States, Congress Mull Bars to Employer Demands For Passwords; Maryland Law Is Nation's First

From Capitol Hill to statehouses across the country, federal and state lawmakers are scrambling to introduce legislation to bar employers, and sometimes also educational institutions, from demanding the social media or other passwords of employees, job applicants, and/or students.

Maryland Gov. Martin O'Malley (D) May 2 signed the nation's first law regulating employer demands that employees or prospective employees disclose their “user name, password, or other means for accessing a personal account or service through an electronic communications device.”

The law will take effect Oct. 1.

‘Legislative Groundswell.’

Other states could follow in Maryland's footsteps. Legislation to limit employer requests for social media or other online passwords is pending in at least eight other states.

There is a “legislative groundswell in favor or protecting personal electronic media accounts,” Mark Poerio, an employment law partner with the Washington offices of Paul Hastings, told BNA in a May 4 email.

Employers, he said, “should take note that the Maryland Law and similar proposals generally distinguish between the personal accounts of employees and those connected to the employer's business.”

If employees “are or will be using social media for work-related purposes, employers should be vigilant to position themselves to protect their interests in the employer's website and related social media accounts.”

The Maryland law, he said, indicates that “employers have a legitimate business interest in preserving their rights to business-related electronic media accounts. The smartest employers will act preemptively to protect their trade secrets and key relationships, yet will be alert to public sensitivities and potential liabilities for pushing beyond the developing boundaries for employer action.”

Bill Introduced in Congress

Meanwhile, a bill (H.R. 5050) introduced in Congress April 27 would prohibit employers, institutions of higher education, and local elementary and secondary educational agencies from requiring or requesting that current or prospective employees and students disclose their user names, passwords, or any other means of access to their private email and social networking accounts.

Rep. Eliot Engel (D-N.Y.), the bill's sponsor, said it is intended to protect internet users' “digital footprints,” adding that a federal statute is needed to protect internet users nationwide.

The bill is cosponsored by Rep. Janice D. Schakowsky (D-Ill.) and has been referred to the House Committee on Education and the Workforce.

In Maryland: New Employee, Employer Rights

Under the Maryland law, employers may not discharge, discipline, or otherwise penalize an employee for refusing to disclose password information covered by the legislation; nor may they refuse to hire an applicant for such a refusal.

The law distinguishes between an employee's personal accounts and any “nonpersonal accounts or services that provide access to the employer's internal computer or information systems.” For the latter, an employer may require an employee to disclose user names and passwords.

The bill bars employees from downloading “unauthorized employer proprietary information or financial data to an employee's personal web site, an internet web site, a web-based account, or a similar account.”

The statute reserves an employer's right to conduct an investigation—based on the receipt of information about an employee's use of various types of websites for business purposes—to ensure “compliance with applicable securities or financial law, or regulatory requirements.”

Employers also retain the right to investigate an employee's actions with regard to the unauthorized downloading of employer proprietary information or financial data.

In House: Possible $10,000 Employer Civil Penalty

H.R. 5050 would make it unlawful for any employer to require or request that employees or job applicants give the employer “a user name, password, or any other means for accessing a private email account of the employee or applicant or the personal account of the employee or applicant on any social networking website.”

It would bar employers from discharging, disciplining, or discriminating against employees or job applicants who refuse to provide those access credentials.

Employers who violate the provision could be assessed a civil penalty of up to $10,000. The proposal would be enforceable by the Secretary of Labor, who could pursue an action to restrain violations.

The bill would create similar restrictions for institutions covered by the Higher Education Act, 10 U.S.C. § 1095(a), and the Elementary and Secondary Education Act, 20 U.S.C. § 1094.

Sens. Richard Blumenthal (D-Conn.) and Charles Schumer (D-N.Y.) in March called on the Justice Department and Equal Employment Opportunity Commission to investigate the legality of employer requests for passwords (11 PVLR 598, 4/2/12).

Multiple State Bills in the Wings

The Maryland statute was adopted in identical, companion bills, S.B. 433 and H.B. 964, and passed April 6 and April 7 in the Maryland Senate and House, respectively.

Employers in Illinois in most cases would be prohibited from asking employees or job applicants to turn over their social networking passwords under a bill (H.B. 3782) that passed the Illinois House March 29.

Delaware's Higher Education Privacy Act (H.B.309), was reported out of the Telecommunication Internet & Technology Committee May 3. It would restrict public or nonpublic academic institutions from requesting or requiring “that a student or applicant disclose any password or other related account information in order to gain access to the student's or applicant's social networking site profile or account by way of an electronic communication device.”

Delaware's Workplace Privacy Act (H.B. 308) would bar employers from requiring or requesting that employees or job applicants disclose “any password or other related account information in order to gain access to the employee's or applicant's social networking site profile or account by way of an electronic communication device.”

In California, workers, job applicants, students, and higher education institution applicants would not have to accede to employer or school official demands that they turn over their social media passwords under a bill ( S. 1349) reintroduced March 27 in the California Senate. However, a bill (A.B. 1844) amended April 26 in the Assembly would place similar restrictions on employers, but not educational institutions.

Similar measures are pending in:

• Michigan: H.B. 5523;

• Minnesota: H.F. 2963, H.F. 2982, and S.F. 2565;

• Missouri: H.B. 2060;

• New York: A.B. 2963, S.B. 6831, S.B. 6938, and S.B. 7077; and

• South Carolina: H.B. 5105.


For More Information

Full text of H.R. 5050 is available at

California: S. 1349, as amended and reintroduced, is available at A.B. 1844, as amended, is available at

Delaware: H.B. 309 is available at H.B. 308 is available at

Illinois: H.B. 3782, as amended and passed by the House, is available at

Maryland: S.B. 433 is available at H.B. 964 is available at

Michigan: H.B. 5523, as introduced, is available at

Minnesota: H.F. 2963, as introduced, is available at H.F. 2982 is available at S.F. 2565, as introduced, is available at

Missouri: H.B. 2060, as introduced, is available at

New York: A.B. 9654 is available at S.B. 6831 is available at S.B. 6938 is available at S.B. 7077 is available at

South Carolina: H.B. 5105, as introduced, is available at