Can a company snoop on its employee’s personal email account?

email snoop

Plaintiff was an administrative assistant at defendant company. When her supervisor got word that plaintiff had been asked to join a competing company started by some other former company employees, the supervisor allegedly logged onto plaintiff’s work computer and without authorization accessed plaintiff’s Gmail account to get more information confirming plaintiff’s plans. Plaintiff was later terminated.

So she sued under the federal Stored Communications Act (“SCA”) and the Federal Wiretap Act (under a part of that act often called the Electronic Communications Privacy Act (“ECPA”)). Defendant moved to dismiss both the claims. The court denied the motion to dismiss the SCA claim but dismissed the ECPA claim.

The SCA prohibits, among other things, the intentional unauthorized access of a “facility through which an electronic communication service is provided”—thereby obtaining access to an electronic communication while in electronic storage. 18 U.S.C. § 2701(a). A court may award actual damages, statutory damages, and punitive damages for violation of the SCA. If a plaintiff seeks statutory damages under the SCA, it must prove actual damages. But one need not prove actual damages to recover punitive damages. The ECPA prohibits, among other things, the “interception” of electronic communication. 18 U.S.C. § 2511(a). Courts have generally held that such “interception” must be contemporaneous with transmission.

The court held plaintiff could move forward with her SCA claim even though she had not pled actual damages. She had sufficiently pled that she should be awarded punitive damages. And the court tossed the ECPA claim because the facts as alleged showed that the email messages the employer allegedly accessed had already been delivered and therefore were not intercepted as the statute requires for liability.

Benz v. PHB Realty Co., 2022 WL 3098579 (D. Kansas, August 4, 2022)

See also:

Can a party recover statutory damages under the Stored Communications Act without proving actual damages?

The Stored Communications Act (18 USC 2701 et seq.) is among the most powerful tools relating to email privacy. It is a federal statute that prohibits, in certain circumstances, one from intentionally accessing without authorization, or exceeding authorized access to, a facility through which an electronic communication service is provided. The statute provides criminal penalties and an aggrieved party can bring a civil suit for damages in certain cases.

The statute contains a provision that addresses the amount of money damages a successful plaintiff can recover. Section 2707(c) provides the following:

Damages. The court may assess as damages in a civil action under this section the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000. If the violation is willful or intentional, the court may assess punitive damages. In the case of a successful action to enforce liability under this section, the court may assess the costs of the action, together with reasonable attorney fees determined by the court.

Note the phrase “but in no case shall a person entitled to recover receive less than the sum of $1,000.” Does that mean every plaintiff that successfully proves the defendant’s liability is entitled to at least $1,000, regardless of whether there was any actual damage that occurred? The Fifth Circuit Court of Appeals recently addressed that question in the case of Domain Protection, L.L.C. v. Sea Wasp, L.L.C. It held that one must show at least some actual damages before being entitled to the minimum of $1,000.

The court looked to the Supreme Court’s approach in addressing nearly identical language in another statute, wherein SCOTUS concluded that “person entitled to recover” refers back to the party that suffers “actual damages.” Doe v. Chao, 540 U.S. 614, 620, 124 S.Ct. 1204, 157 L.Ed.2d 1122 (2004). And it noted that two other circuits have held that this reasoning should apply to the same terms in the Stored Communications Act: Vista Mktg., LLC v. Burkett, 812 F.3d 954, 964–75 (11th Cir. 2016) and Van Alstyne v. Elec. Scriptorium, Ltd., 560 F.3d 199, 204–208 (4th Cir. 2009). The court “endorse[d] the reasoning of those opinions and [saw] no need to repeat it.”

Domain Protection, L.L.C. v. Sea Wasp, L.L.C., — F.4th —, 2022 WL 123408 (5th Cir. January 13, 2022)

Money for pain and suffering because your email was hacked?

pain and suffering email hack

Plaintiff and defendant worked together doing real estate appraisals. Defendant accessed plaintiff’s email account without authorization and was later found liable for violating the federal Stored Communications Act. When it came time to assess damages, plaintiff asked for $150,000 for the pain and suffering he endured because of the email access. He alleged that he suffered mental decline, began drinking a lot and had troubles with his marriage.

The court was sympathetic to plaintiff’s “very real difficulties” but found that the amount he was seeking bore “an outsized relationship to the actual offense.” From the court’s opinion:

[Defendant], on one occasion, committed a targeted SCA offense. [Defendant] searched solely for emails related to [plaintiff’s] disparagement of [defendant] and printed four of them. Immediately, [plaintiff] learned of the breach and quickly put security measures in place to prevent further unauthorized access. Because the offense was objectively narrow in scope, the Court credits that [plaintiff] suffered a brief period of emotional harm related to the offense. The original intrusion was startling and, no doubt, produced some anxiety during the time it took [plaintiff] to protect his privacy by installing computer security software, changing passwords, and contacting his internet service provider who assured him they had taken “care of everything.”

The court ended up awarding plaintiff $1,000 for his pain and suffering tied to the breach.

Skapinetz v. CoesterVMS, Inc., 2021 WL 1634712 (D.Md. April 27, 2021)

Facebook hacking victim’s CFAA and SCA claims not barred by statutes of limitation

Knowledge that email account had been hacked did not start the statutes of limitation clock ticking for Computer Fraud and Abuse Act and Stored Communications Act claims based on alleged related hacking of Facebook account occurring several months later.

Plaintiff sued her ex-boyfriend in federal court for allegedly accessing her Facebook and Aol email accounts. She brought claims under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), and the Stored Communications Act, 18 U.S.C. § 2701, et seq. (“SCA”).

Both the CFAA and the SCA have two-year statutes of limitation. Defendant moved to dismiss, arguing that the limitation periods had expired.

The district court granted the motion to dismiss, but plaintiff sought review with the Second Circuit Court of Appeals. On appeal, the court affirmed the dismissal as to the email account, but reversed and remanded as to the Facebook account.

In August 2011, plaintiff discovered that someone had altered her Aol email account password. Later that month someone used her email account to send lewd and derogatory sexually-themed messages about her to people in her contact list. A few months later, similar things happened with her Facebook account — she discovered she could not log in in February 2012, and in March 2012 someone publicly posted sexually-themed messages using her account. She figured out it was her (now married) ex-boyfriend and filed suit.

The district court dismissed the claims because it found plaintiff first discovered facts giving rise to the claims in August 2011, but did not file suit until more than two years later, in January 2014. The Court of Appeals agreed with the district court as to the email account. She had enough facts in 2011 to know her Aol account had been compromised, and waited too long to file suit over that. But that was not the case with the Facebook account. The district court had concluded plaintiff knew in 2011 that her “computer” had been compromised. The Court of Appeals observed that the lower court failed to properly recognize the nuance concerning which computer systems were being accessed without authorization. Unauthorized access to the Facebook server gave rise to the claims relating to the Facebook account. The 2011 knowledge about her email being hacked did not bear on whether she knew her Facebook account would be compromised. The court observed:

We take judicial notice of the fact that it is not uncommon for one person to hold several or many Internet accounts, possibly with several or many different usernames and passwords, less than all of which may be compromised at any one time. At least on the facts as alleged by the plaintiff, it does not follow from the fact that the plaintiff discovered that one such account — AOL e-mail — had been compromised that she thereby had a reasonable opportunity to discover, or should be expected to have discovered, that another of her accounts — Facebook — might similarly have become compromised.

The decision gives us an opportunity to think about how users’ interests in having their data kept secure from third party access attaches to devices and systems that may be quite remote from where the user is located. The typical victim of a hack or data breach these days is not going to be the owner of the server that is compromised. Instead, the incident will typically involve the compromising of a system somewhere else that is hosting the user’s information or communications. This decision from the Second Circuit recognizes that reality, and contributes to the reasonable opportunity for redress in those situations.

Sewell v. Bernardin, — F.3d —, 2015 WL 4619519 (2nd Cir. August 4, 2015)

Evan Brown is an attorney in Chicago helping clients manage issues involving technology and new media.

Can an LLC member violate the Stored Communications Act by accessing other members’ email?

Yes.

Two members of an LLC sued another member and the company’s manager of information services alleging violation of the Stored Communications Act, 28 U.S.C. 2701 et seq. Defendants moved to dismiss for failure to state a claim. The court denied the motion.

Plaintiffs alleged that the LLC’s operating agreement required “Company decisions” to be made based on four of the five members voting in favor. The company had no policy in place authorizing the search and review of employees’ email messages, nor did it inform employees that their email may be accessed. Plaintiffs did not consent to their emails being searched and reviewed.

In connection with a dispute among the LLC members, one of them allegedly (in cooperation with the manager of information services) accessed the company’s email server using administrative credentials. She allegedly performed over 2,000 searches, retrieving other members’ communications of a personal nature, as well as communications with those members’ legal counsel.

Defendants moved to dismiss under 12(b)(6), arguing that plaintiffs could not show the access was unauthorized. Defendants argued that there was no electronic trespass, as the access was accomplished simply by company procedure.

The court rejected defendants’ arguments, finding that plaintiffs had sufficiently alleged an SCA violation, since plaintiffs had not consented to the access, and because no policy existed permitting an individual to search and review emails of members or employees absent the four-fifths approval required by the operating agreement.

Joseph v. Carnes, 2013 WL 2112217 (N.D.Ill. May 14, 2013)

Class action against Path faces uphill climb

Hernandez v. Path, Inc., 2012 WL 5194120 (N.D.Cal. October 19, 2012)

uphill path

Earlier this year plaintiff filed a class action lawsuit against photo app provider Path, alleging ten claims relating to Path’s alleged surreptitious collecting of mobile device address books and installation of tracking software. Path moved to dismiss the lawsuit for lack of standing and for failure to state a claim. The court held that plaintiff had standing to pursue the case, but dismissed some of the claims.

Standing

The court found that alleged depletion of “two to three seconds of battery capacity” was de minimus and thus not sufficient to support the injury-in-fact plaintiff was required to show. Citing to the fairly recent case of Krottner v. Starbucks, the court found that the hypothetical threat of future harm due to a security risk to plaintiff’s personal information was insufficient to confer standing. The only basis on which the court found there to be a sufficient claim of injury to support standing was the (hard to believe) claim by plaintiff that he would have to spend $12,500 to pay a professional to remove the Path app and related data from his phone.

The Dismissed Claims

The court dismissed for failure to state a claim (with leave to amend) plaintiff’s claims under the Electronic Communications Privacy Act (ECPA), Stored Communications Act (SCA), California wiretapping statute, state common law privacy, conversion and trespass.

ECPA and California Wiretapping Statute Claim. The court dismissed the ECPA and California Wiretapping Statute claims, finding that the complaint did not allege that Path intercepted any communication contemporaneous with its transmission. At best (from plaintiff’s perspective), it appears that Path gathered information on social networking sites after it was transmitted. And the uploading of the address books does not appear to have qualified as a communication under these statutes.

SCA Claim. The SCA claim failed “on multiple fronts.” Plaintiff was not a provider of electronic communication services and his iPhone was not a facility through which such service was provided. So Path’s alleged access did not come within the prohibition of the SCA. Moreover, the address books were not communications to which the SCA applied, because they were not in “electronic storage” as defined by the SCA, namely, being in temporary, intermediate storage incidental to their electronic transmission. (We see a similar issue in the recent Jennings case from South Carolina.)

State Common Law Privacy. This claim would have required plaintiff to show (1) public disclosure (2) of private facts (3) which would be offensive and objectionable to the reasonable person and (4) which is not of legitimate public concern. The court found there was no public disclosure, only Path’s storage of data on its servers.

Conversion. Under California law, to be successful on a claim of conversion, plaintiff would have had to plead and prove “ownership or right to possession of property, wrongful disposition of the property right and damages.” The court dismissed this claim because plaintiff pled only that Path copied the data, not dispossessing him of it. (As an aside, it’s this very point that underscores my common admonition to copyright maximalists that infringement is not “theft,” because theft involves dispossession. End of digression.)

Trespass. The California common law action of trespass in the computer context requires a plaintiff to show that (1) defendant intentionally and without authorization interfered with plaintiff’s possessory interest in a computer system; and (2) defendant’s unauthorized use proximately resulted in damage to plaintiff. The tort “does not encompass … an electronic communication that neither damages the recipient computer system nor impairs its functioning.” Intel v. Hamidi, 30 Cal.4th 1342 (Cal. 2003). In this case, plaintiff did not allege that the functioning of his mobile device was significantly impaired to the degree that would enable him to plead the elements of a trespass. The court found that any depletion of his mobile device’s finite resources was a de minimis injury. (See the standing analysis above.)

The Remaining Claims

The claims for violations of the California Computer Crime Law, Californa’s Unfair Competition Law (Section 17200), negligence and unjust enrichment remain in the case.

California Computer Crime Law. Based on the limited briefing, the court could not conclude as a matter of law whether Path’s alleged conduct fell outside this statute. The question remains whether providing the app which plaintiff voluntarily downloaded and installed on his iPhone provided undisclosed software code that surreptitiously transferred plaintiff’s data.

Californa’s Unfair Competition Law. This statute prohibits “any unlawful, unfair or fraudulent business act or practice.” The court found that the conduct alleged in the complaint, if true, constituted an unlawful or unfair act or practice within the meaning of the statute. It found that plaintiff had failed to allege any fraudulent practice, but since plaintiff met the first two prongs (unlawfulness and unfairness), the claim survived.

Negligence. Plaintiff alleged that Path owed a duty to plaintiff to protect his personal information and data property and take reasonable steps to protect him from the wrongful taking of such information and the wrongful invasion of privacy. Path allegedly breached this duty by, among other things, accessing and uploading data from plaintiff’s phone, storing that data in an unsecure manner, and transmitting the data to third parties. Path relied on In re iPhone Application Litigation to argue it had no duty to plaintiff. In that decision, Judge Koh held that plaintiffs had not yet adequately pled or identified a legal duty on the part of Apple to protect users’ personal information from third-party app developers. This case was different because Path was a third party developer. Despite the existence of a duty, plaintiff’s claims of damages (here’s the $12,500 repair bill issue again) will likely face substantial challenges as the case progresses.

Unjust Enrichment. Path argued that unjust enrichment was not a cause of action under California law. The court cited to cases suggesting that California law does indeed recognize such a claim and kept in in this case.

Photo credit Flickr user stormwarning under this Creative Commons license.

Court sides with college accused of snooping on student’s email

Reichert v. Elizabethtown College, 2011 WL 3438318 (E.D.Pa. August 5, 2011)

Plaintiff’s threatening behavior toward certain faculty members of his college led the administration to monitor plaintiff’s school-issued email account. Plaintiff’s lawsuit against the school included claims for violation of the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), and common law invasion of privacy.

The college moved to dismiss these claims and the court granted the motion.

The court found that the ECPA claim failed because plaintiff did not allege the interception of the email messages was contemporaneous with the messages’ transmission. As for the SCA claim, the court noted that the statute protects electronic communications providers from liability for searches of their own systems which are used to provide the service. The school provided the service, so it could not be liable for monitoring its own system. And as for invasion of privacy, the court found that plaintiff had failed to allege the mental distress required to sustain such a claim.

Court dismisses class action against MySpace for violation of the Stored Communications Act

Hubbard v. MySpace, 2011 WL 2149456 (S.D.N.Y. June 1, 2011)

Plaintiff, who sued on behalf himself and others similarly situated, claimed that MySpace improperly turned over account information and private messages to law enforcement, even though there was a search warrant. Plaintiff claimed this violated the Stored Communications Act, 18 USC 2701 et seq.

MySpace moved to dismiss. The court granted the motion.

The version of the Stored Communications Act in effect at the time of the alleged wrongful disclosure in this case provided that a search warrant seeking the information must issue from a federal court “with jurisdiction over the offense under investigation,” or be “an equivalent State warrant.”

Plaintiff argued that the warrant sent to MySpace was not sufficient under the SCA (and should have been ignored) because (1) the state magistrate did not have jurisdiction to hear the felony that the cops were investigating plaintiff for, and (2) the magistrate did not have the power to issue search warrants across state lines.

The court rejected both of these arguments. In determining the warrant to be “an equivalent State warrant,” it looked to the way federal magistrates issue warrants in SCA cases. It held that the phrase “jurisdiction over the offense under investigation” refers to the power to issue warrants, not to the power to ultimately try the case. And the court looked to the legislative history around the Patriot Act amendments to conclude that SCA investigations give magistrate judges special powers to direct search warrants across state lines, because having to require cooperation with the courts in which an ISP actually exists might allow enough time for a terrorist to get away or strike again.

This case is worth noting for the wide scope the court establishes for valid search warrants under the SCA. It is also worth noting that the SCA has since been amended to make the scope more clearly this broad. 

Federal court applies Seescandy.com test to unmask anonymous defendants in copyright and privacy case

Liberty Media Holdings, LLC. v. Does 1-59, 2011 WL 292128 (S.D. Cal., January 25, 2011)

Plaintiff porn company sued 59 anonymous defendants it knew only by IP address for violation of the Stored Communications Act (SCA), the Computer Fraud and Abuse Act (CFAA) and for copyright infringement. Since plaintiff did not know who the defendants were, it had to jump through a few hoops to find out their names.

The court rewarded such hoop-jumping by ordering that the defendants’ identities be turned over.

Hoop #1 – The Cable Communications Policy Act of 1984

A subpoena to the defendants’ internet service providers would reveal the needed information. But these ISPs, being governed by the Cable Communications Policy Act of 1984, could not turn over their subscribers’ information without a court order. (See 47 USC 515(c)(2)(B))

Hoop #2 – Discovery prior to the Rule 26(f) conference

What’s more, a plaintiff cannot start conducting discovery (and a subpoena is a discovery tool) until after it has had the initial conference with the defendant (the Rule 26(f) conference). But how can a plaintiff confer with a defendant it does not know? There is a bootstrapping problem here. The court has to step in and issue an order allowing the discovery be had.

Hoop #3 – Balancing injury versus right to anonymous speech

And getting that court order is a bit problematic and nuanced when one is dealing with anonymous defendants. The courts recognize the conflict between a need to provide injured plaintiffs with a forum in which they may seek redress for grievances, and the right of John Doe defendants to use the internet anonymously or pseudonymously when appropriate.

So judges apply a balancing test to weigh these interests. Different courts apply different tests. Some apply a very demanding standard, requiring plaintiffs to present enough facts to withstand a hypothetical motion for summary judgment. Other cases require a lesser burden be carried, looking merely to whether the complaint would survive a motion to dismiss. That’s the standard the court applied in this case.

The Seescandy.com standard

It looked to the 1999 case of Columbia Ins. Co. v. Seescandy.com, 185 F.R.D. 573, 577 (N.D.Cal.1999) which articulated the following test:

  • First, the plaintiff should identify the missing party with sufficient specificity such that the Court can determine that (the) defendant is a real person or entity that could be sued in federal court …
  • Second, the (plaintiff) should identify all previous steps taken to locate the elusive defendant …
  • Third, Plaintiff should establish to the Court’s satisfaction that plaintiff’s suit against (the) defendant could withstand a motion to dismiss … Plaintiff must make some showing that an act giving rise to civil liability actually occurred and that the discovery is aimed at revealing specific identifying features of the person or entity who committed the act.

In this case, the court found that each of these criteria had been met across the board.

It found that plaintiff had identified the defendants as best it could. Plaintiff provided the court with the unique IP addresses assigned to each defendant and the ISP that provided each defendant with internet access. Further, the requested discovery was necessary for plaintiff to determine the names and addresses of each defendant who performed the allegedly illegal and infringing acts.

The only information plaintiff had regarding the defendants was their IP addresses and their ISPs. Therefore, there were no other measures plaintiff could have taken to identify the defendants other than to obtain their identifying information from their ISPs.

And the court found the allegations supporting each of the claims were sufficient to survive a motion to dismiss.

As to the SCA, the complaint alleged that defendants intentionally accessed plaintiff’s web servers, which are facilities where electronic communication services are provided, defendants had no right to access the copyrighted materials on plaintiff’s website, and defendants obtained access to these electronic communications while these communications were in electronic storage.

On the CFAA claim, the complaint alleged that defendants unlawfully and without authorization entered into plaintiff’s computer server, which was used in interstate commerce, where plaintiff’s copyrighted materials were contained, stole plaintiff’s copyrighted materials, valued in excess of $15,000, and as a result of such conduct, caused plaintiff to suffer damage. Based on these facts, 18 USC 1030(g) authorized plaintiff’s civil action.

And as for copyright infringement, plaintiff alleged that it is the owner of the copyrights for certain motion pictures, which were accessed, reproduced, distributed and publicly displayed by defendants. Also, plaintiff alleged that defendants, without authorization, intentionally accessed, reproduced and distributed plaintiff’s copyrighted works onto their local hard drives or other storage devices.

Emails on laptop not protected by the Stored Communications Act

Thompson v. Ross, 2010 WL 3896533 (W.D. Pa. September 30, 2010)

Messages from Yahoo and AOL email accounts saved on laptop computer were not in “electronic storage” as defined by Stored Communications Act.

Plaintiff’s ex-girlfriend kept his laptop computer after the two of them broke up. The ex-girlfriend let two of her co-workers access some email messages stored on the computer. Plaintiff filed suit under the Stored Communications Act. Defendants moved to dismiss. The court granted the motion.

Under the Stored Communications Act (at 18 U.S.C. 2701), one is liable if he or she accesses without authorization a facility through which an electronic communication service is provided and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.

The court held that the Stored Communications Act did not cover the email messages because they were not in “electronic storage” as defined at 18 U.S.C. 2510(17)(B). In relevant part, that section defines “electronic storage” as “any storage of such communication by an electronic communication service for purposes of backup protection of such communication.”

The court looked to the plain language of the statute, finding that the definition was not met because the messages were not stored by an electronic communication service. It rejected plaintiff’s arguments that the fact the messages were in “backup storage” extended the scope of the definition.

Enhanced by Zemanta
Scroll to top