By Eric Matusewitch, PHR, CAAP
Imagine you’re interviewing for a paralegal position. Your resume is polished. Your answers are crisp. The questioner seems impressed. Before the meeting is over, though, you’re asked to hand over your Face book username and password.
Sounds implausible, but it could happen. Recent reports of employers requesting that applicants turn over their social media passwords have grabbed headlines in Forbes, Fox News, CNN, and on many other media outlets and blogs. While this relatively new practice may aid employers in screening job applicants, it may also lead to legal challenges under various federal and state statutes.
No Law Prevents Asking for Passwords
No federal law prevents an employer from asking for an employee’s password to his or her social media websites. Legislation, though, has been introduced in Congress to address the issue. In March 2012, the House of Representatives rejected an amendment to the Federal Communications Commission Process Reform Act of 2012 (H.R. 3309) that would permit the Federal Communications Commission to enact rules prohibiting telecommuting companies from requiring job seekers to disclose passwords for social networking sites. One month later, the House also rejected an amendment to the Cyber Intelligence Sharing Protection Act (H.R. 2353), which similarly bars employers from demanding Face book and other social media passwords from applicants and employees.
Most recently, in February 2013, Representative Elliot Engel (D-NY) reintroduced stand-alone legislation – the Social Networking Online Protection Act (SNOPA, H.R. 537). SNOPA would make it unlawful for employers and institutions of higher education to require or request user names, passwords, or any other means for accessing private email accounts or personal accounts on any social networking website. The bill, which would subject employers to a civil penalty of not more than $10,000, was referred to the Committee on Education and the Workforce.
Privacy of FB Posts
Employers who request applicants’ and employees’ login information may be in violation of the Stored Communication Act (SCA) or the Computer Fraud and Abuse Act (CFAA). The SCA prohibits intentional access to electronic information without authorization or intentionally exceeding authorization to access electronic information, and CFAA prohibits intentional access to a computer without authorization to obtain information.
In 2013, a New Jersey federal district court held that an employee’s face book wall posts were protected by the SCA. An important factor in the court’s ruling was the fact that the employee had configured her privacy settings to restrict her posts to her Facebook “friends.”
In this case, a paramedic working for a hospital made an alleged inappropriate post on her password protected Facebook account. The post was forwarded by the paramedic’s Facebook friends to management who disciplined the paramedic because of the post. Subsequently, the employee filed a lawsuit claiming the management violated the SCA and the common law invasion of privacy tort.
While the court granted summary judgment in favor of hospital management because management had not solicited the post, it found that “when users make their Facebook wall posts are ‘configured to be private’ for purposes of the SCA. The Court notes that when it comes to privacy protection, the critical inquiry is whether Facebook users took steps to limit access to the information on the Facebook walls.” The decision has been hailed as a huge victory for privacy because it recognizes that employers may not require employers to turn over their digital user names, passwords or password protected digital content.
Furthermore, on March 26, 2012, Senators Richard Blumenthal (D-CT) and Charles Schumer (D-NY) sent letters to the U.S. Department of Justice and the U.S. Equal Employment Opportunity Commission calling on those agencies to investigate whether the practice of asking for Face book passwords during job interviews violates the SCA or the CFAA. In a press statement to accompany the release of those letters, Schumer said: “Employers have no right to ask job applicants for their house keys or to read their diaries – why should they be able to ask them for their Facebook passwords and gain unwarranted access to a trove of private information about what we like, what messages we send to people, or who we are friends with?” (The DOJ had not issued an opinion as of February 2014.)
In addition, requiring the disclosure of social media passwords of job applicants and employees opens the door to potential discrimination charges under federal and state civil rights laws. Job bias statutes such as the Age Discrimination in Employment Act (ADEA), the Americans with Disabilities Act (ADA), and Title VII of the Civil Rights Act of 1964, prohibit an employer from making employment decisions based on factors like age, race, sex and physical condition—all things which, most likely would be readily revealed by even a quick perusal of a potential employee’s Facebook page. So, for example, if an employer used Facebook to discover that an applicant is being treated for cancer and rejects the job seeker for that reason, the employer would be susceptible to a discrimination claim under the ADA and parallel state and local statutes.
State legislatures have also jumped into this fray. In April 2012, Maryland became the first state to enact legislation prohibiting employers from asking prospective and current employees for access to password-protected material on their personal social media accounts. Since then 12 other states (Arkansas, California, Colorado, Illinois, Michigan, New Jersey, Nevada, New Mexico, Oregon, Utah, Vermont and Washington) have passed similar statutes. These laws generally prohibit employers from requesting or requiring job applicants or employees to:
- Share their social media account names and passwords with the employers;
- Log into their social media account(s) in the employer’s presence so that the employer can view the account (“shoulder surfing”); and
- Befriend them on social media to gain access to their respective profiles.
These state laws also prohibit employers from retaliating or threatening to retaliate against job applicants or employees who refuse to comply with the employer’s request for access to an individual’s social media account. These statutes, however, carve out exceptions allowing employers to request an employee’s social media password when an employer is conducting an investigation into allegations of employee misconduct or illegal activity.
The enforcement procedures and penalties for violations of these statutes vary among the states. For example, Michigan, Utah and Washinton expressly provide a private right of action in the event of violation, although the other states are silent on this point. The penalty in Michigan is limited to $1,000 per occurrence, plus reasonable attorneys’ fees and costs. Utah caps awards at $500 per violation.
According to the National Conference of State Legislatures, as of February 6, 2014 similar bills had been introduced or were pending in at least 25 other states (including Florida, Georgia, Massachusetts, New York and Ohio).
Finally, employers who request or require that applicants and employees hand over their social media passwords must sidestep another minefield; social media websites’ terms of service. For example, section 4.8 of Facebook’s Statement of Rights and Responsibilities states “you will not share your password, let anyone else access your account, or do anything that might jeopardize the security of your account.” In a March 23, 2012 post on its website, Face book’s Chief Privacy Officer Erin Egan warned employers that Face book will “take action to protect the privacy and security of our users, whether by engaging policymakers, or where appropriate, by initiating legal action.”
Given the rapid legal developments in this area, employers should be extremely cautions about requesting or requiring an applicant’s or employee’s social media password(s). Many individuals currently live, or will soon live, in, “protected password” states. In addition, employers must be concerned that this practice may discourage otherwise qualified individuals from applying for job vacancies. Finally, asking employees or job applicants for their login information could generate negative media attention.
Eric Matusewitch, PHR, CAAP, is a member of the Montgomery County, Maryland Committee on Hate Violence (Office of Human Rights) and former deputy director of the New York City Equal Employment Practices Commission. He also taught courses on employment discrimination law for New York University and the Long Island University Paralegal Studies Program. Eric has written the Manager’s Handbook on Employment Discrimination Law (Andrews Publications, 2000). He was a member of the Advisory Boards of the Berkeley College Paralegal Studies Program and the New York City Paralegal Association. He holds Masters’ Degrees in Political Science and Library Science, and a Certificate in Paralegal Studies. He is certified as a Professional in Human Resources by the Society for Human Resource Management, and as an Affirmative Action Professional by the American Association for Affirmative Action. He may be reached at firstname.lastname@example.org.