On August 1, 2012, Illinois joined Maryland in becoming the second state to prohibit employers from requesting or requiring employees or applicants to provide passwords or other account information to gain access to the person’s profile on a social networking website. Several other states, including California, Delaware, Massachusetts, Michigan, New York, and Washington, are considering similar laws.

Amending “The Right to Privacy in the Workplace Act,” Illinois Public Law No. 097-0875 makes it unlawful for an employer “to request or require any employee or prospective employee to provide any password or other related account information in order to gain access to the employee's or prospective employee's account or profile on a social networking website or to demand access in any manner to an employee's or prospective employee's account or profile on a social networking website.” The law becomes effective on January 1, 2013.

Importantly, the law makes it clear that it does not limit an employer from promulgating and maintaining “lawful workplace policies governing the use of the employer's electronic equipment, including policies regarding Internet use, social networking site use, and electronic mail use.” Furthermore, the law does not limit an employer’s right to “monitor usage of the employer's electronic equipment and the employer's electronic mail without requesting or requiring any employee or prospective employee to provide any password or other related account information in order to gain access to the employee's or prospective employee's account or profile on a social networking website.”

In addition, the law specifically does not prohibit an employer from obtaining about an employee or applicant information that is in the public domain or that is otherwise obtained in compliance with the law.

The law will be enforced by the Illinois Department of Labor, which will investigate complaints of noncompliance. It also allows aggrieved persons to file a civil action against an employer. If an employer is found to have violated the law, it can be forced to pay actual damages and reasonable attorneys’ fees and costs.

The similar Maryland law, which was passed on May 2, 2012, goes into effect on October 1, 2012. That law prohibits an employee from downloading unauthorized employer proprietary information or financial data to an employee’s personal website, an Internet website, a web-based account, or similar account. It also authorizes an employer to conduct an investigation to ensure that an employee is in compliance with applicable securities, financial law, or regulatory requirements if information is received that that employee is using a personal website, an Internet website, a web-based account, or similar account for business purposes. Finally, it permits an employer to conduct an investigation of an employee’s actions if information is received that that employee conducted an unauthorized download of his or her employer’s proprietary information or financial data to a personal website, an Internet website, a web-based account, or similar account.