May 31, 2012

New Laws May Restrict Employers from Requesting Social Media Account Log-Ins

Maryland recently became the first state to expressly prohibit an employer from requesting or requiring that an employee or job applicant disclose personal social media account log-in information. The law was enacted after media reports revealed that the Maryland Department of Corrections asked job applicants to hand over their Facebook usernames and passwords. Several other states have introduced similar legislation, and representatives from New York and Illinois introduced federal legislation to prohibit potential employers and schools from requiring access to individuals’ private social media accounts.

Maryland’s User Name and Password Privacy and Exclusion Law

The User Name and Password Privacy and Exclusion bill passed both the Maryland House and Senate by wide margins and was signed into law on May 2. It will take effect on October 1. The law prohibits employers who do business in the state of Maryland from requesting a user name, password or any other means of accessing a personal account or service through an electronic communications device, including social media accounts. It also prohibits employers from penalizing or threatening an employee or job applicant if the employee refuses to disclose this information.

The law also appears to prohibit employer monitoring of password-protected online accounts by requiring an employee to log in to the account so that the employer may see the content, asking for printouts of account content or requiring that the employee “friend” another employee or allow the employer to “follow” the employee.

To protect employers, the law prohibits employees from downloading financial or proprietary information of the employer to a personal account without authorization and allows an employer to investigate reports that an employee is using a personal account for these or other business purposes. The law does not, however, provide guidance on how such an investigation may be carried out. Furthermore, an employer may require an employee to disclose the means to access a nonpersonal account or service that provides access to the employer’s internal computer or information systems

Other State Laws

Although Maryland is the first state to pass a law explicitly banning employers from collecting log-in information for employees’ password-protected accounts, similar measures are pending in California, Delaware, Illinois, Massachusetts, Michigan, Minnesota, South Carolina and Washington. Illinois is closest to enacting legislation with its Right to Privacy in the Workplace Act which prohibits an employer from demanding, in any way, access to an employee or prospective employee’s social networking account or profile. The bill passed the Illinois Legislature overwhelmingly and requires only the governor’s signature to become law.

Social Networking Online Protection Act and Other Federal Developments

Although it is not clear how many employers have been seeking personal online account credentials, concerns over the practice have garnered national attention as well. On April 27, Representatives Eliot Engel (D-NY) and Jan Schakowsky (D-IL) introduced the Social Networking Online Protection Act  (“SNOPA”) which calls for federal legislation to prevent employers and schools from requiring access to online content on any social networking website. If passed, the legislation would make it unlawful for any employer:
  • to require or request an employee or job applicant to provide the employer with a user name, password or any other means for accessing a private email account of the employee or applicant or the personal account of the employee or applicant on any social networking website; or
  • to discharge, discipline or deny employment or promotion to, any employee or job applicant if he or she refuses to provide such information or files a complaint under SNOPA or testifies in a proceeding regarding SNOPA.
These constraints would also apply to schools from kindergarten through university level and the bill allows for civil remedies of up to $10,000.

The federal bill follows requests in late March by U.S. Senators Chuck Schumer (D-NY) and Richard Blumenthal (D-CT) for the Justice Department and the Equal Opportunity Commission to investigate whether requesting social media log-in credentials during job interviews violates federal law, specifically the Stored Communications Act (“SCA”) or the Computer Fraud and Abuse Act. The SCA prohibits access to electronic communication without user authorization and recent case law suggests that an employer may violate the SCA by requesting and receiving password information from an employee who feels coerced into providing that information.

Implications for Employers

Consumers seem particularly troubled by reports of employers requiring access to personal, password-protected online information, as shown by the recently adopted and introduced state and federal legislation and the many news articles about such practices. Before asking for account information, employers should be aware of state and federal legal developments. Asking for log-in credentials may also violate the terms of use of some services. Facebook, for example, prohibits both an employer and an employee from sharing personal account information or accessing an account belonging to another person, and doing so in violation of the terms may violate federal law.