How Much Protection Do Password Protection Laws Really Provide?

Continued from previous page

Employers and their lobbyists know that password protection laws are not always in their interests, according to Philip L. Gordon, a Denver-based partner in Littler Mendelson, one of the country’s leading business-side law firms.

“There’s definitely a downside to these laws. First, the laws are completely unnecessary. There is no data to show that private employers are doing this, so we seem to have legislation looking for a problem. It almost seems like pandering,” said Gordon, who serves as chairman of the firm’s privacy and data protection practice group. A very recent survey of Littler clients showed that less than 1 percent of employers ever ask for employee passwords, he said. The small number of employers that do ask generally have sound reasons for doing so, such as financial services companies that are required by regulation to monitor the online communications of employees.

The case of companies designated as brokers or dealers in selected financial products has received serious attention by state legislators, and the laws in at least six states provide specific exemptions for them, Gordon notes. Likewise, broad exemptions from the laws are granted to employers when they are engaged in workplace “investigations” of employee misconduct or violations of the law. Employers should be careful, Gordon cautioned, not to use “investigation” as a catch-all excuse to snoop on workers, but the legitimate exemption does give the employer needed freedoms.

Collins told AlterNet he found the investigations loophole troubling. An investigation of employee misconduct presents many opportunities for mischief, or worse, by an unscrupulous boss. Littler’s Gordon indirectly confirmed Collins’ concerns. Writing about Michigan’s password law earlier this year, Gordon commented:

“While airtight at first blush...[the Michigan law] is more like a sieve upon closer scrutiny. Most importantly, the Act does not prohibit an employer from asking an employee to help the employer view content in another employee’s...personal account....Given that employees routinely report social media conduct of coworkers that violates corporate policy or is suspected to be unlawful, this limitation is critical for employers seeking to investigate an employee’s Internet misconduct....

In other words, the Michigan law, and others like it, leave bosses free to snoop on the private online accounts of workers as long as they can induce a coworker to cooperate.

Some of the problems with state level password protection laws might be solved with good federal-level legislation, Gordon and ACLU’s Bohm agreed. Although not professing any agreement on important details, they agreed a federal law would set the same basic rules for bosses throughout the country.

Sen. Richard Blumenthal (D-Conn.) took a step in that direction early last year when he introduced the Password Protection Act of 2012. The bill failed to gather any momentum, however, and expired in early 2013 without any Senate action. Gordon said he was unfamiliar with the specifics of Blumenthal’s bill, but that employers would be wise to support a federal law as long as it specifically pre-empted state laws. Bohm said the ACLU was generally supportive of Blumenthal’s approach, and would work with congressional supporters to strengthen worker privacy protections in any new version that might be introduced.

In an email message to AlterNet, Blumenthal said this week that he intends to re-introduce his legislation in August or September:  “I intend to reintroduce this important legislation because employers seeking access to passwords or confidential information on social networks, email accounts, or other protected Internet services is an unreasonable and intolerable invasion of privacy. With few exceptions, employers do not have the need or the right to demand access to applicants’ private, password-protected information. This legislation would ensure that employees and job seekers are free from these invasive and intrusive practices.”