Lawmakers Defending Password-Protected Employee Accounts: Employers Need To Proceed Smartly

"Mortified" is the reported reaction of Robert Collins, a former corrections officer with the Maryland Department of Corrections (DOC), when DOC requested his Facebook username and password about a year ago. After Collins gave that information to a DOC interviewer in connection with its "recertification" process, the interviewer logged on to his account and reviewed the content, including posts of Collins' family and friends.

The term "mortified" may well describe the reaction of lawmakers, as well, because protective legislation recently passed in Maryland, is pending in at least 10 other states, and just surfaced in the U.S. Congress. Meanwhile, Facebook has warned its users that "you should never have to share your password,"1 and LinkedIn has been alive with questions such as "Could employers in the UK demand your Fbook password?"2 Worldwide, employers should proceed with caution.

Maryland's New Law

In Maryland, the General Assembly passed the User Name and Password Privacy Protection Act (SB 433/HB 964) (the "Maryland Law") in April 2012. That legislation will take effect October 1st provided Maryland's Governor Martin O'Malley signs it, as expected this month. The Maryland Law prohibits an employer from requesting or requiring "that an employee or applicant disclose any user name, password, or other means for accessing a personal account or service" such as Facebook, LinkedIn, or Twitter.

Specifically, employers doing business in Maryland (including units of state or local government) may not "discharge, discipline, or otherwise penalize" employees for refusing to disclose their personal information for an account accessed through a computer, telephone, or other electronic communications device. Nor may employers make hiring decisions on the basis of such a refusal. Threats of punitive action would also violate the Maryland Law.

Employers in Maryland may nevertheless require that an employee disclose "any user name, password or other means for accessing . . . the employer's internal computer or information systems." Furthermore, the Maryland Law allows an employer to access an employee's personal electronic accounts for the limited purposes of investigating information that the employer received about –

the employee's unauthorized downloading of the employer's proprietary or financial data to the employee's personal website, web-based account, or similar account; or the employee's personal use of a personal website, web-based account...
