![Default Article Featured Image_laptop-newspaper-global-article-090623[95].jpg](https://images.contentstack.io/v3/assets/bltd4dd5b2d705252bc/blt61f52659e86e1227/64ff207a8606a815d1c86182/laptop-newspaper-global-article-090623[95].jpg?width=3840&quality=75&format=pjpg&auto=webp)
The momentum in the media made it almost inevitable: the first state law to expressly restrict employers from asking applicants and employees for social media account login credentials has been passed. Not surprisingly, Maryland, where the issue first burst onto the scene in April 2011, wins the “honor.” However, Maryland likely has opened the floodgates. Bills currently are pending in
. Employers seeking to understand the implications of the Maryland law must look beyond the blaring headlines to the details of the statute.
To begin with, the
. Effective October 1, 2012, assuming the governor signs the law, employers are prohibited from requiring, or even asking, that applicants or employees disclose “any means for accessing,” such as a username or password, for “any personal account or service” accessed through “computers, telephones, personal digital assistants and other similar devices.” In other words, the prohibition extends far beyond Facebook and other social media sites to include personal e-mail accounts, personal online banking accounts and any other online communications or service account.
The Maryland law prohibits an employer from taking or threatening any form of adverse action based on an employee’s or applicant’s refusal to provide a user name or password to a personal account accessed through a communications device. An employer cannot discharge, discipline or otherwise penalize an employee. An employer cannot reject an applicant for engaging in the protected conduct.
Notably, the Maryland law contains
no
enforcement provision. The law does not authorize applicants or employees to sue. The law does not even delegate authority to the Maryland Division of Labor and Industry, or any other government agency, to enforce it. It is possible that an employee terminated in violation of the law might have a claim for wrongful discharge in violation of public policy. However, because that claim typically applies only to discharge, it is unclear whether an employee who is disciplined short of discharge would have a claim. It also is uncertain whether an applicant who is denied employment in violation of the law would be able to assert a claim.
While the law seems overly broad at first blush, it is critical for employers to understand the types of conduct that the law does
not
prohibit. Some of these exceptions are expressed in the statute itself; others are implicit.
- Access To Employer’s Internal Systems: The law expressly permits employers to require that employees disclose login credentials “for accessing nonpersonal accounts or services that provide access to the employer’s internal computer or information systems.” In other words, employees cannot rely on the law to prevent employers from gaining access to information stored on the employer’s own information systems.
- Violations of Securities or Financial Laws or Regulatory Requirements: If an employer receives information that an employee is using a personal online account for business purposes, the law “does not prevent” an employer from conducting an investigation to ensure that the employee is complying with “securities or financial law or regulatory requirements.” This exception appears intended to apply in a situation where an employee of a financial services company uses a personal online account to trade securities or engage in other financial transactions on the employer’s behalf.
- Protection of Trade Secrets: If an employer receives information that an employee has downloaded the employer’s proprietary information, without authorization, to a personal online account, the law “does not prevent” an employer from conducting an investigation into such suspected misconduct.
- Passwords to Devices: While the Maryland law bars employers from requesting login credentials for “accessing a personal account or service,” the law does not prohibit employers from requesting or requiring login credentials to access an employee’s personal device, such as a smartphone or tablet. This distinction is critical as employers increasingly are implementing “Bring-Your-Own-Device” policies.
- Nonpersonal Accounts: The law protects login credentials only for “personal” accounts. Maryland employers should clearly define which accounts are personal and which are nonpersonal. For example, if an employee uses a corporate e-mail address to establish a LinkedIn profile or Twitter account, the employer should ensure that employees know from the outset that such an account is “nonpersonal” for purposes of the Maryland law.
- “Shoulder Surfing”/Printing: Because the Act’s restrictions on their face arguably apply only to the disclosure of log-in credentials, it remains to be seen through judicial interpretation whether the Act’s restrictions bar an employer from, for example, asking an employee or applicant to log into a personal account without disclosing the log-in credentials to the employer so the employer can observe the content of the personal account or asking an employee or applicant to print the content of a personal account. Before an employer chooses this route, they should speak with their employment counsel to educate themselves about the legal risks of doing so.
