury could find that the employer’s DEI and implicit bias trainings and subsequent workplace conduct created a racially hostile environment for a white employee. The employee in Chislett pointed to training content that described “white culture” in negative, essentialist terms; exercises that physically sorted employees by “privilege”; and repeated accusations by colleagues that her management actions reflected “white privilege” or “white supremacy.” She complained repeatedly to supervisors and through counsel about the trainings, but management failed to intervene. Although the employer in that case was a public employer, the court’s hostile work environment analysis applies equally to private employers.
The case serves as a warning that in such trainings, employers should avoid repeatedly emphasizing negative racial stereotypes and singling out employees based on race. Training content should never repeatedly stereotype a racial group. For public employers, the opinion highlights potential Section 1983 exposure via Monell where leadership’s inaction amounts to a policy or custom.
We recommend employers review your training materials and scripts to align polices with these best practices:
- Avoid stereotyping in training content. DEI and bias programs should not ascribe negative, deterministic traits to any racial group or label ordinary workplace behaviors as racialized pathologies.
- Refresh materials and training protocols to emphasize inclusion without stereotyping, and consider periodic external legal reviews of higher-risk content and practices.
- Avoid training exercises that physically segregate employees by race or “privilege” or otherwise single out employees based on protected characteristics.
- Exercise robust oversight of your training team and make sure they understand the risks associated with improper content in trainings.
- Moderate discussions in trainings to prevent personal targeting, shaming, or group-based stereotyping.
- Maintain guardrails by establishing and enforcing participation ground rules that prohibit harassment or derogatory generalizations about any protected group.
- Train supervisors and managers to promptly intervene in real time if discussions turn hostile and document interventions.
- Ensure your company has safe avenues for employees to raise concerns about training content or workplace interactions.
- When a concern is raised about training content or workplace interactions, acknowledge it, investigate the matter, and respond promptly. Document steps taken and any remedial actions.
- Provide guidance on handling post-training conflict, including how to address “race-coded” accusations directed at performance management or routine supervisory decisions.
- Reinforce that all employees are entitled to a workplace free of harassment, including harassment based on race, regardless of the employee’s racial identity.
Your policy and practices for accessing employees’ personal accounts must comply with your state’s social media privacy laws.
Another area ripe for liability is employers’ policies on this access to employees’ private social media accounts. Employees are increasingly fluent in social media, and many turn to posting about their workplaces online. It is a good idea to have policies about employees’ social media conduct, and in creating those policies, employers should familiarize themselves with their state’s laws, which may limit employers’ access to employees’ social media.
In New York, for example, Labor Law § 201‑I prohibits employers from requesting or requiring employees or applicants to disclose usernames, passwords, or other credentials to social media accounts that are used exclusively for personal purposes. You can read more about the Employee Personal Account Information Law in our September 2023 New York Labor Law alert. Connecticut and Illinois have similar laws, which prohibit employers from requiring (or in some cases, requesting) that an employee or applicant provide access to their personal online account(s) or provide their login credentials to their employer; authenticate or access a personal online account in the presence of such employer; or invite such employer or accept an invitation from the employer to join a group affiliated with any personal online account of the employee or applicant. See Conn. Gen. Stat. § 31-40x. (2024); 820 ILCS 55/1 et seq. Likewise, New Hampshire prohibits employers from requesting or requiring that an employee or prospective employee disclose their login information for personal accounts, grant them access to the accounts, or reduce the accounts’ privacy settings to allow a third party to view the contents of the account. See NH RSA 275:74. Under each of these laws, employers may not discipline, threaten, discharge, or refuse to hire based on an individual’s refusal to provide their employer with credentials for personal accounts.
Employers in Rhode Island are likely familiar with their state’s employee social media privacy law, which has been in effect for over a decade. Similar to the New York law, Rhode Island’s law prohibits employers from (1) requiring job applicants or employees to disclose their social media passwords or from requiring applicants or employees to access their accounts while in their employer’s presence; (2) requiring employees or applicants to add individuals to access their accounts or change the settings on social media accounts so the content is publicly available; and (3) discharging, disciplining, or otherwise penalizing any employee for refusing to provide access to their private social media accounts (and from threatening to do so).
Other states, such as Massachusetts, do not have any such laws specifically banning employers from asking for social media access. However, it may still be in the company’s best interest to implement policies geared at limiting their access to employees’ personal accounts.
The social media privacy laws include exceptions. In New York, Connecticut, Illinois, New Hampshire, and Rhode Island, employers can require credentials for employees’ business accounts and systems. Employers can also rely on content voluntarily provided by third parties (e.g., screenshots from someone who already has access to the content) when investigating employee misconduct. Rhode Island has a broader exception, allowing employers to require their employees to provide access to social media accounts and content when reasonably necessary to investigate workplace misconduct or to address a work-related violation of any statute or regulation. Similarly, if a New Hampshire employer receives notice of employee misconduct based on information about activity on an employee’s personal account, the employer may require the employee’s cooperation in its investigation to share only the content that has been received by the employer.
In addition, the laws do not shield employees who engage in unlawful conduct or conduct that violates employees’ policies online. Employers can enforce neutral rules protecting confidentiality, intellectual property (“IP”), safety, and anti‑harassment/anti‑discrimination standards. Employers may also rely on public content or evidence voluntarily provided by third parties during investigations. As with all policies, it is important to apply the policy consistently and carefully document employer action.
As employers review social media policies and investigation protocols, we recommend prioritizing these updates:
- Define the boundaries of what you will access as the employer by distinguishing between personal and business accounts.
- State in your policy that the company will not request personal credentials, but may require credentials for business accounts and systems.
- Clarify that the company may use public information and content voluntarily provided by third parties, and prohibit any practice that coerces access to personal accounts.
- Prohibit disclosure of confidential or proprietary information on any platform.
- Provide examples in your business’s social media guidelines of prohibited conduct (e.g., harassment, threats, discriminatory statements, disclosure of confidential information) while avoiding rules that chill protected concerted activity or whistleblowing.
- Confirm your investigation procedures rely exclusively on permissible evidence.
- Train HR, managers, and recruiters on hiring and investigation do’s and don’ts under your state’s applicable laws.
Finally, multi-state employers should review social media laws in every state where they have employees and harmonize policies accordingly.
Bottom Line
Taking time to review your employment policies and practices can help mitigate the risk of employee lawsuits. DEI and implicit bias efforts remain lawful and important. In developing them, it is equally important to ensure that these programs do not devolve into repeated negative characterizations of any racial group or invite hostile workplace conduct. Likewise, employers should review and update their social media policies to align with all state and local legislation. In addition, it is important to train stakeholders and review investigation protocol to ensure alignment with policies to avoid requests for personal credentials while enforcing neutral rules that protect confidentiality, safety, and a harassment‑free workplace.
