Should You Ask Job Applicants or Employees for Their Social-Media Passwords?, By Daniel I. Prywes Bryan Cave LLP
Daniel I. Prywes is a partner in Bryan Cave LLP’s Washington, D.C., office. He concentrates his practice in commercial and employment litigation.
Many employers currently look at job applicants’ public profile on social-media sites, such as Facebook, to gain insight into their character and suitability for employment. Now, however, some employers are going a giant step further, and are asking applicants to provide the employer with passwords or other means of accessing the private areas of applicants’ social-media accounts. This practice is reportedly more common among state agencies seeking to fill law-enforcement related positions.
Facebook reports that, in the past few months, it has seen a “distressing increase” in reports of job candidates being asked for their passwords. It has condemned that practice, which it states is against its terms of service. Facebook has also stated that it will engage policymakers, and may take legal action, to prevent these practices.
Federal law (such as the Stored Communications Act) and many states’ laws prohibit employers from gaining unauthorized access into private areas of a social-media account. When employers ask job applicants for their consent to such access, applicants are presented with two unpleasant choices: (1) sacrifice privacy and expose private and possibly embarrassing information, or (2) lose a job opportunity in a difficult labor market.
Many observers have condemned this practice as a severe invasion of privacy. It undoubtedly does invade privacy, but that does not necessarily mean that it is illegal, especially in the private sector.
Public Employee Get Some Protection
The Supreme Court has ruled that government employees have some protection, under the Fourth Amendment of the Constitution, against unreasonable searches of their records by their employers, although the full scope of that protection is unclear under recent precedents. City of Ontario v. Quon, 30 ILR 1, 130 S. Ct. 2619 (U.S. 2010) (15 ECLR 983, 6/23/10) (police were permitted, without a warrant, to access police employee’s text messages on a police-owned pager for a non-investigatory, work-related purpose). In most circumstances, current government employees may argue with some force that the Constitution prohibits their government employers from requiring them to provide access to private social-media accounts. Job applicants for government employment may advance similar claims, but their position may be weaker, especially for sensitive types of jobs that have always required detailed background checks.
Private Employees Less So …
Private-sector employees or job applicants, however, lack any constitutional protection against requests for social-media access, since the Fourth Amendment only protects persons from “state action” (meaning acts of the government). The federal Stored Communications Act and other laws prohibit private-sector employers from accessing applicants’ social-media accounts without their consent. However, current law generally provides no clear, unambiguous prohibition against requests by private-sector employers for consensual access to those accounts.
… Unless Already Hired
Private employers face significant risks if they ask current employees to consent to the employer accessing their private social-media accounts. In 2009, a New Jersey federal court upheld a jury’s finding that an employer’s use of an employee’s password information to gain access to a private website was “unauthorized” because the employee had felt coerced into providing the information due to concern that she would get in trouble if she refused. Pietrylo v. Hillstone Restaurant Group, Civil No. 06-5754, 2009 ILRC 2705, 2009 U.S. Dist. LEXIS 88702, 29 I.E.R. Cas. (BNA) 1438 (D.N.J. Sept. 25, 2009) (14 ECLR 1436, 10/7/09). The National Labor Relations Board may also object to such requests, because it has taken action to challenge employer actions that chill employees’ ability to communicate freely on social-media sites about working conditions. See NLRB General Counsel Report, Mem. 10-31 (Jan. 24, 2012) (17 ECLR 224, 2/1/12).
Employers should not assume that they can lawfully access an employee’s private social-media account just because an employee accessed the account on an employer-owned computer. In an analogous case, New Jersey’s Supreme Court ruled that an employer could not use forensic means to review emails on a company-owned computer sent by an employee over a private, password-protected email account, even though the employer had a policy permitting it to access all information on its computers. Stengart v. Loving Care Agency, 29 ILR 399, 990 A.2d 650 (N.J. 2010) (15 ECLR 543, 4/7/10). In another case, a court ruled that an employer acted unlawfully when it discovered a former employee’s password to private email accounts on a company-owned computer, and then used that password to access the private email accounts. Pure Power Boot Camp v. Warrior Fitness Boot Camp, 2008 ILRC 2907, 587 F. Supp. 2d 548 (S.D.N.Y. 2008).
Applicants’ Hobson’s Choice
Since a job applicant has a choice to refuse providing access to a private social-media account (albeit at risk of losing a job opportunity), employers can argue that a cooperating applicant has voluntarily provided access and that there is no coercion because the parties are dealing at arms’ length. But there is no guarantee that a court—or jury—will see it that way, since a request made to a job applicant can be viewed as coercive to some extent: if consent is not granted, the applicant will not be considered for a job.
Accordingly, until there is greater clarity in the law, employers need to weigh the risks versus the benefits of this type of job-candidate screening. Employers should consider whether the information being sought from job applicants through access to private social-media accounts is truly necessary, or if sufficient information about the candidate can be obtained by more traditional means (interviews, thorough reference checks, use of credit reporting agencies, psychological testing, etc.) without stepping into the privacy buzz-saw and risking negative publicity and potential litigation.
In certain cases, employers’ requests for consensual access to applicants’ social-media accounts may seem reasonable. Consider, for example, an elementary school which has some credible basis for concern that a teaching-position applicant is a pedophile, and therefore requests consensual access to the applicant’s social media account to see if it includes child pornography. Critics of employer requests for consensual access—and proponents of new legislation—have not outlined the exceptional circumstances in which such requests may be appropriate despite the worthy goal of protecting privacy.
If employers do gain consensual access to private areas of social-media sites, they need to be careful about how they use any information which they do learn. For example, if they learn that an applicant belongs to a racial minority, and on that basis reject the applicant, they may face liability under the anti-discrimination laws. Therefore, it may be a good practice for an employer who engages in consensual review of an applicant’s social-media account to have someone other than the decision-maker screen the account for red-flag information that may properly be considered to shed light on the applicant’s character or suitability, and to convey only such information to the hiring decision-maker.
Employers must also be careful not to disclose any private or sensitive information they learn to other persons. If they do so, they could be exposed to liability for “publication of private information” under state common law, and they may also risk liability under the Federal Trade Commission’s data privacy rules. In addition, if employers obtain consensual access to private areas of social-media accounts and then provide that access (or information learned through such access) to consumer reporting agencies who actually use it while conducting a background check, special care must be taken to comply with the consent and notice procedures of the Fair Credit Reporting Act.
Federal Legislators Stirring
With recent publicity about this controversial hiring practice, there are increasing calls to change the legal landscape in favor of job applicants’ and employees’ privacy interests. Senator Blumenthal, from Connecticut, has announced that he is preparing a bill to regulate the controversial hiring practice (with exceptions for sensitive jobs in law enforcement or national security). Senators Blumenthal and Schumer have also called upon the U.S. Department of Justice and U.S. Equal Employment Opportunity Commission to investigate whether this hiring practice violates federal law (17 ECLR 586, 3/28/12). These two Senators’ efforts have a long way to go before they result in an actual law.
On March 29, 2012, the U.S. House of Representatives rejected an amendment to the Federal Communications Commission Reform Act that would have prohibited employers from requesting access to job applicants’ social-media accounts. However, the vote on that amendment—which was offered at the last minute to amend an unrelated bill, without going through Committee review—should not be taken as a definitive rejection of such legislation.
State Legislators Moving
On April 9, 2012, Maryland became the first state in the nation to pass a bill that prohibits employers from asking job applicants or employees for access to their social-media sites. The Governor is expected to sign the bill into law shortly.
The Maryland bill (first introduced as S. 433) states that “an employer may not request or require that an employee or applicant disclose any user name, password, or other means for accessing a personal account or service through an electronic communications device.” It further prohibits an employer from refusing to hire “any applicant as a result of the applicant’s refusal to disclose” the password or user-name information needed to access the personal account.
The Maryland bill will also protect persons, once employed by the employer, against discharge, discipline or penalties (or threats of such action) for failure or refusal to provide information needed to access their social media accounts.
The Maryland bill provides only two limited exceptions relating to current employees. First, it permits an employer to investigate a current employee’s use of a personal social-media account “for business purposes,” in order for the employer to ensure compliance with regulatory requirements. Second, it permits an employer to investigate an employee’s unauthorized downloading of the employer’s proprietary information or financial data onto a personal social-media account or web-based account.
The Maryland legislature also considered a bill (S. 434) to prohibit post-secondary educational institutions from requesting access to the private areas of students’ or applicants’ social-media accounts. This bill passed the Maryland State Senate, but was not passed by the House chamber before the legislative session ended.
State legislation to outlaw employer requests for access to social-media accounts is moving forward in several states, including Illinois, California, Minnesota, Michigan, and Massachusetts (17 ECLR 254, 2/8/12), and legislators in several others (including New York and New Jersey) have expressed an intention to do so.
Among these states, the Illinois bill (House Bill 3782) ) has made the most progress. This bill has passed the Illinois House and is presently being considered in the State Senate. It would make it unlawful for “any employer to ask any employee or prospective employee to provide any password or other related account information in order to gain access to the employee’s or prospective employee’s account or profile on a social networking website.”
There are several noteworthy aspects of these proposed new laws.
Noteworthy Features of State Legislation.
There are several noteworthy aspects of the state legislative efforts.
1. Although the Maryland bill and other states’ bills (if passed) would technically apply in only those states, many large employers with facilities across the country may decide to apply the restrictions nationally. That is particularly true if several of the larger states (measured by population) enact such laws. Otherwise, employers will have to develop different procedures for hiring in different states. In effect, the most restrictive state laws can set a de facto standard nationally. The problem of varying state laws will likely become more acute if additional states pass legislation on this subject.
2. Employers who are prepared to apply different hiring procedures in different states will need to determine the territorial scope of the Maryland bill, and other states’ laws. For example, would the Illinois statute (if enacted) apply to a Fortune 100 company headquartered in Illinois if that company’s hiring personnel in Illinois (or in another state) should request access to the social-media account of a job applicant living in Kentucky for a job in that state? In that scenario, the safest course for the employer is to not request such access. Of course, if Congress legislates in this area, its law will apply nationally.
3. The Maryland bill—and the proposed Illinois law—do not make any exception for applicants to especially sensitive jobs involving public safety, such as law-enforcement personnel, child-care workers, transportation personnel, etc. They also make no exception even if the employer receives information from other sources that raise suspicions about a job applicant.
4. The Maryland bill, and the proposed Illinois law, differ as to whether an employer can ask a current employee to provide access to his or her personal social-media account when an investigation into misconduct is underway. As noted above, the Maryland bill does not prevent an employer who receives information about the use of an employee’s “personal Web site” or “Internet Web site” for “business purposes,” from “conducting an investigation for the purpose of ensuring compliance with applicable securities or financial law, or regulatory requirements.” The Illinois bill contains no such language. But even the Maryland bill would not allow an employer to ask for access to an employee’s or applicant’s social-media account, if for example, it receives reports that a police officer has been posting material about his use of illegal drugs on his Facebook account. It remains to be seen if courts will read exceptions into what appear to be blanket prohibitions against requests for consensual access when the same information could be sought through a warrant in a criminal investigation, or through a document subpoena in civil litigation.
5. Finally, in some cases, state-enacted prohibitions on requesting access to social-media accounts may conflict with federal regulatory schemes prescribing the scope of background investigations or oversight for private-sector employees involved in sensitive work (such as employees of firms dealing with nuclear plants, transportation systems or vehicles, child-care workers, eldercare, financial institutions, hazardous waste, aviation, homeland security, etc.). Therefore, the new laws may prompt a wave of litigation addressing whether and to what extent state-enacted provisions are preempted by federal law.
One thing seems fairly certain—there will be legislation in at least a few more states (and maybe the federal level) to tackle this new hiring practice. It remains to be seen how broad the new laws will be, and how they will affect employers, job applicants, and employees.
This document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney-client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. Bloomberg Finance L.P. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.
© 2012 Bloomberg Finance L.P. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of Bloomberg Finance L.P.