Recently the legality of requiring prospective hires to hand over social networking usernames and passwords received national attention when New York Sen. Charles Schumer and Connecticut Sen. Richard Blumenthal asked the U.S. Department of Justice to investigate whether the practice violates federal laws. Although federal legislation has yet to be passed, state legislatures have begun to address the issue.

This month, Maryland will become the first state to pass a law on the practice. Two identical bills, S.B. 433 and H.B. 964, were passed by the State legislature on Monday, and are now headed to Governor Martin O’Malley, who is likely to sign the legislation into law. Under this legislation, which will take effect on October 1, 2012, employers and their agents or representatives are prohibited from requiring workers and job applicants to “disclose any user name, password, or other means for accessing a personal account or service” electronically. In addition, employers are prohibited from refusing to hire an applicant for not providing access to such information. Similarly, employers are not permitted to terminate or discipline an employee for refusing to provide such information. 

In addition to protecting the privacy of current and prospective employees, the Maryland law also provides employers with some protections as well. Under the terms of the law, employees are prohibited from downloading “unauthorized employer proprietary information or financial data” to personal accounts or to websites, and employers are permitted to investigate upon hearing of such activity. Such investigations are intended to ensure “compliance with applicable securities or financial law or regulatory requirements.”   Additionally, employers are permitted to require employees to provide passwords and login information for non-personal accounts that are part of the employer’s own systems, such as company e-mail accounts. Please find our management alert on this new law.

Similar legislation has been filed or is under consideration in other states, including California, Illinois, and New Jersey. In New Jersey, Assemblyman John Burzichelli recently proposed legislation, stating that the practice of handing over usernames and passwords is “no different than asking someone to turn over a key to their house. Demanding this information is akin to coercion when it might mean the difference between landing a job and not being able to put food on the table for your family.”

In Illinois, State Representative LaShawn Ford proposed House Bill 3782, which would prevent employers from requesting any employee or prospective employee to provide a password or account name for a social networking site. The Illinois state Senate will vote on the bill in the next couple of weeks. Assuming the bill passes in the Senate, it will move to a full House vote.   According to Ford, the bill will help prospective employees, “afraid to speak up because they don’t want to prevent themselves from receiving employment, and it protects employers from facing future lawsuits,” which in turn saves taxpayers money.

The increasing state and federal regulation of this practice suggests a growing trend in protecting the privacy of individual employees.   However, some employers are getting around this legislation through the use of third party applications, such as BeKnown or BranchOut, which can be used to provide limited access personal profiles if a job seeker allows it. Often, a prospective employee will be asked to check a box in the job application allowing the use of such third party software. Lori Andrews, an internet privacy law professor at Chicago-Kent College of Law, worries about the pressure placed on applicants, even those who voluntarily provide access to social networking websites. According to Andrews, “Volunteering is coercion if you need a job.”

Some states, such as California, have taken viewpoints like Andrews’ into account in proposing legislation. California Senator Leland Yee (D-San Francisco/San Mateo) recently introduced legislation designed to prevent employers from requesting employees or job applicants provide their social media usernames and passwords, and prohibit employees from voluntarily sharing such information. According to Yee, “It is completely unacceptable for an employer to invade someone’s personal social media accounts. Not only is it entirely unnecessary, it is an invasion of privacy and unrelated to one’s work performance or abilities.”  The Senate Committee on Education recently approved the legislation authored by Senator Yee.

The debate over the amount of privacy interest prospective employees and existing employees are entitled to with respect to social networking is far from over, and we will continue to provide updates in this important area.