By: Daniele E. Herndon and John J. Matteo
Client Alert: New Maryland Law Bans Employer Access to Employee's Personal Social Media, Email Accounts
On May 2, 2012, Maryland became the first state in the nation to ban employers from requesting usernames and passwords for the personal email and social media accounts of current employees and applicants.
An employee of the state's Department of Corrections contacted the American Civil Liberties Union after being asked for his Facebook password in connection with a job recertification process, and it was not long before the issue "went viral," spawning a swell of media coverage, public outcry, and legislation.
WHAT does the Maryland Law restrict?
The Maryland User Name and Password Privacy Protection Act (SB 433/HB 964), prohibits an employer from requesting or requiring "that an employee or applicant disclose any user name, password, or other means for accessing a personal account or service" such as Facebook, LinkedIn, Twitter, Tumblr, or Gmail.
Employers may not "discharge, discipline, or otherwise penalize" employees for refusing to disclose their usernames and passwords for any accounts accessed through a computer, telephone, or other electronic communications device. Further, employers may not forgo hiring an applicant because he or she refuses to provide such information.
It is important to note, however, that the new law only restricts employers' access to employees' and applicants' personal accounts; employers may require employees to provide their usernames and passwords for any work-related accounts.
Further, the new law makes it illegal for an employee to download unauthorized employer proprietary information or financial data to an employee's personal web site, an internet web site, a web–based account, or a similar account.
WHO is affected?
All employers engaged in "a business, an industry, a profession, a trade, or other enterprise" in the state of Maryland, as well as state and local governments, must comply with the law.
WHEN does the law take effect?
The Maryland User Name and Password Privacy Protection Act takes effect October 1, 2012.
WHERE are personal accounts protected?
While Maryland is the first state to enact a law concerning employees' social media privacy, similar legislation is pending in at least 12 other states1. United States Representatives Eliot Engel (D-N.Y.) and Jan Schakowsky (D-Ill.), introduced a federal bill (H.R. 5050) on April 27. Following suit, on May 9 Senate Democrats Richard Blumenthal (D-Conn.), Chuck Schumer (D-N.Y.), Ron Wyden (D-Ore.), Jeanne Shaheen (D-N.H.), and Amy Klobuchar (D-Minn.) introduced the Password Protection Act Of 2012 (PDF).
WHY should employers be mindful of the new law?
While the Maryland law does not set forth express penalties for employers who ask employees and applicants for their social media usernames and passwords, there are a number of other reasons why employers should avoid this practice. For example, an employer could face exposure to discrimination claims if the employer discovers from an applicant's social media site or personal email that the applicant is a member of protected class and then chooses not to hire the applicant. Also, by accessing an employee or applicant's social media account, an employer may assume liability for the protection of or duty to report the information they have seen.
Further, it is a violation of Facebook's Statement of Rights and Responsibilities to share or solicit a Facebook password. In a recent statement to users, Facebook's Chief Privacy Officer, Erin Egan, said:
As a user, you shouldn't be forced to share your private information and communications just to get a job. And as the friend of a user, you shouldn't have to worry that your private information or communications will be revealed to someone you don't know and didn't intend to share with just because that user is looking for a job. "
Protecting Your Passwords and Your Privacy," Facebook, March 23, 2012.
Courts in a number of jurisdictions have found employers liable under the federal Stored Communications Act for similar transgressions. For example, in Pietrylo v. Hillstone Restaurant Group, 2009 WL 3128420 (D.N.J. 2009), the U.S. District Court for the District of New Jersey upheld a jury verdict finding an employer liable under the federal Stored Communications Act for accessing employees' social media websites and viewing posts that were critical of management. In Pietrylo, the jury found that the employer had knowingly or intentionally accessed an invitation-only chat group and members' accounts and passwords on MySpace.com without authorization. The employer's actions, however, did not constitute and invasion of the plaintiffs' common law right of privacy. Likewise, In Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (2002), the U.S. Court of Appeals for the Ninth Circuit held that an employee had a right to sue when his employer accessed his secure website that contained criticisms of management.
How can employers use social media in making hiring decisions?
Employers can use social media to evaluate current and potential employees' Online conduct without infringing on employee privacy or being accused of making employment decisions based on a protected classification. It is important for employers to have a well-drafted social media policies and effective enforcement.
Please feel free to circulate this news alert to others in the industry, both within and outside your office.