[author: Matt Borick]
The arrival of October marks an historic milestone for password privacy law. Back in May, Maryland became the first state to enact a password privacy law (discussed in my last post on this topic), and on October 1 that law officially went into effect. So now employers in Maryland are prohibited from asking or requiring employees or job applicants to disclose the access information (passwords, user names, etc.) for any personal electronic accounts or services they have. Nor can employers fire, discipline, or decline to hire people who won’t disclose.
And now two other states – Illinois and California – have joined the party. In August, Illinois passed a law (effective January 1, 2013) that makes it unlawful for employers to ask or require employees or applicants to provide their access information for “social networking websites.” The law states that it does not apply to personal e-mail, in contrast with Maryland’s law, which more broadly covers a “personal account or service.”
California’s new law is also quite broad, defining “social media” to include
“an electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations.”
Moreover, not only does the law prevent employers from requesting or requiring disclosure of user names or passwords, it also prohibits employers from asking or requiring employees or applicants to either access their personal social media in the employer’s presence, or divulge that they even have any such accounts. California’s law was passed at the end of September and, like the Illinois law, goes into effect on January 1, 2013. (At the same time, California also passed a companion law aimed at students and applicants at educational institutions. Delaware passed a similar law in July.)
What we’ve seen in Maryland, Illinois, and California is just the beginning. Eleven other states currently have password privacy bills in the works. In addition, both the Social Networking Online Protection Act (SNOPA) and the Password Protection Act of 2012 remain under consideration in Congress.
As time goes on, what may prove to be the most interesting aspect of the various password privacy laws is not what they prohibit but rather what they don’t.
Two of the three laws that have been passed to date list situations when employers may require or obtain – or at least are not prohibited from doing so – the disclosure of access information for personal accounts.
In Maryland, employers are not prevented from investigating potential violations of securities, financial, or regulatory requirements using personal accounts or the unauthorized downloading of the employer’s confidential information to personal accounts.
Under California’s forthcoming law, employers will maintain their existing rights to request employees to disclose personal social media that might be relevant to an investigation of alleged employee misconduct or alleged legal or regulatory violations by employees.
Illinois’ new law does not contain similar provisions, although it does make clear that employers are not foreclosed from accessing “public domain” information on employees or applicants or from setting policies for and monitoring the use of the employer’s electronic equipment and e-mail.
Along the same lines, it will be interesting to see how courts interpret and apply password privacy laws. Past court decisions suggest that courts do not hold social media passwords sacred. For example, the Sixth Circuit Court of Appeals recently upheld a trial court order in U.S. v. Smalcer requiring a convicted felon to disclose his Facebook password in the course of the sentencing process. The court in Gallion v. Gallion, a Connecticut divorce case, ordered counsel for the parties to exchange their clients’ Facebook and on-line dating passwords. And in three different personal injury cases in Pennsylvania (McMillen v. Hummingbird Speedway, Zimmerman v. Weis Markets, and Largent v. Reed), the respective courts ordered the plaintiffs to turn over their social media user names and passwords to the defense.
These Pennsylvania cases all involved a situation where public information on the plaintiffs’ social media sites cast doubt on their claimed injuries, and it was reasonable to expect that additional relevant information could be found on the “private” portions of the sites. The policy of liberal discovery was not outweighed by any privacy concerns the plaintiffs claimed – as one court observed, “By definition, a social networking site is the interactive sharing of your personal life with others; the recipients are not limited in what they do with such knowledge.”
Judging from the wave of password privacy litigation, legislatures have found that, at least in the employment sector (as well as education), passwords, user names, and other social media access tools are sacred. But as the various carve-outs in the password privacy laws make clear, such protection may not be absolute. And if the matter gets into court litigation, it seems that all bets are off.