Password Protection Laws

September 12, 2014

In 2012, Maryland became the first state to prohibit employers from requiring employees or job applicants to provide passwords to their personal social media accounts. Since then, the trend for states to limit employers’ access to personal online content has been accelerating. There are now 17 states that have enacted such laws, with at least 11 more and the federal government considering doing the same.

Each state law is different, which makes it especially important for multi-state employers to craft policies that take variations in the laws into account. In general, password-protection laws prohibit employers from requiring or requesting that employees or applicants divulge their passwords or other means of accessing their personal social-media accounts, including email and instant messaging. Beyond that basic prohibition, the laws diverge.

Some, but not all of the password-protection laws also prohibit an employer from requiring employees or job applicants to –

“Friend” the employer;
Log onto their accounts themselves and then let the employer read the accounts’ contents over their shoulders; or
Tell the employer what social-media accounts they have.
Some state laws also provide exceptions to the prohibitions when account access is necessary for workplace investigations.

Here are a few of the features of the three newest state laws:

The Rhode Island law –

Considers social-media accounts created by the employer or intended to be used primarily on the employer’s behalf exceptions to the general prohibitions;
Allows aggrieved employees and applicants to file civil suits against the employer and to seek compensatory and punitive damages; and
Contains narrow exceptions to protect employers’ legitimate business interests.
The Oklahoma law –

Allows aggrieved employees and applicants to file civil lawsuits within six months of the alleged violation;
Limits protected accounts to those used “exclusively” for personal communications;
Allows employers to access employees’ accounts if the employees themselves access the accounts on the employers’ computer system, network or device; and
Contains broad exceptions for workplace investigations.
The Louisiana law –

Does not apply to accounts used for the employer’s business purposes or for business-related communications;
Prohibits employers from even threatening to penalize employees or applicants for refusing to disclose their login information;
Explicitly states that employers are permitted to access information about employees and applicants that is publicly available;
Does not prohibit employees or applicants from disclosing their login information to the employer themselves; and
Does not explicitly provide for private lawsuits.
In general, employers should —

Review hiring practices to ensure that they are in compliance with the applicable state password-protection laws;
Incorporate the password-protection laws into their social-media policy; and
Train employees involved in internal investigations on the restrictions on access to personal social-media accounts.

Reprint and thanks to: 9/10/2014b Marjorie Richter | WeComply, a Thomson Reuters business