Maryland "Facebook Law" Raises New Obstacles For Employers Vetting Applicants And Investigating Employees, But With Important Exceptions

The momentum in the media made it almost inevitable: the first state law to expressly restrict employers from asking applicants and employees for social media account log-in credentials has been passed. Not surprisingly, Maryland, where the issue first burst onto the scene in April 2011, wins the “honor.” However, Maryland likely has opened the floodgates. Bills currently are pending in California, Illinois, Minnesota, New Jersey, and Washington. Employers seeking to understand the implications of the Maryland law must look beyond the blaring headlines to the details of the statute.

To begin with, the law’s general prohibition is both broad and narrow. Effective October 1, 2012 (assuming the Governor signs the law), employers are prohibited from requiring, or even asking, that applicants or employees disclose “any means for accessing,” such as a user name or password, for “any personal account or service” accessed through “computers, telephones, personal digital assistants, and other similar devices.”  In other words, the prohibition extends far beyond Facebook and other social media sites to include personal e-mail accounts, personal online banking accounts, and any other online communications or service account.

The Maryland law prohibits an employer from taking or threatening any form of adverse action based on an employee’s or applicant’s refusal to provide a user name or password to a personal account accessed through a communications device. An employer cannot discharge, discipline or otherwise penalize an employee. An employer cannot reject an applicant for engaging in the protected conduct.

Notably, the Maryland law contains no enforcement provision. The law does not authorize applicants or employees to sue. The law does not even delegate authority to the Maryland Department of Labor, Licensing and Regulation, or any other government agency, to enforce it. It is possible that an employee terminated in violation of the law might have a claim for wrongful discharge in violation of public policy. However, because that claim typically applies only to discharge, it is unclear whether an employee who is disciplined short of discharge would have a claim. It also is uncertain whether an applicant who is denied employment in violation of the law would be able to assert a claim.

While the law seems overly broad at first blush, it is critical for employers to understand the types of conduct that the law does not prohibit. Some of these exceptions are expressed in the statute itself; others are implicit.

  1. Access To Employer’s Internal Systems: The law expressly permits employers to require that employees disclose log-in credentials “for accessing nonpersonal accounts or services that provide access to the employer’s internal computer or information systems.” In other words, employees cannot rely on the law to prevent employers from gaining access to information stored on the employer’s own information systems.
  2. Violations Of Securities Or Financial Laws, Or Regulatory Requirements: If an employer receives information that an employee is using a personal online account for business purposes, the law “does not prevent” an employer from conducting an investigation to ensure that the employee is complying with “securities or financial law, or regulatory requirements.” This exception appears intended to apply in a situation where an employee of a financial services company uses a personal online account to trade securities or engage in other financial transactions on the employer’s behalf.
  3. Protection Of Trade Secrets: If an employer receives information that an employee has downloaded the employer’s proprietary information, without authorization, to a personal online account, the law “does not prevent” an employer from conducting an investigation into such suspected misconduct.
  4. Passwords To Devices: While the Maryland law bars employers from requesting log-in credentials for “accessing a personal account or service,” the law does not prohibit employers from requesting or requiring log-in credentials to access an employee’s personal device, such as a smartphone or tablet. This distinction is critical as employers increasingly are implementing “Bring-Your-Own-Device” policies.
  5. Nonpersonal Accounts: The law protects log-in credentials only for “personal” accounts. Maryland employers should clearly define which accounts are personal and which are nonpersonal. For example, if an employee uses a corporate e-mail address to establish a LinkedIn profile or Twitter account, the employer should ensure that employees know from the outset that such an account is “nonpersonal” for purposes of the Maryland law.

Because the Act’s restrictions on its face arguably apply only to the disclosure of log-in credentials, it remains to be seen through judicial interpretation whether the Act’s restrictions bar an employer from, for example, asking an employee or applicant to log into a personal account without disclosing the log-in credentials to the employer so the employer can observe the content of the personal account or asking an employee or applicant to print the content of a personal account. Before an employer chooses this route, they should speak with their employment counsel to educate themselves about the legal risks of doing so. While Maryland is the first jurisdiction to enact this legislation, it is not likely to be the last. Indeed, bills proposing similar restrictions currently are pending in various states, including but not limited to California, Illinois, Minnesota, New York, and Washington. In addition, U.S. Senator Richard Blumenthal (D–CT) has stated his plan to introduce similar legislation "in the very near future."

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.