Maryland “Facebook Law” Regulates Employer Access to Social Media Accounts
By: David A. Tallman, Andrew L. Caplan
It is increasingly common for employers to request that job applicants and employees divulge the passwords to their Facebook accounts and to other social media sites. This trend has not gone unnoticed by the media and privacy advocates, which view this practice as an intrusive violation of individual privacy. On the other hand, employers often have valid reasons to exercise oversight over social media activities, especially in financial services and other highly regulated industries where employees’ activities may be more likely to cause the company to incur liability.
This month, the Maryland General Assembly stepped into the debate by passing a law that will prevent employers from accessing the personal social media accounts of their employees and job applicants. Subject to certain exceptions, Senate Bill 433 (“S.B. 433”) provides that “an employer may not request or require that an employee or applicant disclose any user name, password, or other means of accessing a personal account or service through an electronic communications device.” S.B. 433 also provides that an employer may not discharge, discipline, or penalize (or threaten to discharge, discipline, or penalize) an employee based upon the employee’s refusal to disclose access to the employee’s personal social media account. A similar prohibition exists with respect to prospective employees – an employer may not fail or refuse to hire a job applicant based upon the applicant’s failure to provide access information to a personal social media account.
The prohibitions in S.B. 433 do not come without exceptions. For example, an employer is not prohibited from accessing an employee’s personal accounts in connection with an employee downloading company proprietary information and financial data. Moreover, S.B. 433 contains a significant exception that appears intended to address the concerns of financial services companies. Specifically, an employer may access an employee’s “personal web site, internet web site, or web-based account, or similar account,” if: (i) the employer receives information that the account is being used for a business purpose; and (ii) the purpose of the access is to ensure compliance with “applicable securities or financial law, or regulatory requirements.” Since S.B. 433 does not define “applicable securities or financial law, or regulatory requirements,” it is uncertain how broadly this exception will be construed in practice. It is also noteworthy that the exception only permits an employer to access an employee’s personal account when the employer has reason to believe that the account is being used for business purposes. This effectively means that financial institutions will not be able to access an employee’s personal account until after the damage is done.
Maryland appears to be one of the first states to pass legislation that specifically addresses this increasingly high-profile issue. While the exceptions articulated in the bill do not appear to permit financial services companies to either request or require job applicants or employees to disclose their social media log-in credentials in order to monitor social media activity on an ongoing basis (unless the employer has information to suggest that the account is being used for business purposes), there remain other less intrusive social monitoring techniques that companies might employ. For example, an employer might ask its employees to “friend” a social media account controlled by the compliance department or otherwise take steps to make social media account activity visible to the company.
S.B. 433 demonstrates that social media monitoring is an increasingly sensitive issue – and it seems likely that other states will follow Maryland’s lead by passing legislation to prevent perceived overreach. Financial services companies must be prepared to incorporate these legal requirements into their social media policies.