Recent media stories report increases in employer requests for personal information such as social media passwords from potential or existing employees. 
has reported on employers asking applicants for their W-2 forms;
recently discussed the ethics of employee background checks, and Facebook issued a
in March “condemning employers who ask job applicants for access to their profiles on the social media site.”


Maryland recently became the first U.S. state to
employers from asking employees and job applicants for their social media account passwords. The legislation was drafted in response to a
involving a Maryland corrections officer whose employer asked for his Facebook password to check for gang activity. U.S. Sen. Amy Klobuchar (D-MN) introduced similar federal legislation in May. Illinois’ governor recently signed similar legislation, and bills are pending in nine additional U.S. states, according to Littler Mendelson’s Philip Gordon, an expert in workplace privacy issues.


Gordon recently co-authored “
,” asserting that the media frenzy surrounding a few incidents caused a knee-jerk reaction among legislators, unnecessarily exposing private employers to liability.


In this exclusive for
The Privacy Advisor,
Gordon discusses reasonable boundaries for employers to follow when it comes to requesting applicant or employee information.


The Privacy Advisor:
What are your thoughts on employers asking for W-2 forms from employees?


Gordon:
I haven’t had a client ask me whether they could ask applicants to provide a W-2 other than a few clients participating in a program that provides tax incentives to employers who hire individuals with historically low incomes. My principal concerns would be twofold. First, the W-2 is going to have the SSN on it. As a general rule, it’s best practices for employers not to collect SSNs from applicants before making a job offer to reduce the risk of a security breach involving applicants’ information. Utah actually has a law that prohibits employers from requesting SSNs before making an offer of employment, except when needed to conduct a background check.


My secondary concern would be discrimination on the basis of prior unemployment status. The District of Columbia has made it illegal to discriminate on this basis, and similar bills are pending in 10 states and in Congress. A W-2 could suggest the applicant was unemployed by showing an income of only a few thousand dollars for the prior year. An employer might be tempted to ask, “Well, your W-2 shows you earned only $3,000 last year; have you been working?”


The Privacy Advisor:
What about managers accessing employees’ personal information that is publicly available on social networking sites?


Gordon:
Managers are not prohibited by social media password protection laws from accessing publicly available information, but there is still risk because a manager could acquire information that is unlawful to rely on for employment decisions. For example, an employee might post on his Facebook page that his child has leukemia, and he is exhausted because he was up all night with his child after a chemo session. The fact that the employee’s child has leukemia is genetic information that an employer cannot lawfully rely on to make an employment decision. Or, a social media site might reveal an applicant’s age that was not previously known, exposing the employer to a claim of age discrimination. The way to mitigate this risk is to have someone act as a filter between the employer’s decision-maker and the social media content. So, for example, an employer could have recruiters go to social media sites looking for prospects and for information about prospects but  specifically instruct the recruiters on the types of information not to collect and not to pass on to decision-makers.


The Privacy Advisor:
What about managers accessing employees’ or applicants’ personal information on restricted social networking sites?


Gordon:
The social media password protection laws recently enacted in Illinois and Maryland and the media attention that preceded them have shined a spotlight on this issue. I think the media and state legislators are overreacting. In a study published by Littler Mendelson in June, 99 percent of respondents, which included C-suite executives, corporate counsel and human resources professionals, stated that their organizations do not request social media credentials in the hiring process.


As far as current employees are concerned, an employer can have a legitimate reason for requesting social media login credentials. For example, I just recently counseled a client in a situation where an employee told HR that a coworker had posted threatening content about other employees on her Facebook page. An employer can fully evaluate a report like that only by seeing the actual content and context. The report itself could be false, or the context might show that the employee is just blowing off steam. Regardless, the July shootings in Aurora are a tragic reminder that employers have a serious need to investigate threats of workplace violence as well as other suspected workplace misconduct.


The Privacy Advisor:
We have seen reports of employers hiring background-check companies to conduct “social media checks” on applicants. What are the risks for employers there?


Gordon: 
Relying on a third-party service to check applicants’ social media content can be useful because a specialized service might be able to find information that the employer couldn’t and can screen information that an employer can’t lawfully rely on for employment decisions. But then the employer would be conducting a background check subject to the Fair Credit Reporting Act (FCRA). The FCRA says if an employer relies on a third-party consumer reporting agency to assemble information about employees and job applicants to create a report that will be used to make employment decisions, the employer has to follow certain procedures. Those procedures are providing notice to the subject of the report that a report is being obtained and having the subject sign an authorization for the consumer reporting agency to share the report with the employer. If the employer decides to take adverse action based in whole or in part on the report, the employer needs to send a pre-adverse action notice to the applicant or employee, which includes a copy of the report and a copy of the FTC’s “Summary of Your Rights under the FCRA.” Then the employer has to wait a reasonable amount of time, usually five business days, before sending the final adverse action notice, which includes certain required information.


The Privacy Advisor:
What about Googling prospective or current employees?


Gordon: 
AGoogle search can legally be made. An employer does not have to comply with the FCRA when it conducts a Google search internally because the FCRA applies only when the employer relies on a consumer reporting agency to compile information about an applicant or employee. The employer may or may not be able to rely on the information returned by the search. For example, the Google search result could include media reports about an applicant’s recent arrest for suspected drug dealing. State and federal laws, however, can impose restrictions on an employer’s use of arrest records for employment decisions. The list of information that employers may not be able to lawfully rely on, depending on the circumstances and applicable state law, seems to get longer by the day. Credit history, unemployment status and genetic information—which federal law broadly defines to include any information about the manifestation of a disease or disorder in a family member—are three relatively recent additions to the list of more well known categories such as race, ethnicity, disability, age, gender and sexual orientation.


The Privacy Advisor:
Any general thoughts you’d like to share on the topic?


Gordon:
I think because of the recession, state legislators have substantial sensitivity to wide-ranging inquiries, and they are expressing a significant desire to restrict employers’ ability to collect information about applicants and employees that state legislators do not believe is job-related. For example, we’re now up to eight states that have imposed restrictions on employers’ collection of credit information about applicants. The view in most of these states is that an applicant’s credit capacity generally is not relevant to the applicant’s ability to perform the job, though all of the laws have exceptions. Social media password protection laws seem to be driven by the same underlying premise. The idea is that both laws are necessary to prevent employers from collecting information they are not lawfully allowed to rely on to make employment decisions. There are many people who have been out of work for a long time, not because they aren’t diligent or good workers or eager to get a job, just because, particularly in some geographic areas, it’s very difficult to get a job. I think lawmakers are concerned that information that is not job-related should not impede the ability of someone to get a job. As long as unemployment rates remain high, we can expect the states to enact more laws that impose limits on employers’ collection of information about job applicants and employees.