News & Publications

I.  Introduction

There have been a number of recent articles in the press reporting that some employers are beginning to require job applicants to disclose their login information and passwords in order to access Facebook accounts and other private information contained in various forms of social media.  It has long been known that interviewers “Google” or troll the Internet to obtain publicly-available information about a candidate as part of a background check.  But now, as more people are making their social media profiles private and not viewable by anyone other than their accepted connections, employers are requesting login information from prospective candidates to log on and check their profiles.  Some hiring managers are directing candidates to access their private accounts on the employer’s computer and then shoulder surf to review the candidate’s photographs, posts, and “tweets.” 

Two recent examples reported in the media provide some insight on this new practice.  Robert Collins, a correctional officer in Maryland, took a leave of absence from the state’s Department of Corrections after his mother died.[1]  When he reapplied for employment with the state, the Department asked for Collins’ user name and password for his Facebook profile.  His interviewer then accessed Collins’ account, and reviewed Collins’ pictures and his Facebook “wall.”  The reasons given by the DOC was that it wanted to ensure Collins was not affiliated with a gang or possessed any gang sympathies.  Another cited instance is a New York City statistician, Justin Bassett, who was asked for his Facebook login information during an interview.[2]  Bassett refused to provide the information and withdrew his application.   The city of Bozeman, Montana was one of the first employers to instruct job applicants to disclose password information for any Internet-based chat rooms and social clubs, including Facebook, MySpace, etc.[3]

II.  The Motivations For Accessing Private Social Media Accounts

Why do employers resort to reviewing social media sites or searching the Internet as part of its background check on applicants?  There are three primary reasons. 

First, most employers today are reluctant to provide meaningful references for fear of being sued for defamation.  For example, California prohibits employers from intentionally interfering with former employees’ attempts to find jobs by giving false or misleading references.[4]  While the law in most states permits an applicant to sue for defamation if the statements made by his or her former employer as part of a job reference are false and contributed to the candidate not receiving the position, the reality is that very few such lawsuits have been filed across the country.  Part of the reason for this is no doubt because these applicants never find out what reference information was actually provided or assume that someone else who was better qualified was selected.  On top of this, keep in mind that the individual must prove that the statement made as part of a reference check was actually false.  Nevertheless, in an effort to insulate themselves from any possible claim, many employers resort to providing only ‘name, rank and serial number’ for its former employees or have a ‘no comment’ policy.  This leaves future employers with little meaningful data about an employee’s performance or workplace demeanor to make an informed hiring decision. 

Second, many employers are very concerned that they may subject themselves to liability if they fail to conduct a full and complete background check and it later turns out that the person they hired had a prior history of misconduct that they repeated once again at their new job.  While these “negligent hiring” lawsuits are still relatively rare, employers are nevertheless concerned that they are not doing enough to sufficiently weed out candidates who may have a history of discrimination, harassment, violence and the like.  Some courts have allowed victims to sue their employers, arguing that such a background check could have prevented them from being harmed.  For example, one California court allowed a student who was sexually assaulted by a teacher to pursue a negligent hiring claim against the school district based upon allegations that the district knew or should have known about teacher’s prior sexual misconduct.[5]  A recent opinion by the California Supreme Court held that a school district may be liable for negligent hiring relating to a student’s claim that he was sexually harassed and abused by a guidance counselor, and the counselor had engaged in sexually-related conduct with minors in the past.[6]  While it is far from settled in the courts whether an employer could be held liable for failing to insist upon reviewing password-protected social media accounts, you can see where many employers have legitimate concerns in this regard.[7]

Finally, the sad reality is that resume fraud appears to be on the rise.  Many employers have come to realize that applicants whom they have already hired have either fabricated work experience or education or greatly exaggerated or embellished their credentials.  Employers are trying to find ways to combat this unfortunate trend.  Two recent high profile examples of resume fraud have been well publicized.  Yale football coach Tom Williams was forced to resign in December 2011 after the university learned that he incorrectly stated on his resume that he was a Rhodes Scholarship “candidate” while attending Stanford University.  However, Williams later admitted that he never applied for the prestigious scholarship.  Williams also told Yale that he had played on the San Francisco 49ers practice squad while, in fact, he had only attended a 49ers try-out camp for a few days.  In early May 2012, Yahoo CEO Scott Thompson resigned when it became known that he had misrepresented on his resume that he was awarded a computer science degree in college when in fact his degree was in accounting. 

III.  The Legal Consequences Of Requiring Access TO Private Social Media Accounts

There are numerous legal issues triggered when employers require applicants to provide them with access to this information.  Discrimination claims are one of the biggest concerns.  For example, if an employer is allowed access to an applicant’s Facebook account, it might learn information about that applicant (such as his or her marital status, religion, sexual orientation or ethnicity) which might later allow that individual, if he or she is not hired, to contend that knowledge of that information is the reason why he or she wasn’t ultimately hired.  Learning that a candidate either recently got pregnant or is interested in becoming pregnant – whether held against that individual or not – can form the basis of a discrimination claim.  Once the employer is on notice of a trait or characteristic learned from a Facebook or Twitter account, they subject themselves to the very same claim that would be brought if that same information had been learned during a job interview.  The major difference – one that could be viewed very differently by a trier of fact – is that this information will have been obtained involuntarily by requiring a Facebook account password as opposed to perhaps voluntarily being disclosed by the candidate during an interview.  

Employers also subject themselves to claims that the applicant’s right of privacy was invaded.  Some states such as California afford a constitutional right of privacy that applies to private entities.[8]  Although it has not been tested in the Facebook context, a California applicant may have a viable claim that requiring the disclosure of a confidential password which allows access to very private, personal information constitutes an invasion of privacy.  Other states may allow such a claim to proceed based upon some type of common law invasion of privacy cause of action.  Regardless of the type of claim, ultimately, a court will first look at whether the applicant had a reasonable expectation of privacy.  The only possible way to lower and perhaps eliminate that expectation and potentially avoid such a claim is to make it very clear to applicants in places like job advertisements and applications that it will require disclosure of Facebook account passwords and access to private social media sites.[9]

In addition, some states have laws that prohibit employers from making adverse decisions based on off-duty lawful conduct.  Under New York law, employers cannot refuse to hire an individual based on his off-duty recreational activities, certain political activities, and the use of legal consumable products.[10]  Colorado law has a similar provision extending only to current employees.[11]  North Dakota also makes it a discriminatory practice to refuse to hire someone or discharge an employee because of participating in lawful activity off the employer’s premises during nonworking hours which is not in direct conflict with the essential business-related interests of the employer.[12]  While there does not appear to be a court decision directly on point, it does not seem farfetched that an applicant may pursue a claim under one of these statutes.  

As of early May of this year, an employer’s request for user names and passwords to personal electronic accounts clearly violates one state law.  On May 2, 2012, Maryland became the first state to specifically outlaw such a practice when Governor Martin O’Malley signed Senate Bill 433.  The “User Name and Password Privacy Protection Act,” which becomes effective on October 1, 2012, prohibits an employer from requesting or requiring that “an employee or applicant disclose any user name, password, or other means for accessing a personal account or service through an electronic communications device.[13] The Act precludes an employer from discharging or otherwise penalizing any employee who refuses to provide any such information.  There are some notable exceptions.  First, a Maryland employer may require an employee to disclose “any user name, password or other means for accessing nonpersonal accounts or services that provide access to the employer’s internal computer or information systems.”  Second, the Act permits the employer to access an employee’s personal electronic accounts for the limited purposes of (1) investigating information that the employer received about the employee’s unauthorized downloading of the employer’s proprietary or financial data to the employee's personal website, web-based account, or similar account, or (2) ensuring compliance with applicable securities or financial law or regulatory requirements.   

Finally, there is legal authority for the proposition that coercing employees to divulge passwords violates an existing federal statute -- the Stored Communications Act.  The SCA is violated when one intentionally accesses electronic information without authorization.[14] In an unpublished federal court decision, Pietrylo v. Hillstone Restaurant Group d/b/a Houston’s,[15] an employee testified at trial that she felt she had no choice but to disclose her MySpace account information to her manager who then logged into MySpace as the employee.  There, a disgruntled worker, Brian Pietrylo, created a MySpace page in which he invited coworkers to complain about their mutual employer, a Houston’s restaurant. When management learned of the MySpace ‘complaint’ page, it requested Pietrylo’s coworker provide her own MySpace login information so that management may read the entries on Pietrylo’s page.  The employer argued that there was no SCA violation because access to the MySpace page was authorized “by a user of that service with respect to a communication of or intended for that user.”  The jury found the employer violated the SCA and awarded compensatory and punitive damages in the amount of $17,000.00.  The court upheld the verdict on the basis that the coworker testified that while she provided her login information, she felt she had no choice because she worked for the restaurant and the requesting manager.  The court denied the employer’s motion for a new trial since the jury could have inferred that the coworker did not “authorize” management’s access using her login name because she was under pressure for fear of losing her job.  In a similar case, the Ninth Circuit Court of Appeals found that an employee had a cognizable legal claim under the SCA when his employer accessed a secure website that contained criticisms of management using someone else’s login information.[16]

In March 2012, Senators Charles Schumer, (D-NY) and Richard Blumenthal, (D-CT) asked the Department of Justice to investigate whether employers who ask for Facebook passwords are violating the SCA or the Computer Fraud and Abuse Act.  The CFAA makes it a crime for current or former employees to intentionally access a protected computer issued or owned by their employer “without authorization” or in a manner that “exceeds authorized access,” resulting in damage and loss.[17]  The DOJ has not yet issued an opinion.  Nonetheless, employers face a risk of violating the SCA or CFAA if they request confidential social media user names and passwords and use that information to login into secure websites. 

IV.  State And Federal Legislative Actions To Watch

There has been a rash of legislative activity in response to the practice of employers seeking social media passwords from applicants.  In addition to Maryland, twelve other states, including California, Delaware, Michigan, and New York,[18] have moved to limit employers’ rights to access social media websites.  Illinois stands ready to be the second state to bar employers from seeking social media passwords.  Both houses of the Illinois Legislature passed the “Right to Privacy in the Workplace Act,” which provides it is unlawful for an employer to ask any employee or prospective employee to provide a user name, password, or other related account information to gain access to a social networking website.   The Governor has signed it and it will go into effect on October 1, 2012. 

The U.S. Congress has also moved swiftly to respond to this practice.  Several House Democrats introduced “The Password Protection Act of 2012” on May 9, 2012.  U.S. Senator Richard Blumenthal (D-CT) introduced a companion bill in the Senate, S. 3074 with identical prohibitions.  These bills would amend the Computer Fraud Abuse Act and prohibit employers from:[19]

• forcing prospective or current employees to provide access to their own private account as a condition of employment.
• discriminating or retaliating against a prospective or current employee because that employee refuses to provide access to a password-protected account.
• engaging in an adverse employment action as a consequence of an employee’s failure to provide access to his/her own private accounts. 

The Password Protection Act of 2012, as currently written, preserves the rights of employers to: 

• Permit social networking within the office on a voluntary basis.
• Set policies for employer-operated computer systems.
• Hold employees accountable for stealing data from their employers.

The House and Senate bills establish what may be viewed as a right of workplace privacy as they do not permit employers to access private employee data under any circumstances, even if the employer uses its own computers to access that data.   Employers that violate the Password Protection Act may face financial penalties.  Both bills are awaiting Committee action. 

Another piece of proposed federal legislation in the House of Representatives, H.R. 5050, is the “Social Networking Online Protection Act” offered on April 27, 2012.[20]  This measure would prohibit employers and schools from requiring or requesting that employees and certain other individuals provide a user name, password, or other means for accessing a personal account on any social networking website.  The bill was referred to the House Committee on Education and the Workforce.

Several states are moving forward with legislative measures.  For instance, the Delaware legislature is considering “The Workplace Privacy Act,” House Bill 308.  H.B. 308 would make it unlawful for employers to mandate that an employee or applicant disclose password or account information that would grant the employer access to the employee’s or applicant’s social networking profile or account.[21]  This bill would also prohibit employers from requesting that employees or applicants log onto their respective social networking profiles or account to provide the employer direct access.  H.B. 308 is awaiting further action by the full legislature. 

California is another state considering a ban on requests for social media information.  State Assembly Bill 1844 was introduced on February 22, 2012, and would bar an employer from requiring an employee or a prospective employee to disclose a user name or account password to access a personal social medial account that is exclusively used by the employee or prospective employee.  The House unanimously passed the bill.  Meanwhile, California state senator Leland Yee offered Senate Bill 1349, the “Social Media Privacy Act.”[22]  In Senator Yee’s bill, public and private employers (as well as postsecondary educational institutions) are precluded from threatening an individual with or taking specified pecuniary actions (e.g., discharge, discipline, or otherwise penalize) for refusing to disclose permissibly requested information related to their personal social media account.  Employers may request, but not require, an employee provide the employer access to a personal social media account to aid in an investigation concerning allegations of harassment, discrimination, intimidation, or potential violence.  Unlike Maryland, there is no safe harbor for employers to seek protected information on employees’ personal accounts to ensure compliance with securities laws or that trade secrets are being protected.  Each of the bills now awaits passage in the other’s chamber. 

V.  Practical Considerations and Conclusion

As previously discussed, employers have legitimate concerns as to whether they are obtaining the information they need to make a fully informed decision about candidates they are interested in hiring.  At the same time, employers need to be mindful that there are legal risks if they attempt to obtain information from password protected social media sites.  Beyond this, employers need to seriously consider what these actions say about their corporate culture.  Is your company really interested in being known as an employer that wants to access such private and personal information?  Do you believe that an individual should have the right to privately express himself or herself on the Internet without fear that that information will be used negatively as part of consideration for a job?  Given the proliferation of social media usage in this country, and in light of how important the new entrants into the workforce feel about their ability to communicate and express themselves this way, an employer may be hindering its ability to attract the best and the brightest applicants by using these methods.  There are already existing procedures for conducting extensive and legal background checks that should allow employers to ferret out the information that they legitimately need to make these hiring decisions.  Employers need to decide if these methods are sufficient or whether more aggressive means need to be employed to obtain this information.