    About This Blog

     

    The Social Media Law Blog is a forum for lawyers, compliance personnel, human resources managers, and other professionals who are struggling with the legal implications of social media across a broad variety of topics. Working professionals and Bloomberg BNA editors may share ideas, raise issues, and network with colleagues to build a community of knowledge on this rapidly evolving topic. The ideas presented here are those of individuals, and Bloomberg BNA bears no responsibility for the appropriateness or accuracy of the communications between group members.


     

     

    SOCIAL MEDIA LAW
    BLOG

     

    Wednesday, June 20, 2012

    Regarding Maryland's Law to Protect Social Network Accounts


    (We're pleased to have a guest post by Tom O'Toole, Managing Editor of Bloomberg BNA's Electronic Commerce & Law Report and contributor for our E-Commerce & Tech Law Blog. You can also follow him on Twitter @tjotoole.)

    Several sharp lawyers at DLA Piper put out a client alert this morning pointing out all of the loopholes ("exceptions" is the word they used) in Maryland's first-in-the-nation attempt to regulate the circumstances under which employers can demand access to online accounts held by employees and prospective employees.

    When the Maryland law was first introduced I wrote it off as typical front-running by political officials, and did not read it closely. DLA Piper's lawyers did and so, after I read their article, did I. What a mess.

    From the DLA Piper article, here are five exceptions to the Maryland law followed by a few comments of my own.

    1. An employer may conduct an investigation to ensure compliance with securities and financial regulations.  

    2. An employer may conduct an investigation into misappropriation of proprietary information.  

    The authors of the DLA Piper article seem to believe that the investigations permitted by the law must be triggered by the receipt of information that the employee himself is engaged in possible unlawful activities. That's a plausible reading. However, the drafter's language also supports a broader interpretation.

    The law states, at Section 3-712(E)(1), "based on the receipt of information about the use of [an online account or service] by an employee," the employer may conduct an investigation for the purpose of ensuring compliance with applicable securities or financial law, or regulatory requirements.

    To me, "by an employee" means any employee, and the investigation authorized by the statute is not limited to that particular employee.

    Similarly, at Section 3-712(E)(2), the law provides that "based on the receipt of information about the unauthorized downloading [of proprietary data] by an employee," the employer is not prevented from "investigating an employee's actions  ...."

    Here again, the person whose conduct may be investigated is not necessarily the same person who allegedly committed the unauthorized act. It seems perfectly reasonable to me to read the law as permitting an investigation of all employees based on information regarding a single but different employee.

    The DLA Piper attorneys also assume that investigations permitted by the law can include demands for access credentials to personal online accounts. That may be, but the law doesn't specifically provide for access to online account credentials. It merely states that "investigations" may be conducted.

    3. An employer may demand that an employee turn over credentials used to access the employer's own computer network.  

    Clearly. This part of the law, at Section 3-712(B)(2), must have been inserted out of an abundance of caution because it seems clear that employers already enjoyed this right. Subject, of course, to common law privacy protections and possibly, in the criminal context, constitutional protections against compelled self-incrimination.

    4. An employer may demand that an employee turn over credentials used to access nonpersonal accounts, including social media accounts such as Twitter or LinkedIn that are used in connection with the employer's business.  

    The Maryland law provides, at Section 3-712(B)(2), that "an employer may require an employee to disclose any user name, password, or other means for accessing nonpersonal accounts or services through an electronic communications device."

    Who defines the line between a "personal" and "nonpersonal" website? Between "personal" and "nonpersonal" accounts? The Maryland law uses both of these terms several times, defining neither of them. This creates a large opportunity for lawyers to step in and narrow the reach of the law. Devices that belong to the employer fall easily into the "nonpersonal" category, so those would be afforded no protection under the Maryland law.

    Employers may deem it wise to define employee-owned devices that are used to access employer-owned networks as "nonpersonal," further restricting the protections of the law.

    Employers may deem it wise to define as "nonpersonal" any online account that is tied to an employer-owned email address or is used to further the employer's business interests (Twitter, LinkedIn) or one that even mentions the employee's connection with the employer.

    Right now a well-written computer use policy goes a long way toward defining an employee's privacy rights. This provides a great opportunity for employers to blunt the impact of feeble laws like Maryland's. The New Jersey Supreme Court's ruling in Stengart v. Loving Care Agency Inc., 201 N.J. 300 (N.J. 2010), nominally a "win" for the plaintiff in that she prevented her employer from accessing email messages to her attorney, demonstrates the extent to which a well-crafted workplace computer use policy can be used to restrict (or eliminate) "personal" communications during workplace hours. Some courts may pick holes in computer network policies, but they embrace the idea that these policies can be used to define privacy rights in the workplace.

    5. An employer may request an "over the shoulder" view of the contents of an employee's online account.  

    Too true. The Maryland law protects credentials that are used to access an employee's online account, not the information that is contained in the online accounts. Since the purpose of the law presumably was to protect against employers who wanted to rummage through an employee's personal information without cause, one might reasonably think that the law should focus on access or on the information itself. No such luck.

    Elsewhere in the Maryland law, for reasons that I do not understand, the drafters decided to use the narrow, undefined term "download" instead of the more familiar term "access" to describe an employee's interaction with a computer network.

    Maryland's computer crime statute, Md. Code, Criminal Law, Section 7-302, uses and defines the term "access." The federal Computer Fraud and Abuse Act, 18 U.S.C. Section 1030, also uses the term "access" to describe interactions with, and taking information from, a computer network.

    Not the Maryland law. It uses the term "download" and then, of course, neglects to define it. What if an employee emails proprietary information to himself? Is that a "download?" Or copies information to a thumb drive? Is that a "download?" Who knows. Furthermore, why is the law tied to electronic communications? If an employee walked out of the office with paper documents containing proprietary information, shouldn't that trigger an employer's right to investigate?

    While the CFAA can be plausibly interpreted to forbid "over the shoulder" access to information displayed on a computer screen, the Maryland law cannot. As the DLA Piper article points out, there seems to be nothing to prevent an employer from demanding an "over the shoulder" look at an employee's online account. 

    Additional Griping  

    There is also an inexplicable inconsistency in how the Maryland law describes which acts are forbidden by the law.

    Proposed Section 3-712(D) provides that "an employee may not download unauthorized employer proprietary information ...." The term "unauthorized" is an adjective modifying the noun "employer proprietary information." I have no idea what "unauthorized employer proprietary information" might be.

    True to form, these terms are not defined in the law.

    At a different part of the law, the term "unauthorized" pops up again, this time as an adverb modifying the term "downloading." At Section 3-712(E), the law provides that an employer is not prevented from investigating an employee's actions "based on the receipt of information about the unauthorized downloading of an employer's proprietary information ...."

    So we have both "unauthorized downloading" and "downloading unauthorized employer proprietary information." It's disappointing that the law's drafters were so loose with their use of key terms.

    Another oddball feature: the law protects accounts and services but not electronic devices themselves, so there seems to be nothing in the law that would prevent an employer from demanding access credentials to an employee's electronic device -- personal or nonpersonal -- or from demanding access to the device itself. Tough language in the "bring your own device" section of an employer's computer use policy should be able to sew things up tight here.

    Yet another curious aspect of the Maryland law is that the "protections" it provides extend not just to social networking websites but to any sort of online account or website used by an employee.

    Finally, the law has a kind of "reverse domain name hijacking" feel to it. It's not clear how the law will, if ever, intrude upon reality. The law contains no private remedy, nor is authority for enforcement delegated to a state agency. It's not clear how an employee or prospective employee could claim the law's protections in the event of discipline or denial of a job opportunity. If anything, the law seems to be most effective at shoring up the authority that employers already have under current law and under their current computer use policies.

    The Maryland law goes into effect on Oct. 1, 2012.

    Other state bills on the same topic are under consideration in California, Delaware, New Jersey, New York, Illinois and Michigan, and they are all linked-to at the bottom of the DLA Piper article. These laws can't be described as similar to Maryland's -- they're written much more narrowly and sensibly. They haven't passed yet either.

     
