Employers Should Tread Carefully in Asking For Facebook, Other Social Media Passwords

Bloomberg Law for HR Professionals is a complete, one-stop resource, continuously updated, providing HR professionals with fast answers to a wide range of domestic and international human resources...

By Rhonda Smith and Donald G. Aplin  


Asking job applicants to share their social media usernames and passwords could pose major legal, ethical, and public relations challenges for employers, various sources told BNA.

Facebook released a written statement March 23 objecting to employers asking applicants or employees for such information.

“In recent months, we've seen a distressing increase in reports of employers or others seeking to gain inappropriate access to people's Facebook profiles or private information,” Erin Egan, Facebook's chief privacy officer for policy, said in the statement. “This practice undermines the privacy expectations and the security of both the user and the user's friends. It also potentially exposes the employer who seeks this access to unanticipated legal liability.”

Egan suggested that the company would sue employers who asked employees for their Facebook passwords. According to the social networking giant, sharing or soliciting a Facebook password is a violation of its Statement of Rights and Responsibilities.

“As a user, you shouldn't be forced to share your private information and communications just to get a job,” Egan said. “And as the friend of a user, you shouldn't have to worry that your private information or communications will be revealed to someone you don't know and didn't intend to share with just because that user is looking for a job.”

A management attorney, however, was skeptical of Facebook's legal standing with regard to employers requesting passwords.

“It is not clear what kind of claim Facebook could assert against an employer,” said Philip Gordon, a shareholder with Littler Mendelson in Denver. “Facebook does not appear to have any cognizable damage when an employer accesses an applicant's Facebook page.”

“Data posted on social media sites like Facebook isn't really private, even on restricted pages,” Gordon added, because “dozens, and even hundreds, of 'friends' have access to that information.”

Moreover, Gordon said he has not heard about any employers requesting Facebook passwords. “Aside from what has been reported in the media, I am not aware of any employer who has asked an applicant for log-in credentials or who has a policy of doing so,” he told BNA March 26.

Senators Ask DOJ, EEOC to Examine Legality.

Regardless of how widespread the practice is, Reps. Ed Perlmutter (D-Colo.) and Patrick McHenry (R-N.C.) have said they plan to draft legislation to address the issue.

In addition, two U.S. senators recently asked federal agencies to address the legality of employers seeking workers' social media information. Sens. Charles Schumer (D-N.Y.) and Richard Blumenthal (D-Conn.) requested March 25 that the Department of Justice determine whether such requests from employers violate the Stored Communications Act or the Computer Fraud and Abuse Act, both of which in part address the unauthorized access, disclosure, or use of computers and computer networks.

“Requiring applicants to provide login credentials to secure social media websites and then using those credentials to access private information stored on those sites may be unduly coercive and therefore constitute unauthorized access under both SCA and the CFAA,” they said in a letter to Attorney General Eric Holder Jr.

In a similar letter to Equal Employment Opportunity Commission Chair Jacqueline Berrien, Schumer and Blumenthal said: “Facebook and other social networks allow users to control what information they expose to the public, but potential employers using login credentials can bypass these privacy protections. This allows employers to access private information, including personal communications, religious views, national origin, family history, gender, marital status, and age. If employers asked for some of this information directly, it would violate federal anti-discrimination law. We are concerned that collecting this sensitive information under the guise of a background check may simply be a pretext for discrimination.”

Blumenthal and Schumer are working on legislation that would restrict employer requests for social media and email passwords from prospective employees, the senators said in their statement.

At the state level, legislation pending in California, Illinois, Maryland, Minnesota, and New York would restrict employers' ability to require job applicants and employees to provide their online usernames and passwords as a condition of employment.

“Legislators need to be careful before imposing new legal restrictions. It seems easy to pass a law in response to a public outcry, but technology changes so quickly and who knows where this is going to go,” Gordon cautioned.

“The public might react differently if it turns out an employer might have prevented a workplace violence incident if it had been able to access an employee's restricted Facebook page with the employee's password.”

Not a Common Practice.

Lester Rosen, an attorney and chief executive officer of Employment Screening Resources, a pre-employment background screening firm in Novato, Calif., told BNA March 8 it is “fairly unusual” for employers to ask job applicants for usernames and passwords to access information about them online.

“I would assume it's more prevalent with employers that have a position with a high degree of scrutiny,” said Rosen, the first co-chair of the National Association of Professional Background Screeners, which was founded in 2003 and today represents 719 member firms.

Employment Screening Resources does not use social media sites to conduct pre-employment screening, Rosen said, because of “the high risk” involved with complying with the Fair Credit Reporting Act. “Also, as a screening firm, we are not investigators,” he added.

In addition, Rosen said that many job applicants would consider requests for their usernames and passwords to be “an extreme invasion of privacy,” akin to an employer saying it wanted to look in a person's house.

“In this current job market, particularly for the type of person who might be on Facebook or other sites, it would be hard to promote your employment brand and attract the type of talent you need,” Rosen said. He said an employer considering asking for social media log-in information would need to ask, “How is that going to play in the marketplace when we're competing for talent and most other firms aren't asking for that?”

Attorney Eric B. Meyer of Dilworth Paxson in Philadelphia said in a March 26 post in his “The Employer Handbook” blog that employers asking workers and applicants for their social media passwords “is most definitely the exception and not the rule.”

Is It Legal?

Attorney Tamara Russell, a partner at Barran Liebman in Portland, Ore., said that from a legal perspective it is OK for employers to request a job applicant's username and password. “No law prohibits you from asking for [this information],” she said. “But even though it's legal, there's always a question of is it very wise.”

Employers understand that accessing information online about job candidates or employees has legal implications, Tim Mazur, chief operating officer of the Ethics and Compliance Officer Association in Waltham, Mass., told BNA March 12.

“So just like with other types of discrimination they never write down [what they find] or make it part of the official procedure,” he said.

“People are breaking the rules,” Mazur added, “and as long as you don't write it down, you can get away with it.”

Attorney Marc Sheridan of Markus & Sheridan in Mount Kisco, N.Y., said employers that use social media to conduct background checks on employees or job applicants are “playing with fire” because they are likely to find pictures on such sites that reveal a person's race, gender, age, and religious affiliations, among other legally protected characteristics.

“Those issues can lead to a claim for disparate treatment regarding hiring,” Sheridan told BNA March 12.

Also, Sheridan said, asking a job candidate or employee to provide a username and password could violate the social media site's requirement.

Russell and Rosen pointed out that employers in California, Colorado, and New York are prohibited from taking action based on an employee's off-duty conduct. “Employers in those states have to be particularly careful when they do those searches,” Russell said.

Mazur suggested that human resources practitioners challenge managers in their workplaces “to honor the spirit and letter of these laws and regulations” related to the use of social media sites to gather information about job candidates.

“I've seen examples where people will make a decision on whether or not to hire based on someone's Facebook page--if they have one or not,” he said.

Not having a Facebook page might lead a hiring manager to conclude that the job candidate is behind the times, Mazur said, though it could actually mean that the job candidate is being stalked by an ex-boyfriend and wants to protect her identity.

Suspect Information.

Mazur recommends that employers not use information obtained from a social media site as a major criterion by which to decide whether to hire the person.

“Gathering information online should be something that happens at the end of the hiring process, not at the beginning,” he said.

Rosen would agree. “The later in the process you see this information the more protection an employer has,” he said. “We advise clients to wait until there's been a bona fide job offer so there can be no inference that the employer was making a decision based on impermissible criteria. That gives you the most protection.”

Another challenge employers face when using social media to learn about a job candidate is that the information an employer finds online might be erroneous or incomplete, Mazur said.

“Companies need to think about the ethical repercussions of looking at that information and the culture of the company they want to create,” said Angela Bosworth, vice president of compliance and general counsel for EmployeeScreenIQ, an employment screening company in Cleveland, Ohio, that does not use social media to gather background information on candidates. “If employees feel that their privacy rights are being compromised it doesn't create the best culture.”

Gordon said that employers might not want to engage in the practice of viewing job applicants' social media sites for several reasons, including “bad press and word of mouth, the potential unreliability of information on social media sites, the irrelevance of the information, the wasted time and effort, and the potential collection of information that cannot be legally collected under laws like the Genetic Information Nondiscrimination Act, and the potential collection of information that cannot be legally relied upon under the Americans with Disabilities Act and other anti-discrimination laws.”

On the other hand, “in the 'non-cyber' world, employers can lawfully interview family members and friends of an employee as part of the application process,” he said. “If those people refuse to provide information to the employer, I am not aware of any legal restriction on the employer's not hiring the applicant. Similarly, if the applicant refuses to provide the names of friends and family members to be interviewed, the employer can refuse to hire without legal liability.”

By Rhonda Smith and Donald G. Aplin  

Text of the letter to Holder is at http://op.bna.com/pl.nsf/r?Open=dapn-8srn3p. Text of the letter to Berrien is at http://op.bna.com/pl.nsf/r?Open=dapn-8srn4y.

Request Bloomberg Law for HR Professionals