On April 1, 2012, the Maryland General Assembly passed the User Name and Password Privacy Protection and Exclusions Act, which prohibits employers from asking or requiring employees and applicants to disclose user names or passwords to personal accounts. If the bill is signed into law by the governor, it will take effect on October 1, 2012.
The law would cover employers of all sizes, including state and local government agencies. It also includes agents, representatives and designees of an employer. Thus, an employer could not delegate the task of collecting password information to a search firm or background check firm.
The bill specifically prohibits employers from requiring or requesting that a current employee or an applicant for employment disclose their user name, password, or other means for accessing a “personal account or service through an electronic communications device.” This prohibition would include requiring an employee or an applicant for employment to disclose, for example, the password to their Facebook or other social media account. It also prohibits an employer from disciplining, discharging or otherwise penalizing an employee for refusing to disclose this type of information.
The bill does permit employers to require employees to disclose user names and passwords for “non-personal accounts or services” that provide access to the employer’s internal systems. Thus, employers would be permitted to require employees to disclose their passwords for accessing the employer’s computer system or specific programs or documents within that system.
An amendment added prior to passage of the bill prohibits employees from downloading unauthorized employer proprietary information or financial data to the employee’s personal website, Internet website or web-based account. It appears that the amendment was intended to prohibit employees from posting on their personal sites, such as a Facebook account, proprietary information or the employer’s financial data. However, the term “unauthorized” is not defined. The preferred interpretation for employers is that the prohibition covers any proprietary or financial information the employee was not authorized to disclose, as opposed to information the employee was not authorized to access.
The amendment also includes two provisions specifically permitting employers to conduct certain investigations. The first provision applies to situations in which the employer receives information that an employee has used a personal site or account for business purposes. Under those circumstances, an employer is permitted to conduct an investigation for the purpose of ensuring compliance with law or regulatory requirements in the securities and financial area. While the provision specifically permits an employer to conduct such an investigation, remarkably it does not specify whether the employer may, under those limited circumstances, require an employee to disclose a password or user name to a personal account.
Another provision of the bill applies when an employer has received information about the unauthorized downloading of an employer’s proprietary information or financial data to a personal website or account. The provision permits employers to investigate “an employee’s actions” under those circumstances. Again, it does not specify whether the employer can require the employee to disclose a user name and password in the course of that investigation.
While not expressly stated in the bill, the two limited investigation provisions seem to imply that employers may, under the limited circumstances described in the bill, require employees to disclose user names or passwords as a part of the investigation. There would be no purpose in including those exclusions otherwise. However, it is unclear why the issue was not addressed directly, so caution is warranted.
The bill does not address an employer’s review of employees’ use of workplace computer and information systems, including the use of those computers or systems for accessing personal accounts. For example, the bill is silent on the question of whether and when an employer can review the information an employee downloads or sends through the employer’s information systems, or the sites the employee accesses through them. The bill does not specifically prohibit such employer activity, as long as the employer does not require the employee to disclose his or her password or user name.
While Maryland may become the first state to enact such a law, similar measures are being considered around the country and in Congress.
There is a growing trend of legislatures and regulators scrutinizing employer access to and use of web-based and other background information about employees and applicants. For example, the National Labor Relations Board Acting General Counsel has issued several decisions finding that employers’ social media policies restricting employees’ discussion of work-related matters violate the National Labor Relations Act. States, including Maryland, have also limited an employer’s ability to obtain and/or use certain background information, and the EEOC is said to be considering action on criminal background checks. Further, there are already strict federal requirements for conducting background checks on employees. Future articles will address these issues as well as provide a status update on the Maryland user name and password privacy protection bill.
Employers must review their social media and other Internet usage policies and practices and keep abreast of the rapid developments in this area as the law adjusts to new technology.