Maryland Takes the Lead on Social Media Access Legislation

Maryland Governor Martin O'Malley is expected to sign a ground-breaking bill passed last week by the Maryland General Assembly. The bill prohibits employers from requesting or requiring applicants or employees to provide information that would allow an employer to gain access to social media websites such as Facebook, as well as other personal Internet sites and web-based accounts. The bill will become effective October 1 of this year. The bill also prohibits an employer from taking adverse personnel action against an applicant or employee who refuses to disclose access information.

A similar bill is pending in the Illinois state legislature. Legislators in other states are considering addressing the issue, and several members of Congress are currently drafting federal legislation on the topic. Proponents of such legislation assert that individuals have a reasonable expectation of privacy with respect to personal web-based accounts such as Facebook accounts. Facebook's chief Privacy Officer weighed in on the subject two weeks ago, noting that that an employer's solicitation of a Facebook password violates its recently amended statement of rights and responsibilities. 

So we have yet another trend in the murky area of privacy law. Yet like many initiatives in this area, this one seems to ignore the other side of the argument. Sophisticated employers rarely seek access to personal web-site accounts in an exercise of gratuitous snooping. Instead, employers that are interested in information from such accounts are typically responding to pre-existing legal obligations. Others are exercising understandable prudence in trying to avoid legal claims and run their businesses in a sensible manner. 

For example, employers often have a legal obligation to investigate allegations of employee misconduct, including claims of harassment. Information posted on web-based accounts may be relevant, among other things, to determine whether such allegations are credible. Employers in most states can be sued for negligent hiring. Information posted by an individual on social media sites may be relevant in determining whether hiring that person is an acceptable risk; most companies would understandably prefer not to make a job offer to someone who appears to be an active sexual predator. 

Moreover, information contained on social network sites can be valuable to the employer in defending against a variety of employee claims. Although the Maryland bill does not prevent an employer from conducting an investigation "for the purpose of ensuring compliance with applicable securities or financial law, or regulatory requirements" based on the receipt of information about certain uses of a personal web site, the bill is silent on whether an employer can get access to such sites in order to defend against employee claims, even through formal discovery in litigation.

This initiative is significant because of the suggestion by proponents (either explicit or implied) that a legally cognizable right to privacy applies in this context. The question of what, if any, reasonable expectation of privacy a person should have with respect to Facebook posts is unsettled. Its resolution requires an extension of traditional legal principles in this area, and not just because of the use of technology. 

Lawyers and human resources professionals with experience in the public sector know that it is extremely challenging to manage these issues in the context of fourth amendment principles. Some of these challenges are illustrated by the Supreme Court's 2010 decision in City of Ontario v. Quon, 130 S.Ct. 2619 (2010), in which the Court reversed the Ninth Circuit and held that a public employer was permitted to review text messages generated by a police officer on a city-issued pager. The Court's three opinions in this case, particularly Justice Scalia's concurring opinion, are well worth reading for readers who are not yet familiar with these issues.

This initiative is part of the larger trend of steps taken by government agencies and private plaintiffs to move the law in this area.  For example, the National Labor Relations Board has taken an aggressive enforcement position with respect to the legality of employer social media policies under the National Labor Relations Act.

Scott McNealy, CEO of Sun Microsystems, famously quipped that people concerned about consumer privacy should "get over it," because we "have zero privacy anyway." Irrespective of whether one agrees with Mr. McNealy, employers should keep a close eye on this latest trend, as it is by no means clear that the importation of fourth amendment concepts to private sector employment in this context is a good idea, for either employers or employees.