Although it may not be a widespread practice among employers, asking employees or job applicants to provide passwords or access rights to social media accounts (e.g. Facebook or Twitter) has gained national attention and has been widely criticized by advocacy groups and politicians. While members of Congress are evaluating ways to prohibit the practice, Maryland became the first state to enact legislation prohibiting employers from requesting or requiring an employee or applicant to disclose any user name, password or other means for accessing a personal account. The law also prohibits employers from taking or threatening disciplinary action or refusing to hire a job applicant for refusal to disclose such information. The new law becomes effective on October 1, 2012.
The issue began gaining attention in Maryland when the Maryland ACLU filed a complaint after correction officer job applicants were asked to give their Facebook user name and password to the Maryland Department of Public Safety and Correctional Services. While the stated purpose of the state agency’s practice was to check for gang affiliations, the agency rejected seven applicants based on the information it obtained and later decided to drop its requirement. The Maryland ACLU claimed the practice was illegal under the Stored Communications Act (SCA), which generally prohibits unauthorized access to electronic communications stored at an electronic communications service provider. Specifically, a violation of the SCA is committed by anyone who: “(1) intentionally accesses without authorization a facility through which an electronic communication service is provided;” or “(2) intentionally exceeds an authorization to access that facility; and thereby obtains…[an] electronic communication while it is in electronic storage in such system.” 18 U.S.C. § 2701(a)(1)-(2). If employees or applicants consent and authorize the employer to access their social media accounts (and it is still an open issue as to whether the SCA applies to stored content in social media), there would be no violation. Thus, the Maryland ACLU argued that a “forced authorization” was not a valid authorization under the SCA.
Other states are following in Maryland’s footsteps, with proposed similar legislation in Washington, California, Illinois, Michigan, New Jersey and New York. The Michigan proposal would impose both criminal and civil penalties if a violation occurs, with the criminal penalty constituting a misdemeanor, punishable by imprisonment for no more than 93 days, a fine of $1,000, or both. The New York bill would impose a civil penalty of $300 for the first violation and $500 for each subsequent violation. The California bill, which also would prohibit colleges and universities from requesting social media usernames and passwords from students, was approved by a California Senate committee on April 18.
Social media sites have also been vocal about their disdain for the controversial employment practice. On March 23, Facebook issued a statement on its blog: “If you are a Facebook user, you should never have to share your password, let anyone access your account, or do anything that might jeopardize the security of your account or violate the privacy of your friends. We have worked really hard at Facebook to give you the tools to control who sees your information.” The Facebook Terms of Service prohibit users from soliciting login information, accessing accounts belonging to someone else, sharing passwords or otherwise jeopardizing the security of their accounts.
Though Maryland is the only state to have enacted a law addressing this issue, employers across the board should be wary of requesting applicant and employee social media credentials. Information gained from employee social media sites, such as race, sex, age, disability, sexual orientation, religion or national origin, may put employers in a more precarious position and increase the risk of liability associated with making hiring, firing or promotional decisions.