Representatives Reintroduce Password Protection Act
May 21, 2013. Rep. Ed Perlmutter (D-CO), Rep. Peter Welch (D-VT), and others introduced HR 2077 [LOC | WW | PDF], the "Password Protection Act of 2013", a bill that would amend 18 U.S.C. § 1030 to bar employers, under certain circumstances, from compelling the disclosure by their employees or job applicants of passwords for their own computers, e-mail accounts and social media accounts.
Rep. Welch (at right) stated in a release that "Employees have a legitimate expectation of privacy when using Facebook or Twitter. This legislation will prevent fishing expeditions into employees' private lives. While an employer may have a valid concern about the business impact of an employee’s online activity, demanding passwords and unfettered access to private accounts is an over-the-top solution."
Rep. Perlmutter stated in a release that people "have an expectation that their right to free speech and religion will be respected when they use social media outlets. Both users of social media and those who correspond with the user share an expectation of privacy in their personal communications. Without this protection, employers essentially can act as imposters and assume the identity of an employee and continually access, monitor and even manipulate an employee's personal social activities and opinions."
This bill is a reintroduction of HR 5684 [LOC | WW] and S 3074 [LOC | WW], companion bills in the 112th Congress, titled the "Password Protection Act of 2012". Those bills were referred to the House Judiciary Committee (HJC) and Senate Health, Education, Labor, and Pensions Committee (SHELPC), respectively. However, neither Committee took any action on those bills in the 112th Congress.
Subsection 1030(a) currently contains seven numbered prohibitions, some of which contain multiple parts. The just introduced bill would add an eighth prohibition. An employer would be prohibited from demanding that its employees or prospective employees disclose passwords or other information that would enable access to their accounts at social networking websites, but only if the employer engages in monitoring for employment related purposes. This bill would leave employers free to demand passwords for other purposes. It would amend Section 1030(a) to provide as follows:
"(a) Whoever ... (8) acting as an employer, knowingly and intentionally---
(A) for the purposes of employing, promoting, or terminating employment, compels or coerces any person to authorize access, such as by providing a password or similar information through which a computer may be accessed, to a protected computer that is not the employer’s protected computer, and thereby obtains information from such protected computer; or
(B) discharges, disciplines, discriminates against in any manner, or threatens to take any such action against, any person---
(I) for failing to authorize access described in subparagraph (A) to a protected computer that is not the employer’s protected computer; or
(ii) who has filed any complaint or instituted or caused to be instituted any proceeding under or related to this paragraph, or has testified or is about to testify in any such proceeding;
shall be punished as provided in subsection (c) of this section."
Nothing in this bill would subject an employer to prosecution who demands passwords, thereby obtains information, and reports criminal violations to state or federal prosecutors, but does not take employment related action itself.
For example, if this bill were enacted, an employer could demand employees' personal passwords; it could monitor their use of social networking sites and email services; and, if it found evidence of criminal copyright infringement, criminal theft of the employer's trade secrets, or other crimes, it could report such evidence to prosecutors; provided that this employer does not fire, discipline, or take employment related action itself against a monitored employee.
(Published in TLJ Daily E-Mail Alert No. 2,566, May 23, 2013.)