Given the significant number of states that now prohibit employers from requiring employees or applicants to divulge user names and passwords for their personal social media accounts, employers may find themselves facing a difficult dilemma.
How best, on the one hand, to protect their business’ confidential information and trade secrets and, on the other, not to invade the privacy of employees?
Part 1 of this two part blog series reviews what led to the 2012/2013 state legislative activity and summarizes some of the new laws. Part 2 will look at proposals that were considered in some states and Congress, and will offer suggestions as to how employers may wish to respond to this new reality.
The first law in the nation to prohibit employers from seeking the user name and password of an employee’s social media account was passed in Maryland in 2012. What led to the Maryland act was a situation where the Corrections Division of the Maryland Department of Public Safety and Correctional Services (DPS) promulgated a blanket requirement that all existing employees and applicants provide their social media user names and passwords. A particular correctional officer was required to provide his Facebook user name and password during a recertification process and a supervisor read his personal posts. The officer considered this as a humiliating experience and contacted the ACLU, which filed a lawsuit on his behalf raising the question about the privacy concerns not only for the employee but also his friends with whom he shared content.
Since then, 35 other states have either passed some form of social media legislation or considered doing so. (See for 2013 activity: http://www.ncsl.org/issues-research/telecom/employer-access-to-social-media-passwords-2013.aspx; for 2012 activity, see http://www.ncsl.org/issues-research/telecom/employer-access-to-social-media-passwords.aspx). Twelve states passed legislation, in varying degrees, dealing with access to employee social media. Several states expanded the prohibition to apply to educational institutions, so that students and prospective students are now covered.
With respect to the activity in those states where bills were introduced during their 2012 or 2013 legislative sessions, some were never reported out of committee, others were not passed and others simply died once the state’s legislative session ended. Several states passed laws in 2012, but attempts to expand the coverage in 2013 failed.
Among existing state laws, coverage varies. For example, Maryland’s law is fairly basic. While laws subsequently enacted include detailed enforcement mechanisms and/or impose specific monetary penalties. Generally, these laws/ provide that:
- Employers are prohibited from requiring the disclosure from employees or applicants of the user names and passwords for personal social media accounts.
- Employees are specifically prohibited from downloading to their personal accounts any of their employer’s proprietary or financial information.
- To insure compliance with financial, security and regulatory compliance, and to protect proprietary information, employers are authorized to investigate an employee’s use of a personal account if the employer has information of unauthorized downloads.
Some states go beyond the basics; for example, Colorado’s law incorporates a detailed enforcement mechanism. It requires an employee or applicant who thinks him/herself injured to file a complaint with the State Department of Labor (“CDOL”), which will then investigate, hold a hearing and issue findings. CDOL can then fine the employer up to $1,000 for a first offense and up to $5,000 for subsequent offenses.
Interestingly, Colorado’s law appears more balanced than Maryland’s. In addition to allowing an employer to investigate unauthorized downloads of its proprietary information, an employer can require disclosure of an employee’s user name and password when an employer account is involved or is an account that accesses the employer’s systems. Furthermore, the CDOL enforcement mechanism can be applied against an employee who acted in violation of the specific prohibitions noted in the Colorado Act. And, from a pragmatic perspective, perhaps most importantly, the Colorado legislature actually appropriated some funds to CDOL to cover activity related to the implementation of the Act.
Washington State’s act allows an aggrieved employee or applicant to pursue a civil action and, if the employee prevails, he/she can seek injunctive relief, monetary damages, a penalty of $500 and attorneys’ fees. However, if the court decides that an action was frivolous, then the judge can award the employer its expenses and attorney fees.
Because of a lack of consistency among states, an employer engaged in interstate commerce can find itself facing a real dilemma. Part 2 will offer suggestions on ways to ameliorate the situation.