New Password Protection Laws In the Workplace


Did you know that a new social media password protection law went into effect on October 1, 2013?  And, do you know that two more similar laws will go into effect December 1, 2013 and January 1, 2014?

These new laws apply to employers and employees in the states of Nevada, New Jersey, and Oregon, respectively.  Currently, there are at least thirteen states that have passed some version of so-called social media in the workplace password protection laws – including Arkansas, California, Colorado, Illinois, Maryland, Michigan, New Mexico, Utah, Vermont and Washington.  Unfortunately, each new law impacts employers and employees slightly differently – just enough to make multi-state employers go crazy if such employers contemplate requesting employee social media passwords.  According to the National Conference of State Legislatures, in 2013, so far, password protection in the workplace legislation has been introduced or is pending in 36 states.  And, 14 states introduced such legislation in 2012 when this topic first gained national attention.  Ultimately, however, this state patchwork of workplace social media protection laws will not be remedied unless states get together and pass a uniform law, or the federal government enacts a law explicitly preempting state legislation in this area.  Neither remedy is likely, and thus, employers and employees must keep an eye on the legislatures in every state.

It is not possible in this article to analyze each state law.  However, I will point out some general points of these laws, and provide some tips for employers in dealing with all these divergent prohibitions and exceptions.

What Do These State Laws Prohibit?

Generally, each state law prohibits an employer from requiring job applicants or employees to provide their personal social media credentials (username or password, or similar information).  So far, New Mexico’s law (effective June 14, 2013) is the only one that applies solely to prospective employees (applicants), and not to present employees.

The states also define differently what “social media” consists of since some state laws (for example, Illinois and Oregon) only apply to social media accounts, whereas other state laws (for example, California, Nevada and Utah) also apply to other online activities including accounts accessing email, blogs, text messages, videos, photographs, podcasts and other internet services.

Furthermore, some states prohibit additional conduct.  For example, some states prohibit an employer from requiring employees or applicants to allow the employer to “shoulder surf” while employees or applicants access their social media accounts.  Some state laws also prohibit other employer conduct that could circumvent the general protection these laws are attempting to provide.  Such prohibited conduct in some states includes, for example, forcing employees to accept a friend request, or requiring employees to change account privacy settings, so that the employer can then gain access to the otherwise off-limits account activity.

Are There Exceptions To The Prohibited Conduct?

Yes, and not surprisingly, the exceptions also come in a variety of shapes and sizes.  One of the most common exceptions to prohibited employer access to social media content is when such content is relevant to a workplace investigation of some type of misconduct.  A few states, including California and Michigan, have relatively broad exceptions based on workplace investigations.  Several other states, including Colorado and Maryland, have narrow exceptions that apply only to investigations of violations of securities laws or misappropriation of trade secrets.  And, some states, like Illinois and Nevada, do not have a workplace investigation exception to the prohibited access of social media content.

There is some good news, and uniformity, regarding online accounts that are used for an employer’s business purposes.  Most states allow employers to obtain employee log-in credentials to accounts created by the employer and used by employees for business purposes.  Simply, these are considered to be “non-personal” accounts and not protected under most of the state laws.

Some Tips for Employers:

Keeping up with these state laws can be difficult.  But the following are some tips that can help a multi-state employer combat the differing whims of various state legislators.

1.  Clearly identify accounts used for company business, and inform employees that such accounts are not personal accounts. 

Employers should confirm in writing with employees that accounts used for company business are not personal accounts.  By doing so, employers reduce the risk of running afoul of these state laws, and can avoid ugly battles over content ownership when employees separate from the company.

2.  Establish and enforce a policy prohibiting the disclosure of confidential information.

Employers can and should require their employees to abide by strict confidentiality/non-disclosure agreements/policies, and such policies should prohibit employees from revealing protected information online.  This simple but powerful policy could establish the hook to initiate a workplace investigation into an employee posting confidential information on personal accounts, and thus trigger an exception to the password protection laws.

3.  Remember that public information is still…public.

Some employers are hesitant to act on publicly available online information simply because the information is online, and thus, presumably protected by “some law out there.”  There is generally no need for such caution.  Employers who come across public information can still use such information as long as the information itself does not lead to an unlawful outcome (like learning of an employee’s national origin, then discriminating against that employee).  Similarly, if an employer obtains otherwise private information from a voluntary source, an employer does not run afoul of the state laws.

4.  Do not ask applicants for social media credentials.

In April 2012, in an article titled “Employers Be Cautious Using Social Media To Screen Job Applicants,” I wrote about why employers should not ask applicants for social media account information, and should not shoulder surf during interviews.  Those same issues are present a year and a half later.  Just do not do it.

5.  Seek legal counsel when contemplating using a “workplace investigation” exception.

As summarized above, each state law is unique, and each “workplace investigation” exception to the general ban on obtaining social media log-in credentials is also highly particularized.  A best practice is to consult an employment law attorney for assistance in deciphering and applying the law to each situation.

Multi-state employers will continue to struggle with these differing laws, particularly when additional states pass even more laws.  Employees too should know what they face in their state and the limits, if any, that are placed on them.  Until there is a uniform federal law, states will continue to pass such laws and force employers to customize policies and practices depending on each jurisdiction.

Information provided on this website is not legal advice, nor should you act on anything stated in this article without conferring with the Author or other legal counsel regarding your specific situation.

James Wu
James Y. Wu contributes a monthly column on Social Media and Employment Law. For nearly 20 years, James has provided day-to-day counseling and advice to employers regarding compliance with employment laws and reducing the risks of employment-related claims and lawsuits. He also provides strategic litigation services when claims and lawsuits do arise. After practicing at some of the nation's leading law firms, James opened his own law office in order to continue to provide his top-notch service at a much more reasonable rate for his clients. James earned his JD from Boston College Law School and both his BA and MA from Stanford University.