by Phillip W. Pemberton and Lindsey A. Smith
Numerous states and the federal government are moving forward with legislation addressing employers’ access to employees’ and applicants’ social media accounts. Even if your state has yet to consider legislation prohibiting employers from accessing that type of data, the way other states have handled the issue may shape just how far employers can go when using social media as a source of information in making employment decisions.
An unfriendly request
Robert Collins worked as a corrections officer for the Maryland Department of Public Safety and Correctional Services. After taking a leave of absence for his mother’s death, he reapplied for his previous job. As part of the rehiring process, he underwent a security interview. During the interview, he was forced to provide his Facebook user name and password. The interviewer proceeded to review his personal messages, wall posts, and family photos.
Collins contacted his local American Civil Liberties Union (ACLU) office, which contacted the state corrections department. In response to the ACLU’s pressure, the department revised its policy and allowed applicants to “voluntarily participate” in the social media screening process. The revised voluntary policy didn’t go far enough for the ACLU, and it pursued a legislative change.
Maryland updates its status
In May, as a result of the Collins incident, Maryland became the first state to adopt legislation prohibiting an employer from requesting or requiring an employee or applicant to disclose his user name or password for personal Internet sites. The bill also prohibits employers from taking or threatening disciplinary action against an employee or applicant who refuses to disclose personal social media information.
The bill carves out several exceptions to the general prohibition against requiring disclosure. First, Maryland allows employers to gather login information for nonpersonal accounts to access an employer’s internal computer or information systems. Second, if an employer receives information that an employee is using a personal account for business purposes, it may conduct an investigation to comply with securities, financial, or regulatory law. Finally, Maryland allows an exception if an employee downloads, without authorization, an employer’s proprietary information or financial data to a personal website or account.
Illinois becomes a fan of privacy
In Illinois, local county sheriffs set off a media firestorm when they required applicants to “friend” the sheriff, allowing the sheriff’s office unfettered access to applicants’ private pages ― but that unpopular practice is about to be “unfriended.” On August 2, Illinois became the second state to pass social media legislation.
The recently enacted amendment to the Illinois Right to Privacy in the Workplace Act makes it unlawful for an employer to request a password or other account information to access an employee’s or a prospective employee’s social networking website. It’s worth noting that a previous version of the Act raised red flags for employers. The original Act contained almost no employer-friendly exceptions and prohibited employers from even accessing an employee’s social networking website. The legislation yields some relief, as the enacted version restricts employers only from asking for login information.
New Jersey atwitter about social media
New Jersey is one of the few states with any case law on employee and social media privacy. In Ehling v. Monmouth-Ocean Hospital Service Corporation, the employer asked an employee’s coworker, who was a Facebook friend with the employee, to access the employee’s private Facebook page. In a supervisor’s presence, the coworker accessed the page and allowed the supervisor to view and copy the employee’s Facebook posts.
The employee filed an invasion-of-privacy claim. The court refused to dismiss the claim, stating that “privacy in social networking is an emerging, but underdeveloped, area of case law.” 2012 WL 1949668 (D. N.J., 2012).
New Jersey legislators sought to develop this area of the law by proposing greater employee protection. Indeed, New Jersey’s proposed legislation goes further than both the Maryland and Illinois laws. New Jersey’s bill prohibits employers from asking a current or prospective employee if he has a personal account or profile on a social networking website.
The expansive New Jersey bill has yet to pass and is currently before the state Senate. The upside for New Jersey employers is that the bill, while broad, does provide some protection for employers. Under the current version, employers may implement and enforce policies addressing the use of employer-issued electronic communications devices.
Washington signs in
As in New Jersey, Washington is weighing in on the prohibition against employers requesting passwords and related social networking account information. Specifically, Washington’s proposed legislation prohibits an employer from demanding access in any manner to an employee’s or a prospective employee’s account or profile on a social networking website. The current version of the Washington bill appears to remove any distinction between requesting a password and gaining access to an employee’s account.
Does Congress ‘like’ social media policies?
Congress jumped on the social media policy bandwagon in early May when it introduced the Password Protection Act of 2012. Although the legislation remains in committee and hasn’t yet passed the House or Senate, you should be aware of the bill’s contents. Citing privacy and discrimination concerns associated with forced disclosure, the bill prohibits employers from requiring an employee to provide access to any information stored on a computer when the information isn’t owned or controlled by the employer. For example, under the current version of the bill, an employer couldn’t require an employee looking at Facebook on his work computer to disclose his password because doing so would allow the employer access to information controlled by Facebook administrators.
The measure also protects prospective employees by prohibiting employers from requiring disclosure as a condition of employment. Finally, the bill addresses retaliation and discrimination by prohibiting employers from taking an adverse action against an employee who refuses to disclose personal password information. If the bill passes, employers that violate the Password Protection Act could face financial penalties.
Employers should be aware of recent developments on both the state and federal levels. The common thread among the various versions of proposed legislation is that you cannot request or require the login information of employees or prospective employees. If your current practice includes requesting an employee’s or an applicant’s social media login information, you should consider a review of your policies ― especially if you have operations in Maryland, Illinois, New Jersey, or Washington.
Phillip Pemberton is a law student at the University of Kansas. This past summer, he worked as a summer associate at Foulston Siefkin. Lindsey Smith is an employment law attorney at Foulston Siefkin. She can be reached at 316-291-9591 or firstname.lastname@example.org.