States Crack Down on Employers Demanding Passwords
By Samuel Greengard | Posted 2013-01-08
Five states have enacted password protection laws that prohibit employers from asking candidates for their social media and email passwords.
Last year, a major controversy emerged after several media outlets, including the Associated Press and NBC News, reported that a growing number of employers were forcing job applicants to hand over their Facebook, Twitter and other social media passwords so that organizations could peruse their accounts and review what they posted before hiring them. In many cases, candidates who refused were automatically rejected.
A number of private employers and government agencies claimed that asking for passwords and reviewing personal information was legal. However, beginning January 1, five states—California, Delaware, Illinois, Maryland and New Jersey—banned the practice. Nora Campos, a state assemblywoman who authored the California bill, told UPI.com, "The legislation is necessary because there is a hole in existing law that prevents employers from intruding into an employee's legal off-duty conduct."
The Maryland law is narrower in scope. It limits direct requests for log-in credentials with the exception of employers accessing an employee's social media account for suspected securities fraud or for misappropriation of trade secrets. The Illinois prohibition bars employers from accessing social media accounts in any manner, while California's law also applies protections in a broader manner. In addition to sites such as Facebook and Twitter, it covers a broad swath of content, including videos, photos, blogs, podcasts, text messages, email and Website profiles and locations.
"The laws are significant because they can significantly impede an employer's ability to investigate misconduct in social media," says Philip Gordon, shareholder at the employment and labor law firm Littler Mendelson in Denver and chair of the firm's Privacy and Data Protection Practice Group. He notes that neither Maryland's nor California's law provides the basis for a private claim against an employer. Michigan's law caps damages at $1,000. The Illinois law has no cap on damages recoverable through a civil claim.
Meanwhile, at the federal level, an attempt to enact a password protection law failed. The Password Protection Act of 2012 (HR 5684) died in committee in the Republican-controlled House of Representatives.
However, that doesn't mean that employers in other states are free to peruse social media accounts without risk. Employers could face claims under the Federal Stored Communications Act, Gordon says. For example, in 2006, two former employees of Houston's Restaurants prevailed in a lawsuit against the employer for forcing them to log into a personal MySpace account.
"Employers generally should avoid efforts to bypass passwords or use them without consent," Gordon says. This includes sending friend requests to applicants or asking them to log on from a computer residing at the organization's offices. It also means eschewing "remember me" features and stored log-in credentials on company-owned systems, as well as keystroke loggers.
Finally, he adds, "Even when an employer has an employee's consent to access a password-protected account, the employer should document the voluntary nature of the consent to avoid the result in the Houston's restaurant case."
Similar bills limiting the right of employers to check personal accounts are pending in a dozen other states. Of course, employers can continue to view unblocked accounts and use screening tools, including background checks and behavioral interviewing techniques that focus on how a person reacts given a specific situation or circumstances.
Some companies also rely on third-party applications and sites that scrape data from social media services. This includes Monster's BeKnown and BranchOut.