On August 1, 2012, Illinois became the second state in the nation to adopt a law prohibiting employers from seeking employee or prospective employee passwords to access their the non-public portions of their social networking sites.
The Illinois' law, an amendment to the Right to Privacy in the Workplace Act that will become effective January 1, 2013, makes it unlawful for an employer to request or require an employee or prospective employee to provide password or other related account information in order to gain access to the employee's or prospective employee's account or profile on a social networking site or to demand access in any manner to an employee's or prospective employee's account or profile on a social networking website. The law defines "social networking site" to mean an Internet-based service that allows individuals to: (a) construct a public or semi-public profile within a bounded system, created by the service; (b) create a list of other users with whom they share a connection within the system; and (c) view and navigate their list of connections and those made by others within the system. By definition, a "social networking site" does not include electronic mail.
Nothing in the new law is intended to prohibit an employer from: (a) accessing employee and prospective employee information in the public domain; (b) maintaining lawful policies governing the use of its electronic equipment, including policies regarding Internet use, social networking site use, and electronic mail use; or (c) monitoring its electronic equipment and electronic mail to the extent otherwise permitted by state and federal law.
Employers who violate the Right to Privacy in the Workplace Act are liable for actual damages plus costs, and, for willful and knowing violations, an additional $200 fine plus attorney's fees. Violations of the Act also constitute a petty offense. Last but certainly not least, employers also are prohibited from discriminating against persons who exercise their rights under the Act.
Illinois joins Maryland as the only two states with laws addressing this issue. But they will not be alone for long. The issue is currently under various stages of consideration in several other states, including Washington, California, New York, New Jersey, Minnesota and Michigan. In addition, earlier last year some members of Congress asked the Department of Justice and the EEOC to investigate whether employer demands that job applicants turn over their social media passwords violates current federal law, discrimination statutes, or the Stored Communications Act and/or the Computer Fraud and Abuse Act. Bills have been introduced in both the House (Social Networking Online Protection Act ) and the Senate (Password Protection Act of 2012 ) which would prohibit employers from requiring current or prospective employees to provide their username or password to access online content.
Illinois employers, as well as Maryland employers, should take steps to comply with these new laws. In particular, employers should ensure that interviewers or other persons in the hiring process do not request passwords from applicants. Given the risks of asking for passwords, and the likelihood that many states will follow the lead of Maryland and Illinois, all employers should think twice before asking or requiring employees or applicants for social network passwords.