House and Senate Bills Would Affect Employer Demands for Employees' Personal Passwords
May 9, 2012. Sen. Richard Blumenthal (D-CT) and other Senate Democrats introduced S 3074, the "Password Protection Act of 2012", a bill that pertains to employers' practice of demanding and using employees' personal passwords.
On the same day, Rep. Martin Heinrich (D-NM) and other House Democrats introduced HR 5684, the companion bill in the House.
The Senate bill was referred to the Senate Health, Education, Labor, and Pensions Committee. The House bill was referred to the House Judiciary Committee (HJC).
The list of sponsors of each bill is notable for the absence of Republicans. The list for the House bill is also notable for its lack of members of the HJC.
These two bills are substantially identical. They would amend 18 U.S.C. § 1030, the "Computer Fraud and Abuse Act", which is the primary federal anti-hacking statute.
Subsection 1030(a) currently contains seven numbered prohibitions, some of which contain multiple parts. The just-introduced bills would add an eighth prohibition. An employer would be prohibited from demanding that its employees or prospective employees disclose passwords or other information that would enable access to their accounts at social networking websites, but only if the employer engages in monitoring for employment-related purposes.
The bill is directed at employees' use of social networking sites and e-mail sites, although it does not use the terms "social networking" or "email". Moreover, it would also provide employees some privacy in using web sites that enable the unauthorized sharing of copyrighted works, and pornography.
The original cosponsors of the Senate bill are Sen. Charles Schumer (D-NY), Sen. Amy Klobuchar (D-MN), Sen. Ron Wyden (D-OR), Sen. Jeanne Shaheen (D-NH), Sen. Daniel Akaka (D-AK), and Sen. Bernie Sanders (D-VT).
The original cosponsors of the House bill are Rep. Ed Perlmutter (D-CO), Rep. Bobby Rush (D-IL), Rep. Jim Cooper (D-TN), Rep. Lois Capps (D-CA), Rep. Larry Kissell (D-NC), Rep. David Cicilline (D-RI), Del. Eleanor Norton (D-DC), Rep. John Lewis (D-GA), Rep. Ben Ray Lujan (D-NM), Rep. Steve Rothman (D-NJ), and Rep. Adam Schiff (D-CA).
Sen. Blumenthal stated in a release that "Employers seeking access to passwords or confidential information on social networks, email accounts, or other protected Internet services is an unreasonable and intolerable invasion of privacy ... With few exceptions, employers do not have the need or the right to demand access to applicants’ private, password-protected information."
Sen. Wyden stated in this release that "Online privacy lives and dies with your password, and being forced to surrender this level of protection to an employer for fear of retribution is bullying, plain and simple. The online password protects your social life, personal information and often your bank accounts and no employer should be able to demand that this information be turned over".
Sen. Klobuchar stated that "No person should be forced to reveal their private online communications just to get a job. This is another example of making sure our laws keep up with advances in technology and that fundamental values like the right to privacy are protected."
However, the Senators' rhetoric is broader than the actual reach of the bill. The bill would not reach all employers. It would not prohibit demanding and using employees' personal passwords. It would only prohibit this activity if used for certain enumerated purposes.
As amended by S 3074 and HR 5684, the statute would provide as follows:
"(a) Whoever ... (8) acting as an employer, knowingly and intentionally---
(A) for the purposes of employing, promoting, or terminating employment, compels or coerces any person to authorize access, such as by providing a password or similar information through which a computer may be accessed, to a protected computer that is not the employer’s protected computer, and thereby obtains information from such protected computer; or
(B) discharges, disciplines, discriminates against in any manner, or threatens to take any such action against, any person---
(i) for failing to authorize access described in subparagraph (A) to a protected computer that is not the employer’s protected computer; or
(ii) who has filed any complaint or instituted or caused to be instituted any proceeding under or related to this paragraph, or has testified or is about to testify in any such proceeding;
shall be punished as provided in subsection (c) of this section."
These bills do not contain a complete ban on demanding passwords. Rather, they would merely ban demanding passwords, accessing the web sites, and using material found for employment-related purposes, such as in deciding whether or not to employ, fire, promote, or discipline someone.
Nothing in these bills would subject to prosecution an employer who demands passwords, thereby obtains information, and reports criminal violations to state or federal prosecutors, but does not take employment-related action itself.
For example, if these bills were enacted, an employer could demand employees' personal passwords; it could monitor their use of social networking sites and email services; and, if it found evidence of criminal copyright infringement, criminal theft of the employer's trade secrets, or other crimes, it could report such evidence to prosecutors; provided that this employer does not fire, discipline, or take employment-related action itself against a monitored employee.
That is, this bill would leave employers free to snoop for the FBI, IRS, or any prosecutor, but not for their own personnel management purposes.
This follows from the language of the proposed new prohibition. However, this is restated in an express exemption. The bills provide that "Notwithstanding subsection (a)(8), the prohibition in such subsection shall not apply to an employer’s actions if ... the employer discharges or otherwise disciplines an individual for good cause and an activity protected under subsection (a)(8) is not a motivating factor for the discharge or discipline of the individual".
These bills would not take away an employer's ability to demand and use employees' personal passwords. They would only take away the employer's ability to use acquired information for certain purposes. However, this would decrease the incentives for demanding passwords and monitoring web sites, and therefore would decrease the frequency with which employers demand passwords and monitor web sites.
The bill also builds in additional exceptions. For example, the definition of "employer" references another statute, which defines "employer" to mean only an employer "engaged in an industry affecting commerce who has fifteen or more employees". The words "commerce" and "fifteen" would each exclude many actual employers.
The bills also include express exemptions for certain government employers.
See also, stories titled "Maryland Senate Passes Bill to Protect Employee Passwords for Social Media" in TLJ Daily E-Mail Alert No. 2,370, April 13, 2012, and "House Rejects Motion Pertaining to Employer Demands for Employee Passwords for Social Networking Sites" in TLJ Daily E-Mail Alert No. 2,361, March 30, 2012.