Lawmakers Take Aim At Password Privacy

more+
less-

[author:  Matt Borick]

In 1597, Sir Francis Bacon observed that knowledge is power. It’s hard to argue against that observation, which certainly Password Privacy, Legalis as true today as it was back then. And with today’s social media technology there’s a lot more knowledge to be had. For example, today I learned through Facebook, a friend’s young child was repeatedly offering a snack to a very overweight individual sitting across an airplane aisle, much to her embarrassment. Another friend was “mopedding” in Bermuda and may or may not have applied temporary tattoos for that purpose. (I doubt Mr. Bacon was contemporaneously aware of similar events taking place back in his day.)

We all know that social media is a very powerful tool. Among other things, it’s a great way to get a lot of information out to a large number of people without a lot of time or effort. And some of this information can be very helpful to those who can access it. For litigators like me, for example, social media can be a great tool for gathering facts about opposing parties, assuming they have placed that information in a location where it can be readily found, such as Facebook. A personal injury plaintiff’s photos from a recent ski vacation make great fodder for cross-examination.

As we have seen in the news over the past few months, employers have actively sought to use social media to learn more about those they employ or are thinking of employing. Some of them have even gone so far as to ask employees and candidates for their social media passwords, sparking a great debate nationwide.

It turns out that, even before this issue of “password privacy” became front page news, lawmakers in several states were already working on legislation to address it (along with companion legislation applicable to students and applicants at educational institutions). And just last month, Maryland became the first state to officially put a password privacy law “on the books.” Maryland’s law, which goes into effect this October, provides that employers “may not request or require that an employee or applicant disclose any user name, password, or other means for accessing a personal account or service through an electronic communications device,” although they may require employees to disclose analogous information they use for accessing their employers’ computer and information systems. As a “belt and suspenders” measure, the law provides that employers in Maryland also may not fire or discipline employees who refuse to disclose the keys to access their personal accounts, nor may they refuse to hire applicants based on their refusal to disclose.

Currently at least a dozen other states – California, Delaware, Illinois, Massachusetts, Michigan, Minnesota, Missouri, New Jersey, New York, Ohio, South Carolina, and Washington – have legislation pending to address password privacy. Some of these bills are even more stringent than Maryland’s law. For example, proposed legislation in New Jersey would also prevent employers from even asking if employees or applicants maintain accounts on social networking sites. A pending bill in Delaware would prevent employers from accessing an employee’s or applicant’s social media accounts indirectly through third parties (e.g., “friends”).

At the same time, a number of these bills include specific carve-outs not contained in Maryland’s law. For example, proposed legislation in California would allow employers to request access to personal social media accounts to aid in a formal investigation regarding “specific allegations of harassment, discrimination, intimidation, or potential violence.” And proposed legislation in Minnesota would expressly exclude e-mail from the definition of “social networking site.” Finally, legislation in several states makes clear that employers are not prohibited from viewing information that is in the public domain or that is obtained by lawful means, establishing lawful policies governing social media or the use of electronic equipment, or monitoring employee e-mail or internet usage on the employers’ systems.

At the federal level, the “Social Networking Online Protection Act” (SNOPA) and the “Password Protection Act of 2012” have recently been introduced in Congress. Interestingly, the Password Protection Act has been proposed as an amendment to the federal Computer Fraud and Abuse Act, which primarily targets “hacking” and similar conduct.

Knowledge still is power. But the growing trend in the law is to prevent employers from knowing all they might want to know. No doubt it would be useful for employers to know as much as they can about the people to whom they are, or soon may be, entrusting their businesses, but lawmakers are recognizing that there needs to be a line drawn somewhere. And who knows – employers arguably might also benefit from not knowing certain information. Consider, for example, an employer who fires an employee for what could be considered a “borderline” reason. If the employer had been able to access the employee’s private Facebook account, which revealed that the employee was a member of some protected class, that might give the employee an argument that the stated reason for the firing was just a pretext. So maybe knowledge is not power, and instead ignorance is bliss!