We have all seen stories about how social media accounts are treasure troves of information. In past years, legal experts have discussed the issue of whether employers should view social media information of prospective employees. Some employers are tempted by the amount of information available on these services to vet employees and obtain a much more candid view of what makes job applicants tick. Now, however, people are using privacy controls to limit the amount of information on their social networks that a stranger can see.
Some employers have friended job applicants to try to see more private areas of their accounts. In addition, however, some employers are taking the next step and asking job applicants to provide user name and password login information to see the most private information for themselves. Others want the applicant to log in at an interview so that they can “shoulder surf” and review what the information looks like.
Not surprisingly, these practices are generating significant media attention. For instance, I recently heard a story on National Public Radio about Robert Collins, who was reapplying for his old job as a corrections officer with the Maryland Department of Public Safety and Correctional Services. The interviewer asked him for his Facebook user name and password.[1]
The media attention reflects a large groundswell of outrage at these practices. Job applicants are saying they feel violated. Even Facebook is publicly stating in the news, as of this morning, that it is considering filing suits against employers that are seeking job applicants’ login information.
As a result, legislators are taking notice and starting to take action. Legislators in four states have introduced bills to protect the privacy of social media accounts. In specific, legislators in Illinois, Maryland, New Jersey, and California either have or are about to introduce legislation barring employers from demanding social media logon information from job candidates in order to review their social media accounts. The stories about the legislation mention that employers have, in particular, demanded that job candidates hand over their Facebook user names and passwords during job interviews. The bills bar employers from demanding social media logon credentials from job-seekers in order to protect the privacy of their accounts.
As of the date of this article (March 24, 2012), legislators are about to introduce bills in New Jersey and California. Illinois is considering HB 3782, which was introduced last May, but was sent to committee in February 2012. News stories report that the sponsors of the legislation are planning to amend the bill. Click here for a copy of HB 3782.
Maryland’s bill, HB 364, was introduced in January 2012. One hearing was held, and another cancelled. It appears that the House Appropriations Committee is handling the bill. Click here for a copy of HB 364.
The Illinois and Maryland bills are different in scope. The Illinois bill bars employers from asking “any employee or prospective employee to provide any password or other related account information in order to gain access to the employee’s or prospective employee’s account or profile on a social networking site.” HB 3782. “Social networking site” means “an internet-based service that allows individuals to: (1) construct a public or semi-public profile within a bounded systems created by the service; (2) create a list of other users with whom they share a connection within the system; and (3) view and navigate their list of connections and those made by others within the system.” Social networking sites do not include email sites.
The Illinois bill has an important limit, though. The bill states that it does not “limit an employer’s right to promulgate and maintain lawful workplace policies governing the use of the employer’s electronic equipment, including policies regarding internet use, social networking site use, and electronic mail use.” The idea of the exception was to balance the bill's employee protections with protections of employers’ reasonable security and acceptable use policies governing the use of their own equipment.
Some opponents of the bill, however, state that the exception in scope in this carve-out threatens to swallow the bill’s protections of employees. For instance, an employer might have a policy that says if you are going to use our equipment, and you must, you will need to give us your Facebook user name and password. The plain language of the exception seems to permit such a policy. The bill’s sponsors are attempting to adjust the language to remove this apparent loophole.
The Maryland bill is similar to the Illinois bill in that it says employers may not “require an employee or applicant for employment to disclose any user name, password, or other means for accessing any Internet site or electronic account through an electronic device.” HB 364. In addition, however, the bill has an anti-spyware provision. It states that an employer may not “require an employee to install on the employee’s personal electronic device software that monitors or tracks the content of the electronic device.” Id. The Illinois bill has no similar provision.
The Maryland bill also prohibits an employer from failing or refusing to hire an employment applicant because of an applicant’s refusal to disclose login information or permit spyware to be installed on a personal device. In addition, the bill protects existing employees in that it bars employers from discharging, disciplining, or otherwise penalizing an employee for refusing to disclose login information or to permit spyware on personal devices. See id.
The Maryland bill, however, has a carve out for login credentials for the employer’s own systems. “An employer may require an employee to disclose any user name, password, or other means that provide access to the employer’s internal computer or information systems.” Id. Although it could be clearer, this language presumably covers both an employer’s networks as well as its devices, such as an employer-provisioned computer.
Because of the growing outrage in the public, momentum is starting to build for legislation. I am guessing that at least some of the legislation being introduced around the time of this article will eventually become law. U.S. Senator Richard Blumenthal is also announcing that he may introduce a similar bill in the U.S. Senate, so I would not be surprised by a federal bill as well.
Here are my thoughts about the language of the bills. First, I share the observation that the Illinois bill has a loophole creating the employer policy exception that may swallow the prohibition against demanding login information. The Maryland approach of specifically stating that the employer can demand (and presumably provision) passwords for its own equipment seems to be the better approach.
Second, it is interesting that the Maryland bill may preclude one of the hottest trends among enterprises, which is a “bring your own device” (BYOD) policy. BYOD policies generated a lot of buzz at the recent 2012 RSA Conference. Enterprises are increasingly turning to BYOD policies for having employees obtain devices of their choice that they want to use for their work. The idea behind BYOD is to permit employees the flexibility of picking their favorite device, since they may find certain brands more useful or efficient than others for their personal work styles. Moreover, some employers are requiring their employees to pay for some or all of the cost of the device, thus saving money.
Successful BYOD policies, however, require employers to retain some control over devices attaching to their networks. For instance, employers do not want to permit malware-infected devices to spread malware through the network. As a result, some employers require employees to use security software within devices as a condition of their use under a BYOD policy.
The Maryland bill’s prohibition against software that “monitors or tracks the content of the electronic device” is broad enough to apply to such software. Even anti-virus detection software both monitors a computer and reviews its content for signatures of malware. Thus, although the Maryland bill seems to be aimed at spyware, such as keystroke loggers, it arguably also sweeps in legitimate software that employers will need to carry out successful BYOD policies.
Finally, I am telling my clients not to ask for social media login information. Doing so threatens to cause the user to violate social media services’ terms of service and may trigger a suit, at least in the case of Facebook. Job applicants or employees may use such practices as the basis for a privacy tort claim. Moreover, if an employer reviews social media information in an inconsistent way, the employer may be opening itself up to claims of discrimination. Asking for login information just doesn’t seem worth it.
Stephen Wu
Partner, Cooke Kobrick & Wu LLP
http://www.ckwlaw.com/Information-Security-and-Privacy-Law-Resources/
[1] You can hear the story by searching on NPR’s website npr.org.