By Erin Dougherty Foley and Lily Strumwasser

A recent study commissioned by Microsoft Corporation found that nearly 80 percent of individuals hiring and recruiting use the Internet to investigate candidates. A major news network indicated that more than 77 percent of employers find information about candidates online, and 35 percent have dismissed candidates based on these findings. At first blush, looking at an applicant’s social media content makes sense – after all, with just a few clicks of the mouse you can find out all sorts of revealing information about job applicants. However, there are also several legal risks associated with viewing applicants’ social media profiles.

 Social Media Surfing Creates Risks For Employers

Social media surfing can open the door to potential claims under Title VII of the Civil Rights Act of 1964, the Americans with Disabilities Act (ADA), the Age Discrimination in Employment Act (ADEA), and various state laws. It is easy to see how applicants or employees could post pictures or information describing their race, color, religion, sex, national origin, disability, age, sexual preference, or genetics on their social media accounts. For example, a woman may post pictures of her seven children on her Facebook page.  Someone else could post pictures celebrating a 50th birthday. Another applicant may have photos of excessive drinking. Employers that make employment decisions based on such pictures risk running afoul of not only state and federal discrimnation statutes, i.e. sex, age, perceived disability discrimination, but also various state laws that prohibit adverse employment actions based on otherwise legal conduct.

Even if employers do not make hiring decisions based on online content, they may still face discrimination lawsuits. The applicant could easily point to the employer’s practice of viewing the applicant’s social media pages to prove constructive knowledge of the applicant’s protected status and the employer’s discriminatory intent. At the very least, this presumption could create liability if a lawsuit is filed. Plaintiffs can also use evidence of discriminatory intent to extract large settlements or awards if their case is taken to trial.  

Requesting Social Media Passwords – It’s A Bad Idea

There are a handful of reported instances where employers have gone a step further than simply Googling a job applicant. For example, in 2012, during an employee’s recertification interview, an employer asked the employee for the password to his Facebook account. The employee was allegedly forced to sit and watch as the interviewer accessed his Facebook account and reviewed his profile. The story went viral. The public launched salvos of complaints and legislators across the nation rushed to put new laws in motion.

Since our last blog post on password protection laws, New Jersey joined Arkansas, California, Colorado, Illinois, Maryland, Michigan, Nevada, New Mexico, Oregon, Utah, Vermont, and Washington in prohibiting employers from requesting social media passwords. These bills attracted broad, bipartisan support. Thirty-six additional states have introduced similar legislation or have legislation pending. Although unique to each state, in general, each law prohibits employers from requesting passwords to employees’ or applicants’ personal social media accounts.


If your company is located in a state shaded green in the map above, asking applicants or employees for their social media passwords is illegal. If your company is located in a state shaded blue in the map above, legislation is pending that may make asking for private login information illegal. 

Best Practices For Employers

Social media is here to stay. Employers utilizing social media will inevitably face the good, the bad and the ugly. Make sure all your boxes are checked when it comes to new laws surrounding employers’ use of social media:

  •  Update Social Media and Password Policies:  Create a written formal policy that clearly states that managers, supervisors, and human resource staff cannot request applicants’ or employees’ social media passwords. Play it safe and protect your company by implementing a policy; have it reviewed by your lawyer; consistently enforce it; and include it in the company handbook.
  • Keep Employees Informed Through Training Sessions:  Employers should reinforce these policies with training. Employees will more likely follow the company policy if they understand the potential legal risk. Employers can deliver training through formal meetings or through e-mails notifying employees of the updated policy and the reasoning behind it. Employers should also remind employees about company policies and enforce them consistently.
  • Understand Local Laws:  In general, states that have enacted social media legislation restrict employers from requesting usernames and passwords for social networking sites. However, there are subtle inconsistencies among the states’ laws. These differences typically turn on the types of social media the law covers, the nature of the prohibited conduct, and the exceptions to the prohibitions. Companies that conduct business in more than one state should be aware of these differences to avoid running afoul of state law. 

For more information about the business and legal implications surrounding phishing on employees social media accounts or your state’s social media law(s) and how it might impact your company, please click HERE to check out the authors’ recent article published in the Federal Lawyer Magazine, or contact a member of Seyfarth’s Social Media and Privacy Team.