Not a Member?  Become One Today!

Potentially Illegal Practice of Demanding Passwords Criticized

By Allen Smith  4/3/2012
 

Growing but still rare. That’s the way Laura Friedel, an attorney with Levenfeld Pearlstein in Chicago, would characterize private-sector employer requests for applicants’ or employees’ Facebook e-mail addresses and passwords.

“Our clients are asking about it more, but few have implemented policies requiring applicants or employees to provide Facebook log-in information, log in to Facebook in front of or ‘friend’ company representatives,” she told SHRM Online.

But while requesting this information might be unusual among employers generally, Kenneth Wisnefski, social media expert and founder/CEO of WebiMax, said: “We see this very often, especially in public service work including teachers, police and government officials.”

Facebook itself reported that in the last few months it has “seen a distressing increase in reports of employers or others seeking to gain inappropriate access to people’s Facebook profiles or private information,” according to Erin Egan, chief privacy officer, policy, with Facebook, in a March 23, 2012, posting.

“We don’t think employers should be asking prospective employees to provide their passwords because we don’t think it’s the right thing to do,” Egan added.

“We’ll take action to protect the privacy and security of our users, whether by engaging policymakers or, where appropriate, by initiating legal action, including by shutting down applications that abuse their privileges,” Egan cautioned.

Window into Personal Behavior

Employers that seek passwords for Facebook pages are looking for a window into personal behavior, Friedel noted.

“For applicants, they may be looking to determine whether a candidate presents herself professionally, has a tendency to post a lot during working time or says bad things about past or current employers,” Friedel remarked. “For current employees, employers are often looking for evidence of rules violations, such as disclosure of confidential information, posting during the workday, playing hooky or even inappropriate interactions between co-workers. Though it runs afoul of labor laws, some employers may also be looking for information regarding union organization or other concerted employee activity.”

Infrequently Tested Theories

There isn’t a law on the books that prohibits most employers from requesting passwords from applicants or employees, but when employers access social media information, they open the door to liability under several theories, Friedel cautioned.

Accessing individuals’ social media sites might make the employer aware of information, such as religion and disability, which cannot be considered legally in making employment decisions. “Once the employer knows this type of information, it is open to claims that employment decisions were motivated by it in violation of Title VII, the Americans with Disabilities Act, the Genetic Information Nondiscrimination Act and other federal, state and local laws,” she said. “Importantly, if the information reviewed includes discussions with co-workers that could be considered protected concerted activity, the employer could also be found to have violated the National Labor Relations Act, even if it is a nonunion workplace.”

She noted that some employee advocates argue that because individuals don’t really have a choice whether to provide Facebook log-in information, they can’t be deemed to have consented to employer access, and so employers that view employees’ Facebook pages are violating the Stored Communications Act.

A New Jersey district court in 2009 upheld a jury’s determination that an employer violated the Stored Communications Act when its managers accessed a chat group on MySpace without authorization after the managers coerced an employee to provide her MySpace log-in information to the managers (Pietrylo v. Hillstone Restaurant Group, C.A No. 06-5754 (FSH) (D. N.J. 2009)), noted Peter Gillespie, an attorney with Fisher & Phillips in Chicago.

Some have taken the position that demanding passwords violates the Stored Communications Act across the board, but this is not clear cut, cautioned Michael Schmidt, an attorney with Cozen O’Connor in New York.

“Government employees or job applicants may argue that the practice of requesting consent for access to a social media account is prohibited by the Fourth Amendment of the U.S. Constitution, which protected against unreasonable searches by the government,” remarked Daniel Prywes, an attorney with Bryan Cave in Washington, D.C.

“Private-sector employees do not have rights against their employers who are not governmental entities under the Fourth Amendment. But they may try to argue that common-law invasion-of-privacy principles apply. Efforts will be made to shoehorn this practice into the prohibitions of other statutes,” he said. “However, the bottom line is that all these theories are untested, so at this time there is no widely applicable law that clearly prohibits this controversial practice.”

Proposed Legislation

Friedel noted that there are bills pending or proposed in at least five states (California, Illinois, Maryland, Massachusetts and Minnesota) that would prohibit employers from requesting user information and requiring access to social media content, though she said some of these bills would cover only government employers.

“With the attention that this issue is receiving, we expect to see more state legislators following suit,” she added. “There is also a push on Capitol Hill to determine whether requesting and using Facebook log-in information violates any laws already in place.

“Beyond the legal risks, there is also an employee morale and retention risk,” Friedel cautioned. “Many of our clients who consider implementing such requirements ultimately come to the conclusion that they are uncomfortable with the ‘big brother’ aspect of monitoring employees in this way.”

Allen Smith, J.D., is manager, workplace law content, for SHRM.

Copyright Image Obtain reuse/copying permission