04.17.2012 For Maryland Employers the Password is Privacy: How Maryland’s User Name and Password Privacy Protection Law Will Affect Your Business

The Maryland General Assembly recently adopted legislation that would prohibit Maryland employers from conditioning hire or continuation of employment upon an applicant’s or employee’s disclosure of any user name, password, or other means for accessing an online personal account such as Facebook or Twitter.  The law will take effect on October 1, 2012 if signed by Democratic Governor Martin O’Malley.  As a general rule, it will prohibit Maryland employers from retaliating, or threatening to retaliate, against applicants and employees who refuse to provide access to their private media accounts. For example, an employer may not terminate or discipline an employee who refuses to provide the requested information. Similarly, an employer may not refuse to hire an applicant who refuses to provide the same.  


After the effective date, Maryland employers will be permitted to demand access to an employee’s password-protected electronic media accounts solely to investigate information received by the employer that a particular employee:   


  1. Is using a personal website, internet website or web-based account to conduct business, and the purpose of the employer’s investigation is to ensure such employee’s compliance with applicable securities and financial laws and regulatory requirements;

  2. Has conducted an unauthorized download of proprietary information or financial data belonging to the employer and the purpose of the investigation is to determine whether such unauthorized download has occurred.


The new law provides no exception where a Maryland employer receives information that the employee has misrepresented the company, portrayed the company or its managers and supervisors in a negative light, or committed a severe act of misconduct not within the scope of the express exemptions.  Efforts to enact similar legislation are currently being made in Illinois, Minnesota, New York, and California.  


Employers Demanding Access to Password-Protected Accounts May Face Other Liability


In March 2012, Facebook’s Chief Privacy Officer, Erin Egan, issued a statement that it is “a violation of Facebook’s Statement of Rights and Responsibilities to share or solicit a Facebook password.”  Facebook urged its users not to share their password with prospective or current employers, and vowed to “take action to protect the privacy and security of [its] users, whether by engaging policymakers, or, where appropriate, by initiating legal action.”    


Ms. Egan correctly noted that employers who seek password-protected information may generate unexpected liability.  For instance, an employer may open itself up to alleged violations of Title VII if a prospective applicant can show that the employer refused to hire him or her on the basis of a protected characteristic (e.g., age, race, marital status, national origin, etc.) that the employer learned about by visiting the applicant’s social media page.  In addition, employers who obtain information by perusing an applicant’s webpage may trigger obligations to report or preserve certain types of information (e.g., criminal activity).


In addition to Ms. Egan’s concerns, if an employer discovers negative information about a prospective employee through a social media search and still opts to employ that candidate, the employer may be liable if the employee later harms a co-worker, customer, or other third party, and the employer could have foreseen that harm based on the information that it obtained.  


The possibility of criminal liability for employers that require login information to secure social media websites cannot be discounted.  Two Democratic U.S. Senators, Charles Schumer of New York and Richard Blumenthal of Connecticut, have requested that the Department of Justice and the Equal Employment Opportunity Commission investigate whether requiring job applicants to provide this information can constitute unauthorized access in violation of two federal laws. 


Specifically, the Senators believe employers that require login information may violate the Stored Communications Act (“SCA”), 18 U.S.C. § 2701, and the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030(a)(2)(C).  The SCA prohibits intentional access to electronic information without authorization or intentionally exceeding that authorization, and the CFAA prohibits intentional access to a computer without authorization to obtain information.


Recommended Actions


Should Maryland Governor O’Malley sign the new legislation into law, employers with business operations or employees performing services in Maryland should undertake a thorough review of their hiring and employment policies and practices to ensure compliance with Maryland’s new User Name and Password Privacy Protection law.  The employment application should also be reviewed to ensure that applicants are not required to disclose information protected under the legislation.  However, there is no requirement to notify applicants and employees of their rights under the new law.


If you have any questions about this topic, please contact Mary Pivec at (202) 293-8128 or, Ashley Winsky at (757) 473-5316 or or any member of the Williams Mullen Labor & Employment Team.


Please note:
This newsletter contains general, condensed summaries of actual legal matters, statutes and opinions for information purposes. It is not meant to be and should not be construed as legal advice. Readers with particular needs on specific issues should retain the services of competent counsel. For more information, please visit our website at or contact David C. Burton, 757.473.5354 or For mailing list inquiries or to be removed from this mailing list, please contact Julie Layne at or 804.420.6311.