The Connecticut General Assembly’s Labor & Public Employee Committee today is considering drafting a proposed bill “to prevent current or potential employers from requesting or requiring that employees or potential employees provide passwords to their personal accounts as a condition of their employment.”

I won’t mince words. Proposed Senate Bill 159 is a bad idea. 

It’s a solution in search of a non-existent problem and ultimately it would have serious ramifications for employers in Connecticut.

Ohio is currently considering the same type of bill and Jon Hyman, from the Ohio Employer’s Law Blog, neatly summarized the reasons why this remains a bad idea.  Here are two of them which are directly applicable to Connecticut:

  • It contains no exceptions for internal investigations. Suppose, for example, Jane Doe reports that a co-worker is sending her sexually explicit messages via Facebook. You have an absolute duty under both Title VII and [state] employment discrimination statute to investigate and take whatever remedial action is necessary to ensure that any misconduct ends. Yet, this bill would prohibit you from even asking the accused to provide access to his Facebook account as part of your investigation.
  • It contains no exceptions for regulated industries. For example, registered representatives have special rules that dictate what they can or cannot say to clients and prospective clients via social media. FINRA requires employers to track and maintain records of the communications between registered reps and the public. Yet, this bill would prohibit a securities firm from requiring its registered reps to turn over these communications. It would also prohibit the firm from even asking for access to a rep’s social media account to investigate a customer complaint or regulatory issue.

I’m not advocating employers ask their employees for their passwords on a routine basis.  It’s poor human resources practice.  But what Connecticut doesn’t need is another knee-jerk piece of legislation that will do much more harm than good.

The bill already received a preliminary thumbs up in the committee a few weeks ago.  The CBIA has opposed it and suggested very narrow language to address whatever concerns are there.

Let your local legislator know that this bill should go no further in its current format.

  • I have to respectfully disagree with this post. While employers might have a duty to investigate, they certainly would not have a right to search my home or view material on my encrypted personal cell phone without a warrant. As a matter of public policy, I don’t see how a duty to investigate and this protection would be incompatible. The statute would merely make it clear that the duty does not include demanding someone’s password. In these cases I think I would certainly feel more comfortable having a judge serve as a neutral decision maker in whether or not to open up a personal account over an employer, whose level of discretion and sophistication will vary highly based on the company. 

    Regulated industries might be a slightly different can of worms, but my reading of the brief language does not include a prohibition on asking for copies of communications made between registered reps and the public via social media, it merely prohibits asking for the password and allowing the employer carte blanche ability to go through the social media account. In the context of a person in a regulated industry, I again think that the kind of wide reaching search capability provided by being able to demand a personal account password is too large. It is better to leave it to the regulators.

    Finally, having access to someone’s personal accounts is a liability minefield. The Internet, for better or worse, treats a Facebook or Google account as its verified ID card. The use of Facebook or Gmail means you would have the ability to impersonate someone on the Internet completely, and access and utilize their credit cards and PayPal account.

    One other thing to consider: the rather broad Computer Fraud and Abuse Act provides persons a remedy in civil action for compensatory damages and injunctive relief in relation to crimes committed on a computer. It states that liability attaches under the Act for whoever:

    (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
    (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602 (n) [1] of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
    (B) information from any department or agency of the United States; or
    (C) information from any protected computer;

    While plaintiff counsel might concede that providing a password means he authorized access, without proper waiver a crafty plaintiff might argue that the level of permission granted was clearly exceeded, and if his employment was terminated causing him to lose money, or some kind of information is released that leads to economic damages, that is the civil suit ball game under my reading of the CFAA. Now I don’t have access to LEXIS but consider this footnote from Wikipedia:

    Theofel v. Farey Jones, 2003 U.S. App. Lexis 17963, decided August 28, 2003 (U.S. Court of Appeals for the Ninth Circuit), holding that the use of a civil subpoena which is “patently unlawful,” “in bad faith,” or “at least gross negligence” to gain access to stored email is a breach of both the CFAA and the Stored Communications Act.[4]

    The CFAA Wikipedia page is,

    Matt