Potential Employer Wants Access to Facebook Account

By Paul Irlando

A Maryland Department of Corrections policy requiring potential employees to hand over their Facebook username and password information has gone too far, says the American Civil Liberties Union. They’re probably correct.

In April 2010, after three years of employment, Robert Collins took personal leave from his job as a Corrections Supply Officer with the Maryland Department of Public Safety and Correctional Services. Planning to go back to work in November, Mr. Collins applied to be recertified and was called for an interview with a DOC investigator. During the interview, Mr. Collins was directed to provide his Facebook username and password. He did, and watched while the interviewer inspected his profile for several minutes. The interviewer also indicated that the DOC would continue to login as Mr. Collins for up to two months, while it completed its background check.

This did not sit well with Mr. Collins, who contacted the ACLU of Maryland. And then things really got interesting, with the ACLU issuing a press release and subsequent YouTube video about the DOC practice, and then, in January, sending a letter to the Maryland DOC questioning the legality of the practice and asking the DOC to rescind it. On February 22, the DOC suspended the requirement for forty-five days pending a review of the policy.

Is the requirement illegal as the ACLU suggests? The Maryland DOC said it inspects social media profiles to weed out potential employees with gang affiliations, a legitimate concern considering the nature of the work. Does an individual’s privacy right outweigh the DOC’s interest? The Washington Post reported the story, but didn’t address the legal issues. We’ve done some research. Here’s what we think:

Because the phenomenon of social media is relatively recent, there is little case law on situations in which people were required to turn over their login information so others could access their online profiles.

In 2010, judges in New York and Pennsylvania concluded that plaintiffs were required to provide defendants access to the private portions of their social media profiles because the defendants’ need for the information to mount their defenses was outweighed by any privacy expectation the plaintiffs may have had.

Both were personal injury cases in which the plaintiffs claimed that their injuries affected their full enjoyment of life. In each case, the defendant argued that the publicly available portions of the plaintiff’s social networking sites provided evidence contrary to the plaintiff’s claim of inability to enjoy life, leading the defendants to believe that more such information was available on the private portions of the sites. The judges agreed.

On the other hand, in a recent New Jersey case with facts more similar to Mr. Collins’ situation, a jury ruled against an employer who coerced an employee to divulge her password information which led the employer to a co-worker’s social media site. Armed with the password information, the employer accessed the co-worker’s site, found a variety of statements disparaging the employer, and then fired the co-worker. The jury awarded damages against the employer because the employer had violated a federal law making it illegal to intentionally access a social media service without valid authorization.

What separates the New York and Pennsylvania cases from the New Jersey case is that in the former, the defendants filed motions in court to have the login and password information released by a judge, a procedural exception under the federal law. The judges in those cases found that on a personal injury claim, when a plaintiff sues, the defendant is generally permitted access to any unprivileged materials that may be relevant both to the issue of damages and the extent of a plaintiff’s injury. In the New Jersey case, the defendant didn’t seek judicial authority to get the login and password information from its employee. Rather, the employer threatened the employee with termination if the employee did not hand over her login and password information, which led it to her co-worker’s site.

Because Mr. Collins’ situation arose in an employment context and because the Maryland DOC did not seek a judicial order to access his Facebook account, it appears that Mr. Collins has a strong claim against the Maryland DOC for violating his privacy rights. While Mr. Collins did hand over his information “voluntarily,” he told the Post and ACLU that he felt he had to in order to be considered for recertification, just as the plaintiff in the New Jersey case feared termination if she didn’t comply with her employer’s request.

The Maryland DOC and other employers that require social media login and password information during hiring also risk violating anti-discrimination laws. Federal law does not allow employers when hiring to ask certain questions about topics such as race, religion, sexuality, or national origin. While some people freely display this information on their Facebook profiles, others take advantage of privacy settings to keep such information confidential. If an employer forces a candidate to open his social media sites and thus learn about his protected status in any category, the employer may become vulnerable to claims that such information was improperly used to reach an adverse hiring decision.

Simply put, while case law is sparse, the Maryland DOC policy appears to violate federal law. While it is important for the Maryland DOC to ensure that its employees undergo sufficient background checks, its current social media policy goes too far. Who wouldn’t be outraged if an employer asked them to hand over their diary, a personal photo album, or private email messages? Handing over Facebook login and password information can equate to just that.

UPDATE:  March 6, 2012:  Giving away your Facebook password actually violates its Terms of Service, which says “You will not share your password … let anyone else access your account or do anything else that might jeopardize the security of your account.”  But that’s not stopping employers and schools from asking the information. Or even demanding it.  Read more here.


1 Comment »

One Response

  1. John Harding says:

    Great post! Couple observations: 1) In the personal injury suit – employers or their insurers routinely hire PIs to follow and/or investigate claimants. If a claimant has information visible in the public domain (ie. without bypassing privacy settings) that may point to the invalidity of their claim, I agree with the procedure of filing a motion and seeking a court order for further investigation. 2) While I find it no less reprehensible, it is harder for a clear-cut conclusion in the instance of an existing employee. Asking to view someone’s otherwise private Facebook profile would most certainly be coercive, create a hostile work environment, could be equated to harassment and is unquestionably a violation of privacy. I think your conclusions and those of the court are correct. 3) My biggest concern is with employers now thinking it is OK to require access to an applicant’s Facebook profile (by granting access through “friendship” or through a log-on) as part of pre-employment screening. This is a clear violation of Title VII, a clear invasion of privacy, disregarding one’s civil rights, and ENTIRELY different from a formal background check which would access court records, arrest records, licensing records, disciplinary actions and other legitimate types of information. While an applicant would understand the request to grant a background check, I for one would not understand the request to view my Facebook profile but might feel compelled to grant access in order to be considered. This practice has no relevance or place in a hiring process, under ANY circumstances, and should quickly and resoundingly be stopped by the courts…