Williams Mullen Issues Legal Alert For Maryland Employers on Social Media Privacy of Employees

Share Article

How Maryland’s User Name and Password Privacy Protection Law Will Affect Your Business

Should Governor O’Malley sign the new legislation into law, employers with business operations or employees in Maryland should undertake a thorough review of their hiring and employment policies.

For Maryland Employers the Password is Privacy:
How Maryland’s User Name and Password Privacy Protection Law Will Affect Your Business


The Maryland General Assembly recently adopted legislation (SB 433/HB 964) that would prohibit Maryland employers from conditioning hire or continuation of employment upon an applicant’s or employee’s disclosure of any user name, password, or other means for accessing an online personal account such as Facebook or Twitter. The law will take effect on October 1, 2012 if signed by Democratic Governor Martin O’Malley. As a general rule, it will prohibit Maryland employers from retaliating, or threatening to retaliate, against applicants and employees who refuse to provide access to their private media accounts. For example, an employer may not terminate or discipline an employee who refuses to provide the requested information. Similarly, an employer may not refuse to hire an applicant who refuses to provide the same.

After the effective date, Maryland employers will be permitted to demand access to an employee’s password-protected electronic media accounts solely to investigate information received by the employer that a particular employee:

1. Is using a personal website, internet website or web-based account to conduct business, and the purpose of the employer’s investigation is to ensure such employee’s compliance with applicable securities and financial laws and regulatory requirements;

2. Has conducted an unauthorized download of proprietary information or financial data belonging to the employer and the purpose of the investigation is to determine whether such unauthorized download has occurred.

The new law provides no exception where a Maryland employer receives information that the employee has misrepresented the company, portrayed the company or its managers and supervisors in a negative light, or committed a severe act of misconduct not within the scope of the express exemptions. Efforts to enact similar legislation are currently being made in Illinois, Minnesota, New York, and California.

Employers Demanding Access to Password-Protected Accounts May Face Other Liability

In March 2012, Facebook’s Chief Privacy Officer, Erin Egan, issued a statement that it is “a violation of Facebook’s Statement of Rights and Responsibilities to share or solicit a Facebook password.” Facebook urged its users not to share their password with prospective or current employers, and vowed to “take action to protect the privacy and security of [its] users, whether by engaging policymakers, or, where appropriate, by initiating legal action.”    

Ms. Egan correctly noted that employers who seek password-protected information may generate unexpected liability. For instance, an employer may open itself up to alleged violations of Title VII if a prospective applicant can show that the employer refused to hire him or her on the basis of a protected characteristic (e.g., age, race, marital status, national origin, etc.) that the employer learned about by visiting the applicant’s social media page. In addition, employers who obtain information by perusing an applicant’s webpage may trigger obligations to report or preserve certain types of information (e.g., criminal activity).

In addition to Ms. Egan’s concerns, if an employer discovers negative information about a prospective employee through a social media search and still opts to employ that candidate, the employer may be liable if the employee later harms a co-worker, customer, or other third party, and the employer could have foreseen that harm based on the information that it obtained.

The possibility of criminal liability for employers that require login information to secure social media websites cannot be discounted. Two Democratic U.S. Senators, Charles Schumer of New York and Richard Blumenthal of Connecticut, have requested that the Department of Justice and the Equal Employment Opportunity Commission investigate whether requiring job applicants to provide this information can constitute unauthorized access in violation of two federal laws.

Specifically, the Senators believe employers that require login information may violate the Stored Communications Act (“SCA”), 18 U.S.C. § 2701, and the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030(a)(2)(C). The SCA prohibits intentional access to electronic information without authorization or intentionally exceeding that authorization, and the CFAA prohibits intentional access to a computer without authorization to obtain information.

Recommended Actions

Should Maryland Governor O’Malley sign the new legislation into law, employers with business operations or employees performing services in Maryland should undertake a thorough review of their hiring and employment policies and practices to ensure compliance with Maryland’s new User Name and Password Privacy Protection law. The employment application should also be reviewed to ensure that applicants are not required to disclose information protected under the legislation. However, there is no requirement to notify applicants and employees of their rights under the new law.

If you have any questions about this topic, please contact Mary Pivec at (202) 293-8128 or [email protected], Ashley Winsky at (757) 473-5316 or [email protected] or any member of the Williams Mullen Labor & Employment Team.

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Kristin Richardson
Williams Mullen
(804) 420-6309
Email >
Follow us on
Visit website