The legislative response to employers' requests for password disclosure.

• Author: Blanke, Jordan M.

Introduction

As often happens when a new societal problem emerges, there has been a quick legislative response. A dozen states have already passed legislation prohibiting an employer from requesting or requiring an employee or a prospective employee from disclosing password information that would provide access to one's personal social media account. This article will explore the incidents that led to this response and will compare the various approaches taken by these twelve states and by bills proposed in twenty-seven other states and the federal government.

Background

In 2010, Robert Collins was reapplying for a job as a security guard at the Maryland Department of Public Safety and Correctional Services. (1) As part of the recertification process, there was "a request --or to me, rather, a demand ... for my Facebook e-mail and login information," said Collins. (2) The Department had initiated the practice of asking prospective employees to voluntarily provide user names and passwords to social media sites in order to perform background checks and to investigate possible gang affiliations. (3) "I understood the investigator to be saying that I had ... to hand over my Facebook log-in and password," said Collins. (4) He was stunned but complied with the request: "I needed my job to feed my family." (5)

This incident publicized a growing practice among some employers to ask prospective employees for access to their social media accounts. (6) In March 2012, Facebook itself addressed the problem in a post by its Chief Privacy officer:

The most alarming of these practices is the reported incidents of employers asking prospective or actual employees to reveal their passwords. If you are a Facebook user, you should never have to share your password, let anyone access your account, or do anything that might jeopardize the security of your account or violate the privacy of your friends. We have worked really hard at Facebook to give you the tools to control who sees your information. As a user, you shouldn't be forced to share your private information and communications just to get a job. And as the friend of a user, you shouldn't have to worry that your private information or communications will be revealed to someone you don't know and didn't intend to share with just because that user is looking for a job. That's why we've made it a violation of Facebook's Statement of Rights and Responsibilities to share or solicit a Facebook password. We don't think employers should be asking prospective employees to provide their passwords because we don't think it's the right thing to do. (7) State Senator Ronald N. Young, one of the sponsors of the bill that was enacted in Maryland, stated "he thought the problem was 'starting to be widespread' and that he's 'hearing of more and more cases.'" (8) Similarly, Assemblywoman Nora Campos, one of the sponsors of the California bill that became law, stated that it would be a "'preemptive measure' that would offer guidelines to ... [protect] private information behind ... [our] 'social media wall.'" (9) She stated, "our social-media accounts offer views into our personal lives and expose information that would be inappropriate to discuss during a job interview." (10) Campos' office indicated that more than 100 cases currently before the National Labor Relations Board involve employer workplace policies regarding social media. (11)

Two U.S. Senators, Charles Schumer and Richard Blumenthal, asked the Department of Justice and the Equal Employment Opportunity Commission to determine whether this type of practice violates existing federal law. (12) This question was addressed to some extent a couple of times in cases involving current employees, rather than perspective employees. (13) In Konop v. Hawaiian Airlines, Inc., (14) and Pietrylo v. Hillstone Restaurant Group, (15) courts wrestled with the question of whether "coerced" access to restricted web sites violated the federal Stored Communications Act (SCA). (16) In decisions that are probably limited to their unique factual situations, both courts held that the employers' access to employees' websites were unauthorized under the SCA. (17) It is questionable, however, whether the SCA would be of much use to employees or prospective employees who, presumably, would be giving permission to access their social media sites, and would have to argue that their permission was coerced or that the access was unauthorized. (18)

The Legislative Response

In an effort to nip this growing practice in the bud, four states in particular have proposed a variety of bills, some of which passed by 2012; of these four, Illinois was the first to propose a bill on May 18, 2011, (19) followed by Maryland on February 2, 2012, (20) (California on February 22, 2012, (21) and Michigan on March 29, 2012. (22) These bills became law on August 1, 2012, May 2, 2012, September 27, 2012, and December 28, 2012, respectively. (23) The Maryland (24) law became effective on October 1, 2012, the Michigan (25) law on December 28, 2012, and the Illinois (26) and California (27) laws on January 1, 2013. An additional nine states (Arkansas, (28) Colorado, (29) Nevada, (30) New Jersey, (31) New Mexico, (32) Oregon, (33) Utah, (34) Vermont, (35) and Washington (36)) enacted legislation in 2013. Twenty-seven other states and Congress have considered or are considering similar bills. (37) This paper will compare and discuss the various approaches taken by these pieces of legislation. While much of the legislation varies greatly, most of the bills follow one or more of the models provided by the first four states: Illinois, Maryland, California and Michigan. I will address the approaches taken topic by topic.

To Whom do the Prohibitions Apply?

All of the laws and bills restrict an "employer" from acting in a certain manner. About half of the states that have enacted legislation specifically define the term "employer" within the statute. Maryland defines an employer as "a person engaged in a business, an industry, a profession, a trade, or other enterprise in the state" (38) or "a unit of state or local government." (39) It provides that employer "includes an agent, representative, and a designee of the employer." (40) Arkansas, (41) Colorado, (42) Michigan, (43) and New Jersey (44) use basically the same language, with Colorado specifically excluding "the department of corrections, county corrections departments, or any state or local law enforcement agency" (45) and New Jersey specifically excluding the "Department of Corrections, State Parole Board, county corrections departments, or any State or local law enforcement agency." (46)

Utah defines an "employer" as "a person, including the state or a political subdivision of the state, that has one or more workers or operators employed in the same business, or in or about the same establishment, under any contract of hire, express or implied, oral or written." (47) Washington has an even more detailed definition:

"Employer" means any person, firm, corporation, partnership, business trust, legal representative, or other business entity which engages in any business, industry, profession, or other activity in this state and employs one or more employees, and includes the state, any state institution, state agency, political subdivisions of the state, and any municipal corporation or quasi-municipal corporation. (48) Some of the bills propose a broader scope for the actor, such as Minnesota, which would prohibit any "person, whether acting directly or through an agent," (49) and Ohio, which would prohibit any "employer, employment agency, personnel placement service, or labor organization." (50) The definition proposed by Congress in the Social Networking online Protection Act (SNOPA) would include "any person acting directly or indirectly in the interest of an employer in relation to an employee or an applicant for employment." (51)

Who Is Protected?

The actions prohibited by the "employer" (generally) pertain to "employees" and to "prospective employees." (52) Also, Colorado and Washington define an "applicant" as an "applicant for employment." (53) Interestingly, New Mexico's law protects only a prospective employee, not a current employee. (54) Other than this last distinction, there appears to be little significance in the choices of terms used. (55)

What is Prohibited?

Although there are multiple variations of law implemented or proposed, very generally speaking, an employer is prohibited from requesting or requiring from an employee or an applicant the disclosure of a user name or password in order to gain access to a personal account or social networking site. (56)

"Request or Require"

The laws in eleven of the thirteen states provide that an employer may not "request or require" the specified information from the employee or applicant, (57) while Michigan and Utah use only the term "request." (58) In addition to "request or require," the language in Arkansas and Colorado includes "suggest" and "cause [to disclose]." (59) Nevada goes a step further, making it unlawful for an employer to "[d]irectly or indirectly, require, request, suggest or cause [to disclose]." (60) Washington provides that an employer may not "request, require, or otherwise coerce" disclosure. (61) In Illinois and New Mexico, there is a separate restriction that makes it unlawful for an employer to "demand access" to ones account or profile. (62)

Although the prohibited action is simply to "ask" in South Carolina (63) and to "ask or require" in Ohio, (64) most of the bills in other states use similar language. (65) In Minnesota, the prohibited action is to "require as a condition precedent to employment." (66) There is little significance in these variations.

"Disclose"

The laws in ten of the thirteen states prohibit a request to "disclose" username or password information, (67) while Illinois and New Mexico prohibit a request to "provide"...