The Law and Business of Social Media
May 29, 2012 - Privacy, Employment Law

Maryland Enacts First Law Prohibiting Employers From Requesting Passwords to Employees’ Online Personal Accounts

In our recent Socially Aware blog post, we noted that a number of pending state bills are seeking to ban employers from requesting confidential login information, including social media login information, as a condition of employment.  In fact, on April 9, 2012, Maryland passed Senate Bill 433/HB 964, prohibiting employers from requesting current and prospective employees’ passwords to online personal accounts, such as Facebook, Twitter, LinkedIn, and personal email accounts.  The new statute, which goes into effect on October 1, 2012, applies to “employers” – broadly defined as any person engaged in a business, industry, profession, trade, or other enterprise in Maryland, as well as units of Maryland state and local government – and their respective representatives and designees, and even employers that are based outside Maryland but that have employees located in Maryland will need to comply with the statute.

When it goes into effect, Maryland’s new law will prohibit covered employers from:

  • Requesting or requiring an employee or applicant to disclose his or her user name, password, or any other means of accessing a personal account or service through computers, telephones, PDAs, and similar devices;
  • Taking disciplinary action against employees for their refusal to disclose certain password and related information; and
  • Threatening to take disciplinary action against employees for their refusal to disclose such information.

However, employers are not entirely prohibited from accessing employees’ personal accounts.  Under certain circumstances, Maryland’s new law will allow employers to access employees’ personal accounts in order to investigate the following (in each case, only if the employer has received information regarding such conduct):

  • Whether an employee is complying with securities or financial laws or regulatory requirements, if the employee is using a personal website, Internet website, web-based account or similar account for business purposes; or
  • An employee’s actions regarding his or her downloading of the employer’s proprietary information or financial data to a personal website, Internet website or web-based account.

The Maryland bill gained support after a resident of the state, Robert Collins, made headlines when he was asked to disclose his Facebook password to be recertified as a correctional officer with the Maryland Department of Public Safety and Correctional Services. Reportedly, the department had a practice of reviewing applicants’ social media profiles to ensure that they were not engaged in any illegal activities and, believing he had no other option, Collins disclosed his Facebook username and password to his interviewer for the correctional officer position.

The Maryland statute is an illustration of the growing opposition to requiring current or potential employees to disclose their personal account passwords.  Similar incidents of employers requesting access to their current and prospective employees’ accounts have surfaced around the United States, with some employers taking disciplinary action for employees’ refusal to disclose password information.  As a result, Facebook, as well as privacy advocates, have publicly opposed the growing practice of employers requesting access to employees’ social media profiles.  U.S. Senators Richard Blumenthal and Charles Schumer have also sent letters to both the U.S. Department of Justice, asking it to investigate whether this practice violates the Stored Communication Act or the Computer Fraud and Abuse Act, and the U.S. Equal Employment Opportunity Commission, asking that agency to opine whether the practice violates existing anti-discrimination laws.

In parallel with this widespread opposition, other states may be following Maryland’s lead by enacting legislation that clarifies employees’ expectation of privacy in their online profiles.  As noted previously, bills similar to the Maryland statute have been introduced in California, Illinois, Massachusetts, Michigan, Minnesota, New Jersey, and Washington.  Moreover, federal law may soon prohibit employers from requesting employees’ social media passwords.  On April 27, 2012, Congressman Eliot Engel (D-NY) proposed H.R. 5050, the Social Networking Online Protection Act, or “SNOPA,” in the United States House of Representatives.  If passed, this bill would impose a nationwide ban on the practice of employers requiring or requesting access to their employees’ online personal accounts.  Like the newMaryland law, H.R. 5050 broadly defines employers who are covered under the law – for purposes of the bill, “employer” includes “any person acting directly or indirectly in the interest of an employer in relation to an employee or an applicant for employment.”  The House bill, which prohibits institutions of higher learning and local educational agencies from requesting the passwords of students or prospective students, is even broader in scope than the new Maryland law.

Shortly after H.R. 5050 was introduced, on May 9, 2012, Senators Richard Blumenthal (D-CT), Chuck Schumer (D-NY), Ron Wyden (D-OR), Jeanne Shaheen (D-NH), and Amy Klobuchar (D-MN) introduced the Password Protection Act of 2012  (S.B. S. 3074) (“PPA”) in the Senate, and Congressmen Heinrich (D-NM) and Perlmutter (D-CO) introduced a parallel bill in the House. The PPA would amend the Computer Fraud and Abuse Act and prohibit employers from requiring or requesting access to employees’ online personal accounts or password-protected computers, provided that such computers are not the employer’s computers.  The PPA would also prohibit employers from taking adverse actions against employees for refusing to disclose such passwords and, under the PPA, employees would be eligible to receive compensatory damages and injunctive relief if their employers were found to have violated the Act.

Even in the absence of statutory authority prohibiting employers from requesting access to current and future employees’ social media profiles, employers should exercise caution when seeking access to employees’ or prospective employees’ social media accounts.  For example, although a job applicant’s social media profile may be publicly available, when viewing the applicant’s profile, a potential employer may learn information that would otherwise remain undisclosed in the application process, such as an applicant’s membership in a protected class (we noted this issue with respect to current employees’ social media profiles back in November 2011). Employers can minimize their exposure to claims of discriminatory hiring practices by refraining from viewing applicants’ online profiles during the application process.  For this and other reasons, employers – whether in Maryland or elsewhere – are urged to carefully consider potential legal risks when instituting policies related to accessing their current and prospective employees’ online personal accounts.