Resist the Urge to Access: the Impact of the Stored Communications Act on Employer Self-Help Tactics

07 October 2019

As an employer or manager, have you ever collected a resigning employee’s employer-owned laptop or cellphone and discovered that the employee left a personal email account automatically logged in? Did you have the urge to look at what the employee was doing and who the employee was talking to right before resigning? Perhaps to see if he or she was talking to your competitors or customers? If so, you should resist that urge.

The federal Stored Communications Act, 18 U.S.C. § 2701, et seq., is a criminal statute that makes it an offense to “intentionally access[ ]without authorization a facility through which an electronic communication service is provided[ ]and thereby obtain[ ] . . . access to a[n] . . . electronic communication while it is in electronic storage . . . .” It also creates a civil cause of action for victims of such offenses, remedied by (i) actual damages of at least $1,000; (ii) attorneys’ fees and court costs; and, potentially, (iii) punitive damages if the access was willful or intentional.

So how does this criminal statute apply in a situation in which an employee uses a personal email account on an employer-owned electronic device—especially if an employment policy confirms there is no expectation of privacy on the employer’s computer systems and networks? The answer is in the technology itself.

Many courts find that the “facility” referenced in the statute is the server on which the email account resides—not the company’s computer or other electronic device. In one 2013 federal case, a former employee left her personal Gmail account automatically logged in when she returned her company-owned smartphone. Her former supervisor allegedly used that smartphone to access over 48,000 emails on the former employee’s personal Gmail account. The former employee later sued her former supervisor and her former employer under the Stored Communications Act. The defendants moved to dismiss the claim, arguing, among other things, that a smartphone was not a “facility” under the statute.

While agreeing with that argument in principle, the court concluded that it was, in fact, Gmail’s server that was the “facility” for purposes of Stored Communications Act claims. The court also rejected the defendants’ arguments (i) that because it was a company-owned smartphone, the employee had in fact authorized the review, and (ii) that the former employee was responsible for any alleged loss of privacy, because she left the door open to the employer reviewing the Gmail account.

Similarly, in a 2017 federal case, a former employee sued her ex-employer for allegedly using her returned cell phone to access her Gmail account on at least 40 occasions. To assist in the prosecution of a restrictive covenant claim against the former employee, the former employer allegedly arranged to forward several of those emails to the employer’s counsel, including certain allegedly privileged emails between the former employee and her lawyer. The court denied the former employer’s motion to dismiss the claim based on those allegations.

Interestingly, some courts, including both in the above-referenced cases, draw a line on liability under the Stored Communication Act based on whether the emails that were accessed were already opened at the time of access. This line of reasoning is premised on a finding that opened-but-undeleted emails are not in “storage for backup purposes” under the Stored Communications Act. But this distinction is not universal.

In another 2013 federal case, for example, an individual sued his business partner under the Stored Communications Act after the defendant logged on to the other’s Yahoo account using his password. A jury trial resulted in a verdict for the plaintiff on that claim, and the defendant filed a motion for judgment as a matter of law. The defendant argued that she only read emails that had already been opened and that they were therefore not in “electronic storage” for “purposes of backup protection.” The court disagreed, stating that “regardless of the number of times plaintiff or defendant viewed plaintiff’s email (including by downloading it onto a web browser), the Yahoo server continued to store copies of those same emails that previously had been transmitted to plaintiff’s web browser and again to defendant’s web browser.” So again, the court read the Stored Communications Act broadly, stating that “the clear intent of the SCA was to protect a form of communication in which the citizenry clearly has a strong reasonable expectation of privacy.”

Based on the broad reading of the Stored Communications Act in which many courts across the country engage, employers and managers are well advised to exercise caution before reviewing an employee’s personal communications that may be accessible on a company electronic device. Even policies informing employees not to expect privacy on company computer systems and networks may not save the employer or manager from liability under the statute. So seek legal counsel if this opportunity presents itself upon an employee’s separation from the company. And resist the urge to access before doing so.

Disclaimer

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Resist the Urge to Access: the Impact of the Stored Communications Act on Employer Self-Help Tactics

Related Insights

A Trial Lawyer’s Trial Lawyer: Paul Callan On Trial

New Favorable OIG Advisory Opinion Allows Patient Assistant Programs Funded by Drug Manufacturers

FDA Continues to Take Stance That it Will Not Issue CBD Rules