Lawmakers in the Senate and House of Representatives have introduced legislation (S. 3074, H.R. 5684) that would amend the Computer Fraud and Abuse Act to make it a federal crime, punishable by fines, for employers to knowingly and intentionally “compel or coerce” a person to authorize access (such as by providing a password) to a computer that is not the employer’s computer, for hiring, promotion or firing purposes, and thereby to obtain information from the computer. The bills would therefore leave room for employers to compel employees to grant access to computers that belong to such employers. However, the bills would also criminalize retaliation against whistleblowers and employees who refuse to provide access to computers that are not an employer’s computers. The restrictions on employers would not apply in certain cases: (1) if employees are disciplined or fired for other good cause; (2) if a State wishes to waive the federal law for its own employees or for individuals who work with children; or (3) if federal agencies waive the law for classes of employees who access classified information.
A competing measure introduced by Representatives Engel (D-NY) and Schakowsky (D-IL) (H.R. 5050), titled the Social Networking Online Protection Act, would prohibit employers from requiring or requesting that an employee or applicant provide access to private email or social networking accounts regardless of the computer used. “Social networking websites” are defined to include any site for managing user-generated content, a definition not limited to sites with social sharing features. The legislation also protects whistleblowers and employees who refuse to provide such access. These restrictions would be enforceable by the Secretary of Labor through civil penalties and injunctive relief. The same restrictions would apply to schools and universities that receive federal funding, with respect to the accounts of students and applicants.
These federal legislative proposals echo bills introduced in over a dozen states that would similarly prevent entities from seeking access to individuals’ personal online accounts. In May, Maryland became the first state to enact such legislation. Maryland’s law, which will take effect on October 1, 2012, prohibits employers from requesting or requiring access to certain personal accounts of employees or applicants and from retaliating against employees or applicants who refuse to provide access. The law specifies that employees may not download certain unauthorized data to their personal accounts, and that employers are not prevented from conducting certain internal investigations. Delaware has enacted password protection legislation that applies to higher educational institutions. Other state measures remain under consideration.