Maryland's New Social Media Law Should Remind Employers to Protect Confidential Information
Keep Your Company's Proprietary Data Off the Facebook Wall
New legislation recently enacted in Maryland will make it unlawful for employers to request or require employees or job applicants to provide user names or passwords relating to personal email or social media platforms.
Under the new law, which Governor Martin O’Malley signed on May 2, 2012, and which becomes effective on October 1, 2012, employers also are prohibited from taking adverse action against employees or applicants who refuse or fail to provide such social media or email login information. Although Maryland is the first state to adopt this type of social media legislation, a number of other states, including California, Illinois, New York and Washington, are considering similar laws. As a result, employers across the country should be aware of the potential implications for their businesses.
Although social media advocates and other observers might hail this new law for its employee protection and privacy rights, the law contains several important exemptions that appropriately take into account the legitimate concerns employers have relating to their confidential and proprietary information and general company operations. Specifically:
- if an employer receives information that an employee has used personal social media or email accounts for the employer’s business purposes, it may conduct “an investigation for the purpose of ensuring compliance with applicable securities or financial law, or regulatory requirements”
- if the employer receives information regarding the “unauthorized downloading” of its proprietary or financial information on or to an employee’s personal social media or email account, it may conduct an appropriate investigation1
- an employer may require an employee to disclose any user name, password or other means for accessing nonpersonal (i.e., employer-owned) internal computer or information systems
What Employers Need to Know
From an employer’s or management’s perspective, the exemptions in this new social media law relating to an employee’s “unauthorized downloading” or accessing of “proprietary” or “nonpersonal” information highlight the importance of creating and enforcing comprehensive policies regarding your company’s confidential and proprietary information. Such policies should also define and clarify what information is “employer-owned.” In addition, they should define what is “unauthorized” access to company information and include protective provisions addressing employees who work remotely and how company data will be accessed, transferred, controlled and owned in off-site situations. The new law also reinforces the need for employers to have non-disclosure/confidentiality agreements (and other restrictive covenants where appropriate) in place with their workforce.
The consequences of failing to have clear and consistent confidentiality and information management policies are significant. If, for example, an employer lacks policies or agreements regarding the protection and ownership of its data, information and materials, an employee who improperly transfers company data to a personal account or Facebook page could assert that the transfer of such information was not “unauthorized.” Given that the new Maryland law allows an investigation of “unauthorized downloading,” such an employee claim, if credible, might undermine the employer’s ability under Maryland law to demand access to the employee’s personal and social media account information where the company data now resides.
This is not to say that the company could not obtain access to the employee’s information or subject the employee’s computer activity to forensic analysis in discovery if litigation ensued under a trade secret or related misappropriation claim. But the new law certainly creates an investigation obstacle out of the gate for the company that fails to implement workplace policies and agreements to protect its confidential data, information and materials and plainly establish what constitutes “unauthorized” use or downloading of such information. Also, by the time litigation has begun, the company data could have been shared with an even larger Facebook or Twitter audience.
One Uncertainty of the Maryland Law
An additional, noteworthy uncertainty arising from this new law is that while the law expressly prohibits what an employer may do concerning an employee’s personal account, the law does not expressly create a private cause of action allowing an aggrieved employee to sue the employer alleging a violation of the statute. As a result, it is unclear whether aggrieved employees may be able to assert a claim for wrongful or abusive discharge under this law. This uncertainty further reinforces the need to have clear and protective policies in place authorizing the company to act in the event its internal data become some of the most popular items on Facebook or Twitter.
1 With respect to the “investigation” exemptions under this new law, it remains unclear on the face of the statute whether a company may actually request or require those subject employees to provide personal user name and password information in connection with such an investigation.