Maryland became the first state to pass legislation (House Bill 964 and Senate Bill 433) that prohibits employers from asking employees and job applicants for their social media passwords. The legislation also prohibits an employer from (a) taking, or threatening to take, disciplinary action for an employee’s refusal to disclose his or her password, or (b) failing to hire an applicant due to the applicant’s refusal to disclose his or her password.
While generally protective of employees, there is an exception built into the legislation that allows employers to require an employee to disclose certain access information (e.g., user name and password) for “…accounts or services that provide access to the employer’s internal computer or information systems.” Further, an employer is not prevented from conducting an investigation to ensure compliance with applicable securities or financial law, or regulatory requirements if the employer receives information about an employee’s use of a “personal web site, internet web site, web-based account or similar account … for business purposes.” An employer may also conduct an investigation if it receives information about the unauthorized downloading of its proprietary information or financial data to a “personal web site, internet web site, web-based account, or similar account by an employee.”
Although Maryland is the only state to have passed such legislation (as of the date of this blog post, Governor O’Malley had not yet signed the bill into law), several other states like Illinois, California, Minnesota, Michigan, Massachusetts and New York currently have similar bills pending.