There is a nascent legislative trend seeking to prohibit employers from asking applicants and employees for usernames and passwords to their social media networking sites. This is a reaction to stories of employers seeking access to personal social media sites to gather information that they then use to make employment decisions. In a process sometimes referred to as “cyber-screening,” employers have sought access to applicant passwords in order to vet potential candidates and obtain telling information about them. Employers also desire to know how employees are portraying the employer or its products or services, or what they may be communicating while on employer-owned computer systems.     

Congress is currently considering two related bills. In April, Reps. Eliot Engel and Jan Schakowsky introduced the Social Networking Online Protection Act, which would prohibit employers from requiring or asking an employee or applicant to provide a username, password or any other means of accessing a private email account or personal social media account, or from discharging, discriminating against or threatening any employee or applicant who refuses to provide such information. The legislation also prohibits retaliation for exercising rights under the act. Moreover, the legislation applies to educational institutions and students. It provides for civil penalties, Department of Labor injunctive relief and a private right of action in the federal courts for damages and equitable relief.

In May, Sen. Richard Blumenthal and Rep. Martin Heinrich introduced the Password Protection Act of 2012 in the Senate and the House. The legislation similarly prohibits employers from requiring the disclosure of passwords from applicants and employees, although there are certain exceptions for government employees and employees working with children under 13 years of age. The bill has no chance of passing at this time, but has received support from the American Civil Liberties Union (ACLU) and other privacy advocates.

Similar legislation has been introduced in California, Illinois, Maryland, Michigan, Minnesota, Missouri, New York, South Carolina and Washington. However, it has taken effect only in Maryland and Illinois. In May, Maryland Governor Martin O’Malley signed the legislation into law, making it the first state to prohibit employers from requiring applicants and employees to disclose their passwords. The law takes effect on Oct. 1.

On Aug. 1, Illinois Governor Pat Quinn signed into law amendments to the Right to Privacy in the Workplace Act, which prohibits employers from discriminating against applicants and employees for off-duty use of lawful products. The newly enacted amendments make it unlawful for employers to ask applicants and employees to provide passwords and log-in information to personal social networking sites, although the employer can obtain information that is publicly available on the Internet. The law takes effect on Jan. 1, 2013.

In conclusion, there is a nascent trend to prohibit employers from requiring applicants and employees to turn over passwords to private accounts. However, such laws currently affect employers in only two states. Nevertheless, employers must carefully consider whether to require the disclosure of passwords even in unregulated states. First, the employer may face a privacy lawsuit, such as one that the ACLU brought against the Maryland Department of Corrections. Second, the employer must consider the risk of obtaining knowledge of a protected characteristic or medical condition that could lead to allegations of discrimination under federal, state or local laws. Employers would be well-advised to seek professional advice before blindly embracing this vetting tactic. Moreover, inside counsel should develop a policy with appropriate legal safeguards, train management in the policy and ensure compliance throughout the organization.