Members of the House and Senate introduced legislation on May 9, 2012 that would ban employers from requesting individuals’ usernames, passwords, or any other means of accessing their social networking sites and from taking adverse action against job applicants and employees who refuse to provide such information. The Password Protection Act of 2012 (pdf) (H.R. 5684, S. 3074), introduced in the Senate by Richard Blumenthal (D-CT), Chuck Schumer (D-NY), Ron Wyden (D-OR), Jeanne Shaheen (D-NH), and Amy Klobuchar (D-MN) and in the House by Reps. Martin Heinrich (D-NM) and Ed Perlmutter (D-CO), would still allow employers to permit the use of social networking within the office on a voluntary basis, establish computer and social media use policies, avail themselves of online information about individuals that is already public, and protect their intellectual property or confidential business information from theft. Employers found in violation of this bill would be subject to monetary penalties only.

Under the specific terms of the bill, it would be unlawful for an employer to knowingly and intentionally compel or coerce any person “to authorize access, such as by providing a password or similar information through which a computer may be accessed, to a protected computer that is not the employer’s protected computer, and thereby obtains information from such protected computer,” and to retaliate against an employee who refuses to comply. The bill builds upon existing technology law, namely the federal anti-hacking Computer Fraud and Abuse Act.

Last month members of the House of Representatives introduced similar legislation that would apply to both employers and universities. The Social Networking Online Protection Act (H.R. 5050), sponsored by Rep. Eliot Engel (D-NY), would also impose civil penalties on those entities that violate any provision of the bill. While Maryland has passed a similar law prohibiting employers from asking applicants and employees for social media account log-in credentials and related bills are pending in a handful of other states, the Social Networking Online Protection Act was the first such measure to be introduced at the federal level.

Specifically, H.R. 5050 would make it unlawful for an employer to:

require or request that an employee or applicant for employment provide the employer with a user name, password, or any other means for accessing a private email account of the employee or applicant or the personal account of the employee or applicant on any social networking website.

An employer would be similarly prohibited from discharging, disciplining, discriminating against, denying employment or promotion to, or otherwise threatening an employee or applicant who refuses to provide social networking or other login credentials or who participates in an action against an employer for violating the act. An employer would face civil penalties of up to $10,000 per violation. The bill provides similar protections for students who refuse to provide their usernames and passwords to their university or college officials.

The Social Networking Online Protection Act defines “employer” broadly to mean “any person acting directly or indirectly in the interest of an employer in relation to an employee or an applicant for employment.” The measure defines “social networking website” as:

      any Internet service, platform, or website that provides a user with a distinct account--

  1. whereby the user can access such account by way of a distinct user name, password, or other means distinct for that user; and
  2. that is primarily intended for the user to upload, store, and manage user-generated personal content on the service, platform, or website.

Protecting an employee’s or applicant’s online privacy is an emerging employment issue. In March 2012, Sens. Blumenthal and Schumer sent requests to the Department of Justice (DOJ) and Equal Employment Opportunity Commission (EEOC) asking them to determine whether requesting job applicants for their social medial login credentials for background check purposes violates federal law. Earlier this year, the National Labor Relations Board’s (NLRB) Office of General Counsel issued a report asserting the Board’s position that many policy provisions commonly seen in employers’ social media policies violate the National Labor Relations Act (NLRA). Given the attention that this topic has generated, a federal bill banning the practice of requesting online credentials could gain traction in the coming months.