News: Employers Denied Ability to Obtain Passwords


  • National Dentex Corporation
  • Public company merger with GeoDigm Corporation
  • Fletcher Granite Company, LLC
  • Chapter 11 liquidation of largest U.S. supplier of granite curb
  • The Viridian
  • 200-residential unit development, Boston, MA

Employers Denied Ability to Obtain Employees’ Passwords to Social Media Accounts

Nancy Puleo December 19, 2012

Three states have recently enacted laws prohibiting employers from:  (i) requiring or requesting an employee or applicant to disclose a username, password, or other means of accessing a personal social media account; and (ii) discharging, disciplining, threatening to discharge or discipline, or retaliating against an employee or applicant for refusing to comply with such a requirement or request.  At least eleven other states, including Massachusetts, have similar pending legislation.  At the federal level, two similar social media bills are pending: the Social Networking Online Protection Act (“SNOPA”) and the Password Protection Act (“PPA”).

Of the three states that have enacted laws regarding employer access to applicant/employee passwords, Maryland is the only state where the law has taken effect.  Maryland legislators became aware of this issue as a result of publicity given to an incident involving an employee of the state’s Department of Corrections who was asked for his Facebook password in connection with a job recertification process.  The interviewer wanted to establish that the employee did not have gang contacts that could compromise his ability to perform his job.  Although reluctant to provide the information, the employee felt he had no choice.  He provided his password and watched while the interviewer logged on to his Facebook account and reviewed his messages, wall posts, and photographs.  After the incident, the employee contacted the Maryland office of the American Civil Liberties Union, which resulted in a push for legislation.  The legislation passed with overwhelming support.

The Maryland law, and many of the states’ pending bills, allows employers to investigate an employee’s use of a personal web-based account if the investigation is for the purpose of ensuring compliance with certain laws or regulatory requirements and the employer has information about the employee’s use of a personal website for business purposes.  Employers may also investigate an employee’s social media activities if they receive information regarding the employee’s unauthorized downloading of the employer’s proprietary information to a personal web-based account.  Generally, employers may also require employees to disclose log-in information for non-personal accounts and services that provide access to the employer’s own computer or information systems. 

On the federal side, SNOPA essentially mirrors the recent state laws prohibiting employers from requiring employees to provide user name, password, or other social media account access information.  SNOPA would be enforced by the United States Department of Labor and, in the current form of the bill, does not provide for a private cause of action by the aggrieved employee.  PPA seeks to amend the federal criminal code to impose a fine of up to $10,000 to any employer who knowingly and intentionally compels or coerces any person to provide the employer with a password or similar information to access a computer not owned by the employer or retaliates against any employee for his or her refusal to authorize such access.

These developments mark a new landscape for employers.  While the idea of asking employees or applicants for personal passwords may seem offensive to some companies, many employers have opted for less intrusive “shoulder surfing,” where the applicant or employee is required to log in to his or her account while being observed by the employer.  This practice is not without implications.  Notably, the Maryland law extends its prohibition to “shoulder surfing”.

Yet other employers perform their own due diligence by trolling the Internet for information on applicants and employees.   According to a 2012 survey from CareerBuilder, nearly two in five companies (thirty-seven percent) use social networking sites to research job candidates.  Of the employers who do not research candidates on social media, fifteen percent said their company prohibits the practice. Eleven percent of employers reported that they did not use social media to screen applicants, but planned to start doing so.  Even this seemingly benign online research activity has consequences.  For example, a prospective employer may find pictures of an applicant that reveal the applicant’s advanced age, pregnancy, disability, such as an applicant who uses a wheelchair.  The use of this lawfully obtained information is inherently risky, as state and federal laws against discrimination prohibit employers from considering legally protected statuses such as age, pregnancy, and disability in employment decisions.  Contrast that example with the employer who does not perform its own due diligence on an applicant only to miss that the applicant has criminal convictions in multiple states for crimes that have direct bearing on the position for which the applicant is being considered.  The employer, though safe from the reach of social media laws, is at increased risk for claims of negligent hiring and/or retention.  Although there is no universal rule book for what employers should and should not do with respect to the resources on the Internet, thoughtful and consistent practices can limit employers’ liability risks.

Proactive Steps for Employers

In light of the general public support for these social media laws and the pending legislation in numerous states, employers should review and reevaluate all social media access policies.  Even in the absence of a legal prohibition, employers should clearly define the legitimate business considerations underlying such policies.   A policy narrowly applied to positions affecting health, safety, financial resources, and security, which clearly articulates these legitimate concerns, is more likely to withstand a legal challenge.  Employers who access social media should do so in the most conservative way possible, confining the information to as few people as practicable, while bearing in mind the challenges posed by privacy claims.  Lastly, employers should develop a system to address the problem of having too much information regarding applicants and employees.  One solution is to use a person not involved in the hiring or employment decision to perform online research for relevant information, while keeping the ultimate decision-makers unaware of information pertaining to state and federally-protected categories, such as age, disability, and pregnancy.

If you have any questions or need additional information regarding this, please contact Nancy J. Puleo.

This Alert is provided for information purposes only, and does not constitute legal advice.  According to Mass. SJC Rule 3:07, this material may be considered advertising. ©2012 Posternak Blankstein & Lund LLP.  All rights reserved.

Thank you for your interest in our firm. Before sending us an email, we ask that you please confirm your understanding of the following information. Our Web site,, is intended for general use and is not legal advice. Your email is not intended to create, and our receipt of it does not create or constitute, an attorney-client relationship. Any information that you provide to anyone at our firm cannot be considered confidential or privileged unless we agree to represent you. By sending this email, you confirm that you have read and understand this notice.

Processing email...