MYOB about my Facebook Page!!  That is what the Maryland General Assembly said when it recently passed legislation barring employers from requiring employees or applicants to turn over passwords needed to access social media and other private websites.  Governor Martin O’Malley is expected to sign the bill, which will take effect on October 1, 2012.  As the Gazette and Baltimore Sun both point out, this law is the first of its kind to be enacted in the country.

The law bars employers from requiring or even requesting that an applicant or employee divulge his/her “user name, password, or other means for accessing a personal account or service through an electronic communication device.”  Employers may, however, require employees to divulge passwords for “nonpersonal accounts or services that provide access to the employer’s internal computer or information systems.”  The law does not define what is a “nonpersonal” account nor does it make any exception to allow employers to demand access to personal accounts that are used to access work accounts.

Employers regulated by the U.S. Financial Industry Regulatory Authority (FINRA) were able to obtain an amendment that permits them to conduct investigations to ensure compliance with securities laws when the employer has information that personal web based accounts have been used for business purposes.  Another amendment prohibits employees from downloading company financial and proprietary data to personal web accounts and permits employers to investigate suspected downloading of such information.

But neither of the above exceptions expressly permits an employer to demand that employees disclose their passwords as part of such investigations (although we would hope that any court would find this to be implied by the amendments)!

Savvy employers already understand that employees and applicants are entitled to privacy and do not seek access to personal websites willy-nilly.  Indeed, Facebook has made clear in a blog posting that demands by employers to access non-public sites of applicants and employees violate the Company’s terms of use agreement.  As Facebook’s blog post states:

 

“We don’t think employers should be asking prospective employees to provide their passwords because we don’t think it’s the right thing to do.  But it also may cause problems for the employers that they are not anticipating.  For example, if an employer sees on Facebook that someone is a member of a protected group (e.g. over a certain age, etc.) that employer may open themselves up to claims of discrimination if they don’t hire that person.”

 

The Maryland legislation fails to consider certain limited and legitimate reasons that employers might have that would require access to an employee’s personal web account.

  • For example, an employer that received a complaint that a supervisor was making racist remarks about subordinates on his Facebook page could not demand (or even request) access to that site as part of an investigation.

 

  • It is unclear whether an employer is permitted to monitor or have access to a Linkedin or Facebook account of an employee when he/she has been authorized by the company to use it for recruiting applicants or for marketing purposes.  This is because the law does not define what constitutes a “personal” account vs. a “nonpersonal” one.

 

These and other ambiguities in the legislation are why, as reported by the Gazette, Shawe Rosenthal lawyers worked with the Maryland Chamber of Commerce to oppose this bill.  However, now that the legislation has passed and will surely be signed by the Governor, employers will have to comply or face the consequences – hardly a LOL matter.