Social networks: Not just for kids. Unlike its college-campus origins, Facebook is now the second most-popular site for professional networking, after LinkedIn. So said Anthony Zaller and Brian Van Vleck, partners in Los Angeles employment law firm Van Vleck Turner & Zaller. MySpace, by contrast, remains primarily a social site. And Google, founded in 1996, is the second most-visited site in the world. The lawyers refer to such sites collectively as Web 2.0. HR professionals use them, both to check the backgrounds of candidates and employees and to identify possible candidates for recruitment. In a Vault survey last year, 44 percent of employers reported checking applicants' backgrounds on social sites, and 39 percent said they had searched an existing employee.

But are there pitfalls to such searches? One aspect you might not suspect is the sites' own terms of service: Facebook, MySpace, and others prohibit their use for "commercial purposes," which includes personnel screening. However, say Zaller and Van Vleck, the courts have not yet taken such terms of service very seriously, so they don't present a big barrier for employers.

What are the real risks? The biggest drawback to such searches is what Zaller says his kids call "TMI," for too much information, about a candidate. You might learn something that falls outside the Equal Employment Opportunity's guidelines for appropriate interview questions, such as an individual's physical disability, religion, or sexual orientation. And, to ensure that you don't rely on prohibited information for hiring decisions, you're better off not knowing it in the first place.

Zaller and Van Vleck also urge you to check your own state's laws regarding candidate information searches. New York and California laws, the attorneys point out, specifically bar employers from responding in any way to employees' off-duty conduct. But other complaints might be brought for public policy violations, such as state common law privacy provisions, especially that of "intrusion upon seclusion." In theory, people who create personal web pages or profiles on social networking sites should know that the information they post is public, so they can't claim a 'reasonable expectation of privacy' regarding that information. But suppose it's fairly deeply buried in a Facebook user's profile, and you access it because you've learned your way around the site. The candidate might succeed with a claim of intrusion upon seclusion.

Here are two instructive cases. Zaller and Van Vleck admit that there haven't yet been any court cases involving personal information obtained from websites, but they're convinced it won't be long before one comes up. They do point to two recent cases involving privacy that illustrate some of the risks. One suit was brought in 1999 by a group of current and former K-Mart distribution center employees. Management had hired two private investigators to pose as employees and monitor operations for theft, drug use, and safety violations. But the investigators gathered a load of personal information about center employees, including their marital problems, sexual exploits, and future career intentions--and shared it all with K-Mart management. The employees charged intrusion upon their seclusion and convinced a state appeals court they had a case.

The other incident also involved an investigation. You may remember that Hewlett-Packard (HP) directors believed someone on the board was leaking proprietary information to the news media and determined to identify the leaker. In the process, however, investigators contacted telephone companies, posing as the individuals being investigated, and obtained copies of those people's personal call records. They found the leaker, all right, but they also got HP into massive trouble, which led to a criminal charge from California's attorney general and the resignations of three HP senior managers.

These cases featured impersonation, which Zaller and Van Vleck say is a no-no for HR: If you must use a false identity, don't do the search. And pretense raises another point: Don't believe everything you read about someone on a networking site, because impersonators can be out there posting false information about other people. If you conduct searches yourself, they are not covered by the federal Fair Credit Reporting Act--but it's a good idea to warn candidates and employees that you have the right to search what individuals post on the web about themselves. Should you do such searches? Yes, say Zaller and Van Vleck: If you don't check negative information that is publicly available about an individual, hire him or her, and the person later harms someone at your workplace, you could be liable for negligent hiring.