(Reuters) — A wave of new legislation limits employers from asking employees and job applicants for their Facebook and other social media passwords. But lawyers caution that the laws, which vary by state, may have pitfalls and unintended consequences.
Seven states — Arkansas, Colorado, New Mexico, Oregon, Utah, Vermont and Washington — have passed legislation this year aimed at protecting employee passwords, according to the National Conference of State Legislatures. Six states passed laws in 2012, and legislation is pending in 36 other states.
State legislatures took up the issue after news reports focused on specific incidents in which employers asked job applicants for social media passwords. One that became a cause celebre in 2011 occurred in Maryland, where the state's corrections department reportedly wanted to peruse applicants' Facebook accounts to ensure they were clean of any gang affiliations.
After the American Civil Liberties Union decried the practice, the state dropped it and in April 2012, Maryland became the first state to enact a law prohibiting employers from asking applicants and employees for passwords.
But employment lawyers questioned whether the laws were addressing a real issue, and said they block employers from asking for passwords for legitimate reasons.
There is little empirical evidence that employers ask for passwords, and Facebook and other social media sites already have user agreements that bar employers from using employee passwords.
"I think this is legislation searching for a problem to solve," said Philip Gordon, chair of the privacy and data protection practice at Littler Mendelson, an employer-side law firm. "I think it's a legislative overreaction."
Gordon has tracked the legislation across the states and said he is not aware of any legislatures that conducted hearings on the issue before considering a bill.
Laws vary by state
In rare instances when employers ask for passwords, employees would have other avenues to sue, such as federal anti-discrimination laws, if they felt harmed, Gordon said.
Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse, a privacy group that supports the laws, agreed that anecdotal evidence suggests the practice is not widespread. Still, he said, he is pleased to see these new laws on the books.
"I think this is a situation in which state legislatures have been proactive in cutting it off before it becomes a prevailing practice," said Stephens. "In most areas, legislation lags far behind technology."
But corporate defence lawyers said many of the state laws are overly broad.
"In many cases, the laws are very unequivocal and allow for very few exceptions. They would prevent employers, even in cases where there are legitimate grounds, from requesting passwords," said Behnam Dayanim of Paul Hastings. Employers would not be able to co-operate with law enforcement or investigate national security concerns in some cases, he said.
The specifics of the new laws vary by state. For example, the law in New Mexico prohibits employer password requests only to job applicants, and not employees. Other states apply the prohibition to both.
States such as Michigan and Oregon have enumerated exceptions to the prohibition, like allowing employers to request passwords if they are conducting an internal investigation or co-operating with law enforcement. States such as Maryland are more open-ended. Different states specify different penalties for violations — and some don't identify any penalties at all.
"I think it's very difficult for employers to navigate the different intricacies of the laws," said Adam Forman, an attorney at Miller Canfield who has tracked the legislation.
There have been no publicized challenges to the legislation so far, and defence-side lawyers agree the legislation suggests a growing interest in individual privacy.
"One may conclude that the privacy pendulum is starting to swing in favour of protecting privacy rights of employees," Forman said.