Maryland was the first state to pass legislation prohibiting current or prospective employers from asking for passwords to employee and applicant personal social media accounts. The Maryland statute took effect this month. Illinois and California followed with their own versions of such legislation. Other states working on such bills include: Delaware, Massachusetts, Michigan, Minnesota, Missouri, New Jersey, New York, Ohio, Pennsylvania, South Carolina and Washington.
The scope of these laws may extend beyond merely prohibiting employers from asking for passwords to social media websites. The California statute, for example, is broader – protecting all personal electronic content from employers’ eyes. Some of the legislation protects email accounts while other legislation does not.
Below is a summary of the three statutes now in effect.
California
| Effective | January 1, 2013 |
| Social Media | Defines “social media” broadly to include electronic services, accounts and content. Email accounts are included. Includes such content as videos, still photographs, blogs, video blogs, podcasts, instant and text messages.The term “personal social media” is not defined. There is also no requirement that the electronic content be stored or transmitted on the internet in order to be covered by the statute. It might be that any personal file on an employer system, account or employer-issued device is “personal social media” protected by the statute. Employee email with personal content might be covered, even if transmitted through an employer-provided email account. |
| Prohibited | Requests or demands: (i) for a username or password to access to an existing or prospective employee’s personal social media; (ii) that an existing or prospective employee access personal social media in the employer’s presence; (iii) to divulge personal social media.Typical employer policies that authorize the monitoring of employer-provided systems may violate the statute to the extent that they constitute a request or a requirement for an employee to divulge personal electronic content. |
| Permitted | An employer may require or request an employee to disclose a username, password, or other method to access an employer-issued electronic device. The statute does not authorize the prohibited acts once the employer gains access to an employer-issued device. So, the employer might not be authorized to require the employee to provide a password for files or folders on the device, for example.An employer may request (not require) an employee to divulge personal social media reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations, provided that the social media is used solely for purposes of that investigation or a related proceeding. |
Illinois
| Effective | January 1, 2013 |
| Social Media | Defines “social networking website.” Email accounts are not protected. |
| Prohibited | Requests or demands for information to enable access to an existing or prospective employee’s social networking website. |
| Permitted | Employer policies governing use of the employer’s electronic equipment, including policies regarding use of the Internet, social networking sites, and email.Monitoring usage of the employer’s electronic equipment and the employer’s electronic mail, so long as it does not involve requests or demands for information to enable access to an existing or prospective employee’s social networking website. |
Maryland
| Effective | October 1, 2012 |
| Social Media | A personal account or service accessed through an electronic communications device. Not limited to “social media” or “social networks.” Would seem to include email accounts. |
| Prohibited | Requests or demands for user name, password or other means to enable access to an existing or prospective employee’s personal account or service . |
| Permitted | Employer may require an employee to disclose any user name, password, or other means for accessing non-personal accounts or services that provide access to the employer’s internal computer or information systems. It is not clear whether the reference to “internal” systems means that outsourced or Cloud-based systems are excluded.Employer may conduct an investigation for the purpose of ensuring compliance with applicable securities or financial law, or regulatory requirements. Such an investigation must be based on the receipt of information about the use of a personal web site, internet web site, web-based account, or similar account by an employee for business purposes. The statute does not require that the business purpose for such a web site or account must relate to the employer’s business.Employer may conduct an investigation of unauthorized downloading of an employer’s proprietary information or financial data to a personal web site, internet web site, web-based account, or similar account by an employee, which is based on the receipt of information about such activities. |
Brash Tacks 