The Social Media Law Blog is a forum for lawyers, compliance
personnel, human resources managers, and other professionals who
are struggling with the legal implications of social media across a
broad variety of topics. Working professionals and Bloomberg BNA
editors may share ideas, raise issues, and network with colleagues
to build a community of knowledge on this rapidly evolving topic.
The ideas presented here are those of individuals, and Bloomberg
BNA bears no responsibility for the appropriateness or accuracy of
the communications between group members.
Wednesday, June 20, 2012
(We're pleased to have a guest post by Tom O'Toole, Managing Editor of Bloomberg BNA's Electronic Commerce & Law Report and contributor for our E-Commerce & Tech Law Blog. You can also follow him on Twitter.)
Several sharp lawyers at DLA Piper put out a client alert this morning pointing out all
of the loopholes ("exceptions" is the word they used) in Maryland's
first-in-the-nation attempt to regulate the circumstances under which employers can demand access to online accounts held by employees and prospective employees.
When the Maryland law was first introduced I wrote it off as
typical front-running by political officials, and did not read it
closely. DLA Piper's lawyers did and so, after I read their
article, did I. What a mess.
From the DLA Piper article, here are five exceptions to the
Maryland law followed by a few comments of my own.
1. An employer may conduct an investigation to ensure
compliance with securities and financial regulations.
2. An employer may conduct an investigation into
misappropriation of proprietary information.
The authors of the DLA Piper article seem to believe that the
investigations permitted by the law must be triggered by the
receipt of information that the employee himself is engaged in
possible unlawful activities. That's a plausible reading. However,
the drafter's language also supports a broader interpretation.
The law states, at Section 3-712(E)(1), "based on the receipt of
information about the use of [an online account or service] by
an employee," the employer may conduct an investigation for
the purpose of ensuring compliance with applicable securities or
financial law, or regulatory requirements;"
To me, "by an employee" means any employee, and the
investigation authorized by the statute is not limited to that
Similarly, at Section 3-712(E)(2), the law provides that "based
on the receipt of information about the unauthorized downloading
[of proprietary data] by an employee," the employer
is not prevented from "investigating an employee's
Here again, the person whose conduct may be investigated is not
necessarily the same person who allegedly committed the
unauthorized act. It seems perfectly reasonable to me to read the
law as permitting an investigation of all employees based on
information regarding a single but different employee.
The DLA Piper attorneys also assume that investigations
permitted by the law can include demands for access credentials to
personal online accounts. That may be but the law doesn't
specifically provide for access to online account credentials. It
merely states that "investigations" may be conducted.
3. An employer may demand that an employee turn over
credentials used to access the employer's own computer
Clearly. This part of the law, at Section 3-712(B)(2), must have
been inserted out of an abundance of caution because it seems clear
that employers already enjoyed this right. Subject, of course, to
common law privacy protections and possibly, in the criminal
context, constitutional protections against compelled
4. An employer may demand that an employee turn over
credentials used to access nonpersonal accounts, including social
media accounts such as Twitter or LinkedIn that are used in
connection with the employer's business.
The Maryland law provides, at Section 3-712(B)(2), that "an
employer may require an employee to disclose any user name,
password, or other means for accessing nonpersonal accounts or
services through an electronic communications device."
Who defines the line between a "personal" and "nonpersonal"
website? Between "personal" and "nonpersonal" accounts? The
Maryland law uses both of these terms several times, defining
neither of them. This creates a large opportunity for lawyers to
step in and narrow the reach of the law. Devices that belong to the
employer fall easily into the "nonpersonal" category, so those
would be afforded no protection under the Maryland law.
Employers may deem it wise to define employee-owned devices as
those that are used to access employer-owned networks as
"nonpersonal," further restricting the protections of the law.
Employers may deem it wise to define as "nonpersonal" any online
account that is tied to an employer-owned email address or is used
to further the employer's business interests (Twitter, LinkedIn) or
one that even mentions the employee's connection with the
Right now a well-written computer use policy goes a long way
toward defining an employee's privacy rights. This provides a great
opportunity for employers to blunt the impact of feeble laws like
Maryland's. The New Jersey Supreme Court's ruling in Stengart v. Loving Care Agency Inc., 201 N.J. 300 (N.J. 2010), nominally a "win"
for the plaintiff in that she prevented her employer from accessing
email messages to her attorney, demonstrates the extent to which a
well-crafted workplace computer use policy can be used to restrict
(or eliminate) "personal" communications during workplace hours.
Some courts may pick holes in computer network policies, but they
embrace the idea that these policies can be used to define privacy
rights in the workplace.
5. An employer may request an "over the shoulder" view
of the contents of an employee's online account.
Too true. The Maryland law protects credentials that are used to
access an employee's online account, not the information that is
contained in the online accounts. Since the purpose of the law
presumably was to protect against employers who wanted to rummage
through an employee's personal information without cause, one might
reasonably think that the law should focus on access or on the
information itself. No such luck.
Elsewhere in the Maryland law, for reasons that I do not
understand, the drafters decided to use the narrow, undefined term
"download" instead of the more familiar term "access" to describe
an employee's interaction with a computer network.
Maryland's computer crime statute, Md. Code, Criminal Law,
Section 7-302, uses and defines the term "access." The federal
Computer Fraud and Abuse Act, 18 U.S.C. Section 1030, also uses the
term "access" to describe interactions with, and taking information
from, a computer network.
Not the Maryland law. It uses the term "download" and then, of
course, neglects to define it. What if an employee emails
proprietary information to himself? Is that a "download?" Or copies
information to a thumb drive? Is that a "download?" Who knows.
Furthermore, why is the law tied to electronic communications?
If an employee walked out of the office with paper documents
containing proprietary information, shouldn't that trigger an
employer's right to investigate?
While the CFAA can be plausibly interpreted to forbid "over the
shoulder" access to information displayed on a computer screen, the
Maryland law cannot. As the DLA Piper article points out, there
seems to be nothing to prevent an employer from demanding an "over
the shoulder" look at an employee's online account.
There is also an inexplicable inconsistency in how the Maryland
law describes which acts are forbidden by the law.
Proposed Section 3-712(D) provides that "an employee may not
download unauthorized employer proprietary information ...." The
term "unauthorized" is an adjective modifying the noun "employer
proprietary information." I have no idea what "unauthorized
employer proprietary information" might be.
True to form, these terms are not defined in the law.
At a different part of the law, the term "unauthorized" pops up
again, this time as an adverb modifying the term "downloading." At
Section 3-712(E), the law provides that an employer is not
prevented from investigating an employee's actions "based on the
receipt of information about the unauthorized downloading of an
employer's proprietary information ...."
So we have both "unauthorized downloading" and "downloading
unauthorized employer proprietary information." It's disappointing
that the law's drafters were so loose with their use of key
Another oddball feature: the law protects accounts and
services but not electronic devices themselves, so there
seems to be nothing in the law that would prevent an employer from
demanding access credentials to an employee's electronic device --
personal or nonpersonal -- or from demanding access to the device
itself. Tough language in the "bring your own device" section of an
employer's computer use policy should be able to sew things up
Yet another curious aspect of the Maryland law is that the
"protections" it provides extend not just to social networking
websites but to any sort of online account or website used by an
Finally, the law has a kind of "reverse domain name hijacking"
feel to it. It's not clear how the law will, if ever, intrude upon
reality. The law contains no private remedy, nor is authority for
enforcement delegated to a state agency. It's not clear how an
employee or prospective employee could claim the law's protections
in the event of discipline or denial of a job opportunity. If
anything, the law seems to be most effective at shoring up the
authority that employers already have under current law and under
their current computer use policies.
The Maryland law goes into effect on Oct. 1, 2012.
Other state bills on the same topic are under consideration in
California, Delaware, New Jersey, New York, Illinois and Michigan,
and they are all linked-to at the bottom of the DLA Piper article.
These laws can't be described as similar to Maryland's -- they're
written much more narrowly and sensibly. They haven't passed yet