Wednesday, April 11, 2012

The Spotlight is On Practice of Employers Requesting Access to the Social Media Accounts of Employees and Job Applicants



As we discussed earlier this week, both houses of the Maryland General Assembly have passed legislation that would prohibit employers in Maryland from asking current employees and job applicants for their usernames and passwords to social media sites, for example, Facebook and Twitter.  The legislation passed unanimously in the Maryland Senate and by a substantial margin in the House, and has now been sent to the Governor for his signature.  If the Governor should sign, the legislation will be the first of its kind in the country. 

The Maryland legislation was birthed as a result of a controversy that ensued between the Maryland Department of Public Safety and Correctional Services and the ACLU of Maryland when, back in 2010, the Department required job applicants to submit usernames and password information related to their social media sites, purportedly to check for gang affiliations.  The Department suspended and then dropped the requirement after protests by the ACLU.  In this correspondence, the ACLU asserted that the Department’s conduct violated the Stored Communications Act, 18 U.S.C. § 2701-11 and its Maryland analog, Md. Courts & Jud. Proc. Art., § 10-4A-01, et seq.  The ACLU also noted that the Department’s conduct may give rise to violations of the common law tort of invasion of privacy and arguably chilled the First Amendment rights of employees.  The ACLU argued that “there can be little question but that forced ‘authorization,’ such as that demanded of [the applicant], is not proper authorization under the SCA, given the disparate bargaining power of the employer and employee or applicant.”  In the wake of the ACLU’s allegations, some commentators, such as Orin Kerr of the George Washington University School of Law, have likened surrendering social media passwords to handing over the keys to one’s home. 

While the Maryland legislation attempts to resolve these concerns, as passed it does not explicitly provide for a private cause of action, complaint procedures, or criminal sanctions.  This appears to relegate enforcement of the Maryland legislation to the realm of tort suits for wrongful termination in violation of public policy under Adler v. Am. Standard Corp., 291 Md. 31 (1981) and its progeny.  Similar legislation has been introduced  in Illinois, Michigan, Minnesota, Massachusetts, and California.  More information on the Michigan bill is available in a recent blog post by Jason Shinn of the Michigan Employment Law Advisor. John Holmquist of the Michigan Employment Law Connection, Emil Protalinski of ZD Net, and Mitchell H. Rubinstein of the Adjunct Law Prof Blog recently published blogs about a Michigan teacher’s aide was fired for refusing to hand over his Facebook. New Jersey Assemblyman John Burzichelli has announced that he will introduce a bill on the subject.

Two United States Senators have requested that the Department of Justice and EEOC review the matter, citing an uptick in requests by employers for job applicants’ username and password for social media sites.  The letter to DOJ notes that this practice appears to violate Facebook’s terms of service and cites cases which, according to the authors, may subject employers who request usernames and passwords from applicants to liability.  See Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir. 2002); Pietrylo v. Hillstone Rest. Group, Civ. No. 06-5754, 2009 U.S. Dist. LEXIS 88702 (D.N.J. Sept. 25, 2009).  The letter follows with a request that the DOJ issue a legal opinion regarding whether requesting and using job applicants’ social media passwords violates current federal law, including the Stored Communications Act and the Computer Fraud and Abuse Act.

The letter to EEOC asks it to investigate whether such requests violate the anti-discrimination laws, expressing a concern that access to such sites would give employers access to personal information about the job applicants’ religious views, national origin, family history, gender, marital status, and age.  The letter states that the two Senators “are concerned that collecting this sensitive information under the guise of a background check may simply be a pretext for discrimination.”  As with the letter to the DOJ, the letter to the EEOC asks the Commission to issue a legal opinion as to whether this practice violates current federal law. 

The two Senators, Richard Blumenthal (D-Ct) and Charles E. Schumer (D-NY) have indicated that they intend to introduce federal legislation.  It is unclear, however, whether federal legislation on this topic is necessary.  In Borchers v. Franciscan Tertiary Province of the Sacred Heart, Inc., 962 N.E.2d 29 (Ill. App. 2012), the court found that an employer had violated the Stored Communications Act by looking at an employee’s personal e-mail.  The court reached this holding even though the employee accessed the e-mail account from her work computer, and the account could be accessed without entering a username or password.  Similarly, in Shefts v. Petrakis, No. 10-cv-1104, 2011 U.S. Dist. LEXIS 136538 (C.D. Ill. Nov. 29, 2011), the court found that employee e-mails stored on the employer’s servers were in “electronic storage” under the Stored Communications Act and it was a violation for the employer to access them without authorization. 

On another front, Facebook recently threatened to sue employers who request that job applicants provide access to their Facebook profiles.  Facebook’s Chief Privacy Officer, Mr. Erin Egan, in a statement issued March 23, 2012, stated: “We’ll take action to protect the privacy and security of our users, whether by engaging policymakers or, where appropriate, by initiating legal action.”  Mr. Egan indicated that asking for someone else’s Facebook password violates Facebook’s user agreement. 

Employer requests for the username and passwords needed to access the social media accounts of employees and job applicants has kicked up a great deal of discussion throughout the legal community.  Phil Miles at Lawffice Space has made several posts on this issue, and concludes that, while the question is not yet settled, “[the] consensus amongst employment law bloggers [is] that it’s not cool and potentially not legal[.]” As a practical matter, Dave Copeland of Read Write Web, quoting career coach Ms. Sandra Lamb, believes that “[i]f your FaceBook or other social media password is requested (or required) [by an employer or potential employer] that goes beyond a red flag – it’s a deal breaker.” Jon Hyman of the Ohio Employer’s Law Blog notes that the law will affect a small number of owners because a “small percentage of employers [] engage in this practice”. Justin Keith of GreenbergTraurig’s L&E Blog points out that “[t]he law also makes it unlawful for an employer to refuse to hire an applicant who refused to disclose the same information.”

Ms. Kara Mignanelli reports that only approximately 18 percent of companies use social media to screen job applicants, 89% use it for recruiting.  Companies seeking to employ this less intrusive method of screening would, accordingly, be well advised to ensure that they employ reputable agencies that comply with all applicable laws.  In particular, if an employer outsources review of social media sites, it would appear that the requirements of the Fair Credit Reporting Act apply which would, among other things, require that the written consent of the employee or job applicant be obtained. See Fair Credit Reporting Act, 15 U.S.C. § 1681; Letter from Federal Trade Comm’n to Nixon Peabody, LLP on May 9, 2011.  Should companies decide to conduct social media screening in-house, they must be careful about how such screening is structured.  While any company considering such a program would be well advised to seek in-depth legal advice, Ms. Dawn Lomer explains that – at a minimum – the person making the hiring decision should not participate in the screening. 

Furthermore, it is as yet unclear what effect, if any, legislation such as that passed by Maryland will have on the ongoing debate in the courts regarding discovery of Facebook material. Compare Zimmerman v. Weis Mkts., Inc., No. CV-09-1535, 2011 Pa. Dist. & Cnty. Dec. LEXIS 187, 2011 WL 2065410 (Pa. C.P. Northumberland May 19, 2011); McMillen v. Hummingbird Speedway, Inc., No. 113-2010, 2010 Pa. Dist. & Cnty. Dec. LEIS 270, 2010 WL 4403285 (Pa. C.P. Jefferson Sept. 9, 2010) (both allowing discovery of Facebook materials); with Piccolo v. Paterson, No. 2009-4979, 2011 Pa. Dist. & Cnty. Dec. LEXIS 45 (Pa. C.P. Bucks May 6, 2011); Kennedy v. Norfolk S. Corp., No. 100201437 (Pa. C.P. Phila. Jan. 15, 2011) (both denying discovery of Facebook materials). 

Courts are also divided as to the discovery of social media passwords in particular.  As reported by Ethan Wall on the Richman Greer Blog, some courts have ordered individuals to supply passwords to Facebook and other websites.  See Gallion v. Gallion, FA 114116955S (Ct. Super. Ct. Sept. 30, 2011).  However, as noted by Daniel E. Cummins at the Tort Talk blog,  the court in Kalinowski v. Kirschenheiter & Nat’l Indemn. Co., No 6779 of 2010 (C.P. Luz. Co. 2011), other courts have refused to order the production of social media passwords.  Note that the court in Zimmerman, which ordered discovery of Facebook materials, emphasized that its decision should not be read to open the door to unlimited discovery of a party’s private social media accounts.  Zimmerman, 2011 Pa. Dist. & Cnty. Dec. LEXIS 187.  Having reported the foregoing, the advice of the Employment Law Bits blog is well taken: individuals should think twice about the information and pictures posted on any social media site. 

Please be sure to visit our website at http://RobertBFitzpatrick.com