The Just-Signed New Jersey Law
On Thursday August 29, New Jersey Governor Chris Christie signed revised legislation, namely A.B. 2878, which, among other restrictions, forbids employers to ask applicants or employees for their social-media or other online logins/passwords. A few months back, on May 6, Gov. Christie had conditionally vetoed a prior iteration of the bill, asking that it not rein in employers so much.
For example, the Governor sought — and ultimately obtained by an August 19 unanimous vote — amednments that would allow employers to conduct various types of investigations and not prohibit “an employer interviewing a candidate for a marketing job . . . from asking about the candidate’s use of social networking so as to gauge the candidate’s technological skills and media savvy.”
Similar Laws in Force in a Dozen Other States
New Jersey joins the following 12 other states that have enacted similar bans during since May 2, 2012:
— Already in force:
Michigan; New Mexico; Utah; Vermont; and Washington
— Taking effect soon:
Some of those states’ statutes contain very broad prohibitions. Others, like Michigan’s and New Jersey’s, grant employers some exceptions, usually encompassing workplace investigations.
Delaware has also enacted an analogous ban, which, although not directed at employers, focuses on universities vis-a-vis students.
For a very good recent article on the various approaches the states have taken, see Philip L. Gordon and Joon Hwang, Making Sense of the Complex Patchwork Created by Nearly One Dozen New Social Media Password Protection Laws, Workplace Privacy Counsel (July 2, 2013).
Controversy re: These Login/Password Bans
The wave of state legislation in this context is a privacy victory for employees, job seekers and/or students. But, from the management perspective, many have criticized the stricter of these laws as addressing a discrete (non-)issue with a blunt instrument approach. See, e.g., Molly DiBianca, Michigan Enacts Social-Media Privacy Law, Delaware Employment Law Blog (Dec. 30, 2012).
Others have noted that a greater priority should be a modernization of the federal Electronic Communications Privacy Act (“ECPA”). Behnam Dayanim, Employee Privacy Forces Legislation, Recorder (Aug. 8, 2012) (“these ‘bullet bills’ … represent a missed opportunity both to update the SCA to reflect today’s technology and to re-engage . . . over the broader policy questions.”) (LEXIS ID and password needed).
Indeed, the federal Stored Communications Act (SCA) — Title II of the ECPA — of is sorely in need of an update as its outdated provisions do not come close to addressing modern technology and 21st century methods of electronic communications. The SCA was passed in 1986 to try to address that new-fangled technology known as voicemail.
The only amendment to the SCA since its 1986 inception was via the USA PATRIOT Act, hastily passed just weeks after 9-11 to make it easier for prosecutors to obtain from Internet Service Providers the missives of potential terrorists. The SCA’s sister provision, the Wiretap Act — now Title I of the Electronic Communications Privacy Act (ECPA) — has barely been changed since way back in 1968, when wiretapping on phone calls was the primary concern.
Note, though, that the SCA has been interepreted many times by various federal courts to criminalize and provide civil damages for anyone who illictly obtains an individual’s login credentials and then accesses a password-protected online environment. See Robert D.Brownstone, eWorkplace II White Paper (Apr. 3, 2012), at 19-20 (.pdf pp. 24-25).
But see also this brand new piece, Philip L. Gordon, New Jersey Court’s Decision Provides Roadmap For Access To Employees’ Restricted Social Media Content, Workplace Privacy Counsel (Aug. 27, 2013), which addresses a recent decision in a case whose prior opinion was discussed in Venkat Balasubramani, Accessing an Employee’s Facebook Posts by “Shoulder Surfing” a Coworker’s Page States Privacy Claim — Ehling v. Monmouth Ocean Hosp., Eric Goldman Blog (June 4, 2012).
As to a reboot of the ECPA for the 21st century, of course none of us — including our state legislators — can force Congress’ hand.
Congress Asleep at the Switch with SNOPA (why didn’t they call it “SNOOPA”?)
Speaking of Congress, don’t hold you breadth for the oft-threatened ECPA reboot. As in the notice-of-data-breach
context, the states have jumped in to fill the void in this arena because of Congress’ inaction. On the federal level, the
“Social Networking Online Protection Act” (SNOPA) was introduced in the House as H.R. 5050 on April 27, 2012 and
reintroduced on February 6, 2013. But the bill has languished with no activity since then.
Two Dozen More State Bills Pending
Approximately two dozen states have pertinent pending 2013 legislation (linking to 2012 legislation compilation).
Some of those states are considering entering the fray for the first time. Others — California, Delaware, Illinois and Maryland —
are contemplating beefing up or expanding their current provisions.
Open Issue = “Shoulder-Surfing”
Banning forced disclosure of logins/passwords has been the thrust of the pertinent statutes so far. Thus, some of the enacted and pending bills have been silent as to the related practice of “shoulder-surfing” — namely, having an interviewee log into, e.g., her/his Facebook while the interviewer stands or sits behind the prospect so as to see all the private content to which the applicant is instructed to surf.
At first blush, conceptually shoulder-surfing seems quite similar to login/password access. But maybe there are differences, such as that the element of surprise might not allow an applicant the chance to “clean up” his or her social-media possts and friends/followers lists. And maybe, some ban exceptions should exist in certain public sector situations.
Apparently, cities and counties like to be able to try to sniff out whether prospective cops have relatives or friends who are gang members. On the other hand, government action intruding into individual privacy is a constitutional law concern for public agency employers.
As to the various sides and aspects of the shoulder-surfing issue, see generally: Bob Sullivan, Govt. Agencies, colleges demand applicants’ Facebook passwords, NBC News (Mar. 6, 2012). And the above-linked Gordon/Hwang piece sheds some light on which of the first 12 password-bans bans ostensibly did and did not address in-person shoulder-surfing — and on some do’s and don’ts (mostly don’ts).