Maryland’s bill, HB 364, Md. H.B. 364 was introduced in January 2012. 

Gov. Martin O’Malley, on May 2, 2012, signed S.B. 433, a bill prohibiting employers from requesting the social media passwords or accessing the social media accounts of prospective and current employees, making Maryland the first state to pass such a law.

The new provision, which will take effect Oct. 1, 2012, bars employers from requesting or requiring that an employee or applicant for employment disclose any user name, password or other means to access a “personal account or service” through an electronic communications device.

“Employer” means a person engaged in a business, an industry, a profession, a trade or other enterprise in the state, or a unit of state or local government, and includes “an agent, a representative and a designee of the employer.”

The bill does not define personal account or service, but does define “electronic communications device” to mean “computers, telephones, personal digital assistants, and other similar devices.” The bill, however, allows employers to make such a password or username request to access “nonpersonal accounts or services that provide access to the employer’s internal computer or information systems.”

Covered employers also “may not discharge, discipline or otherwise penalize or threaten to discharge, discipline or otherwise penalize” an employee or applicant for refusing to disclose any information covered by the law. Further, employers “may not fail or refuse to hire” any applicant because he or she refused to disclose any covered information.

The Maryland law would prohibit an employee from making unauthorized downloads of “employer proprietary information or financial data to an employee’s personal website, an Internet website, a web-based account, or a similar account.” However, based on receipt of information of unauthorized downloading, an employer is not prevented from investigating an employee’s actions.

Finally, an employer is not prevented from conducting an investigation based on the receipt of information about an employee’s use of a personal web or similar account for business purposes to ensure compliance with applicable securities or financial law or regulatory requirements.

Similar legislation is pending in California, Illinois, New York, Michigan, Minnesota, Missouri, South Carolina and Washington. In addition, Rep. Eliot Engel, D-N.Y., has introduced federal legislation—the Social Networking Online Protection Act—which would prohibit asking for the social media passwords of employees or applicants. 

The Maryland bill is similar to the Illinois bill in that it says employers may not “require an employee or applicant for employment to disclose any user name, password, or other means for accessing any Internet site or electronic account through an electronic device.” HB 364, supra.  In addition, however, the bill has an anti-spyware provision.  It states that an employer may not “require an employee to install on the employee’s personal electronic device software that monitors or tracks the content of the electronic device.” Id. The Illinois bill has no similar provision.

The Maryland bill also prohibits an employer from failing or refusing to hire an employment applicant because of an applicant’s refusal to disclose login information or permit spyware to be installed on a personal device.  In addition, the bill protects existing employees in that it bars employers from discharging, disciplining, or otherwise penalizing an employee for refusing to disclose login information or to permit spyware on personal devices. See id.

The Maryland bill, however, has a carve out for login credentials for the employer’s own systems.  “An employer may require an employee to disclose any user name, password, or other means that provide access to the employer’s internal computer or information systems.” Id.  Although it could be clearer, this language presumably covers both an employer’s networks as well as its devices, such as an employer-provisioned computer.