With multiple cases of employers asking for passwords to employees' (or potential employees) social media accounts making the headlines, and one case where an employer took over an employee's LinkedIn account after firing her, it is becoming clear that existing law is not sufficient to protect employees from this intrusive behavior.
Some states are not taking this behavior lying down.
California Passes AB 1844 Employer Use of Social Media
California recently passed AB 1844 Employer Use of Social Media, which would "prohibit an employer from requiring or requesting an employee or applicant for employment to disclose a username or password for the purpose of accessing personal social media, to access personal social media in the presence of the employer, or to divulge any personal social media." It further prohibits an employer from "discharging, disciplining, threatening to discharge or discipline, or otherwise retaliating against an employee or applicant for not complying with a request or demand by the employer that violates these provisions."
The California law goes into effect January 1, 2013.
A New Trend?
According to the National Conference of State Legislatures, both Illinois and Maryland have also passed similar laws.
The Illinois law, signed by the governor on August 1, 2012, provides that it "shall be unlawful for any employer to ask any prospective employee to provide any username, password, or other related account information in order to gain access to a social networking website where that prospective employee maintains an account or profile."
The Maryland law, signed by the governor on May 2, 2012, "prohibits an employer from requesting or requiring that an employee or applicant disclose any user name, password, or other means for accessing a personal account or service through specified electronic communications devices."
As the National Conference of State Legislatures reports, there are 11 other states with pending legislation that would also prohibit employers from asking for employees' social media passwords. The states include: Delaware, Massachusetts, Michigan, Minnesota, Missouri, New Jersey, New York, Ohio, Pennsylvania, South Carolina, and Washington.
The federal government is getting in on the action as well. There are three bills currently pending. The Password Protection Act of 2012, H.R. 5684, sponsored by Rep. Martin Heinrich (D-NM), would prohibit employers from compelling or coercing any person to authorize access to a protected computer, and for other purposes, and actually subjects employers to a criminal fine for violation of the statute. The bill was introduced and referred to committee on May 9, 2012. Senator Richard Blumenthal sponsored a companion bill, S. 3074, also entitled The Password Protection Act of 2012, in the Senate. The Senate bill was also introduced and referred to committee on May 9, 2012.
The Social Networking Online Protection Act, H.R. 5050, would prohibit employers asking for requiring or requesting that employees and certain other individuals provide a user name, password, or other means for accessing a personal account on any social networking website. Sponsored by Rep. Eliot Engel (D-NY), this bill also provides for civil penalties, authority of the Secretary of Labor to bring injunctive actions, and jurisdiction of the courts to provide legal or equitable relief. The House bill was introduced and referred to committee on April 27, 2012.
One commentator raises concerns with how broadly social media is being defined and how it may be difficult to discern what accounts are personal and what accounts are business-related.
As the LinkedIn account case, Eagle v. Morgan, demonstrates, there may be significant grey area when it comes to defining what the purpose of a particular account is. In that case, the plaintiff maintained a LinkedIn account which her employer took over after she was fired. Importantly though, in that case, the plaintiff had given the employer access to her account by allowing an assistant to have her username and password, and having her assistant maintain the account. So this type of result may be avoidable, if employees keep their social media accounts separate from their business, and maintain control of the accounts themselves.