Everyday, things are getting more and more complicated out there for employers. As you may recall (indeed, how could you forget?), earlier this year the media shined a bright spotlight on a small number of employers (and I truly mean just a small few) who were reportedly asking for social media passwords from job seekers, or were asking applicants to allow them to “shoulder-surfing” during an interview. The media went crazy. Employees cried “Invasion of privacy!” Even Facebook’s Chief Privacy Officer, Erin Egan, issued a statement titled “Protecting Your Passwords and Your Privacy” that warned employers to not engage require passwords from applicants and employees. And, most everyone with any form of social media account declared that they “would never work for a company who demands that information.” Unfortunately for employers, the few employers who actually engaged in this practice are the bad apples threatening to spoil the entire apple cart.
In April, I highlighted the dangers of using social media in the hiring process. I explained why an employer’s practice of requiring login credentials from prospective employees is ill-advised (most notably because it can lead to claims of discrimination, among other legal issues, and because it can lower morale and lead to the loss of talented job applicants and employes). But with the media spotlight still burning on the outrage most people felt about giving up passwords to Facebook and other social media networks, lawmakers were quick to jump on the chance to sponsor new law. As each piece of proposed legislation is rushed out by state and federal lawmakers, and signed into law, employers, particularly multi-state employers, likely will face a complex web of new laws. A practice allowed in Maryland, may not be allowed in Illinois, and other states may create nuances of their own as well. I will not turn this post into an editorial piece, but suffice to say, it is my opinion that these new laws are making a mountain out of a molehill, and worse, are prohibiting legitimate business reasons why an employer may need to analyze its employee’s social media content.
The Floodgates Have Opened: On May, 2, 2012, Governor Martin O’Malley of Maryland approved Maryland Senate Bill 433, a Maryland law now known as “Labor and Employment – User Name and Password Privacy Protection and Exclusions Act.“ This new law becomes effective October 1, 2012. While Maryland was the first state, at least twelve (12) other state legislatures have introduced bills, and similar legislation have been introduced in both houses of the U.S. Congress.
Generally, Maryland’s new law restricts employers from seeking login credentials from applicants and employees. Specifically, an employer in Maryland may not:
(1) request or require that an employee or applicant disclose any user name, password, or other means for accessing a personal account or service through an electronic communications device;
(2) discharge, discipline, or otherwise penalize or threaten to discharge, discipline, or otherwise penalize an employee for an employee’s refusal to disclose any information specified in (1) above; and
(3) fail or refuse to hire any applicant as a result of the applicant’s refusal to disclose any information specified in (1) above.
Importantly, this means, under (1) above, that the law prevents an employer from seeking not just personal social media login credentials, but also other “personal account” credentials, ranging from things like e-mail account information, to ebay, to itunes, to bank accounts. This is overly broad, but hopefully, no employer is seeking these other forms of personal account credentials anyway.
The good news for Maryland employers is that the law attempts to protect employers to a small degree. Notably, the law prohibits an employee from downloading “unauthorized employer proprietary information or financial data to an employee’s personal web site, an internet web site, a web-based account, or a similar account.” Also, an employer may conduct “an investigation for the purpose of ensuring compliance with applicable securities or financial law, or regulatory requirements” and an investigation as to whether the employee downloaded unauthorized proprietary information or financial data. These investigations, however, may only be “based on the receipt of information about the use of a personal web site, internet web site, web-based account, or similar account by an employee for business purposes. The bad news is that employers seem to be prohibited from gaining access to these accounts for other legitimate business reasons. For example, what happens if an employee posts on his personal Facebook page a status update like “I hate my manager; I want him to die,” or other offensive or discriminatory remarks and a co-worker reads such messages. If the co-worker reports such messages to the employer, the employer will be unable to access directly those comments that give rise to legitimate concerns of workplace violence, discrimination, and harassment. Instead, the employer can only hope that the co-worker prints out such messages and takes the initiative to report them.
Other State and Federal Laws On The Horizon: Illinois appears to be the next state close to passing a similar law. The Illinois law would amend the Illinois “Right to Privacy in the Workplace Act. The proposed law is now waiting for Governor Pat Quinn‘s action. A full analysis of the Illinois bill is beyond the scope of this post, but like the Maryland law, it prohibits an employer from “request[ing] or require[ing] any employee or prospective employee to provide any password or other related account information in order to gain access to the employee’s or prospective employee’s account or profile on a social networking website.” Additionally, employers would not be allowed to “demand access in any manner to an employee’s or prospective employee’s account or profile on a social networking website.”
The Illinois law, however, is even more problematic for employers than the Maryland version. Unlike the Maryland law, the Illinois bill does not have any exceptions to these prohibitions. None.
Other states are likely to pass their versions shortly, including California, Delaware, Massachusetts, Michigan, Minnesota, Missouri, New Jersey, New York, Ohio, South Carolina and Washington. And, both houses of the U.S. Congress introduced bills on this subject (Senate: Password Protection Act of 2012; House: Social Networking Online Protection Act). Each state and federal law/bill is different, prohibit different activities, and go beyond just limiting access to social media passwords (by prohibiting access to other personal accounts, emails, etc.). Moreover, some apply to employers, others apply to employers and universities, and some spell out specific fines/penalties, while others do not.
No matter which state enacts a law, or what happens with the U.S. Congress, employers are the victims of just a few ill-advised employers that engaged in a limited practice that fueled national news cycles. Requiring passwords to personal accounts has never been a good idea – and now, it is becoming illegal. Fortunately, most employers do not engage in that practice, and thus, are already compliant with that portion of any legislation prohibiting such conduct passed by any state or the federal government. Unfortunately, there are serious situations where employers have legitimate reasons to investigate an employee’s online social media activity, and most of these new laws are making it illegal, or at the very least, very difficult for employers to take appropriate action when private/confidential/trade secret and/or harassing, threatening and violent content is posted by an employee. Furthermore, multi-state employers will need to monitor the law of each state in which they have employees because each state law is bound to be different.
Indeed, what started as a molehill, has become a mountain, and employers are just beginning the climb towards this summit.
Information provided on this website is not legal advice, nor should you act on anything stated in this article without conferring with the Author or other legal counsel regarding your specific situation.