stored communications act – Page 2

August 18, 2010 Computer Crime, Privacy

Computer Fraud and Abuse Act, the Stored Communications Act, and unauthorized access

Monson v. The Whitby School, Inc., No. 09-1096, 2010 WL 3023873 (D.Conn. August 2, 2010)

Plaintiff Monson sued her former employer (a private school) for sex discrimination and related claims. The school filed counterclaims against Monson for, among other things, violation of (1) the Computer Fraud and Abuse Act (CFAA) and (2) the Stored Communications Act (SCA).

The counterclaims were based on allegations that Monson gained unauthorized access to the school’s email server to unlawfully view and delete email messages contained in the email accounts of other school employees. Upon learning of her impending termination, the school alleged, Monson used this unauthorized access to delete more than 1,500 email messages. Further, the school alleged that after Monson was terminated, she intentionally deleted data and software programs that resided on her school-issued computers before she returned them to the school.

Monson moved to dismiss the counterclaims. The court denied the motion.

CFAA claim

Monson argued that the school had not adequately pled that her actions — accessing and deleting data and software — were unauthorized. The court rejected this argument, finding that while it may be implausible (a la Twombly and Iqbal) that Monson wasn’t authorized to access her own email account, there was no reason to find it implausible she was not authorized to access the email accounts of others.

SCA claim

The court dismissed the SCA claim for essentially the same reason. Monson had argued that the school’s “formulaic” statement that she had accessed the stored electronic communications were not pled with enough detail to state a claim. The court found that the allegations were sufficient.

Photo courtesy of Flickr user croncast under this Creative Commons license.

June 15, 2010 Computer Crime, Privacy

Access to private email server supports Stored Communications Act claims

Devine v. Kapasi, 2010 WL 2293461 (N.D. Ill. June 7, 2010)

Kapasi and Devine were equal shareholders in a corporation. In August 2009, the two decided to part ways. The corporation transferred one of its servers to Devine, and he immediately put it into the service of his new company.

After the server was transferred, Kapasi and some employees of the old company allegedly logged on to the server to access and delete email messages stored on that machine. Devine and his new company sued for violation of the Stored Communications Act (at 18 U.S.C. §2701) and the Computer Fraud and Abuse Act (at 18 U.S.C. §1030).

The defendants moved to dismiss under FRCP 12(b)(6) for failure to state a claim. The court denied the motion as to the Stored Communications Act claims but granted the motion (with leave to amend) as to the Computer Fraud and Abuse Act claims.

The Stored Communications Act claims

The defendants argued that the Stored Communications Act did not apply to access to the server because plaintiffs did not provide an electronic communications service to the public. Defendants relied on the case of Andersen Consulting LLP v. UOP, 991 F.Supp. 1041 (N.D.Il.1998) to support this argument. In that case, the court dismissed a Stored Communications Act claim for unauthorized disclosure of emails under 18 U.S.C. §2702. The Andersen Consulting court held that disclosure of emails obtained from the server of a company not in the business of providing electronic communications services to the public did not violate the Stored Communications Act.

This case, however, arose under 18 U.S.C. §2701, which does not impose the same scope on potential defendants – the term “to the public” does not appear in connection with the provision of electronic communication services in §2701. Section 2701 deals with unauthorized access, while §2702 deals with unauthorized disclosure.

So the court held that “[w]here, as here, a plaintiff pleads that it stores electronic communications on its own systems, and that a defendant intentionally and without authorization got hold of those stored communications through the plaintiff’s electronic facilities, the plaintiff states a claim under § 2701 of the [Stored Communications Act].”

The Computer Fraud and Abuse Act claims

The court dismissed the Computer Fraud and Abuse Act claims, finding that the plaintiffs failed to plead that they suffered a cognizable “loss” under the statute. The plaintiffs were required to plead that the defendants’ conduct “caused . . . loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.” Such allegations were simply missing from the complaint.

The defendants tried an interesting argument that the court rejected as premature at the motion to dismiss stage. They argued that since one of the plaintiffs was a technology company, it should have had a backup of all the data allegedly deleted. Therefore, any cost in excess of the $5,000 statutory threshold would not be a “reasonable cost.” Though it didn’t fly at the motion to dismiss stage, such an argument may fare better in a motion for summary judgment.

Photo courtesy Flickr user Jordiet under this Creative Commons License.

June 23, 2008 Privacy

Employee text messages covered under Stored Communications Act and Fourth Amendment

Quon v. Arch Wireless Operating Co., Inc., — F.3d —-, 2008 WL 2440559 (9th Cir. June 18, 2008)

Sergeant Quon’s employer, the City of Ontario, California Police Department, issued him a pager with which he could send and receive text messages. Copies of text messages sent and received using the pager were archived on Arch Wireless’s computer server. The City’s agreement with Arch Wireless allowed for each user to send up to 25,000 characters’ worth of messages a month.

The police department required any employee who went over that monthly limit to pay the overage charges. Quon went over that limit several times and paid the extra fees. After awhile, the department started to investigate Quon, ostensibly to see whether the department should seek to raise the 25,000 monthly character limit. Quon’s supervisor had told him that the department would not review the contents of the messages if he continued to pay for the overages.

But the department acquired transcripts of the messages anyway. Quon sued, alleging violations of the Stored Communications Act, 18 U.S.C. §§2701-2711 (SCA) and the Fourth Amendment.

The district court awarded summary judgment to the defendants on the SCA claim, finding that Arch Wireless was a “remote computing service” as defined by the SCA, and thus it was appropriate for Arch Wireless to turn over the contents of the messages to the police department as a “subscriber” to the service.

On the defendants’ summary judgment motion on the Fourth Amendment claim, the district court determined that Quon had a reasonable expectation of privacy, but that the question of whether the search of the contents of the messages by the police chief was reasonable should be heard by a jury. That jury found that the search was reasonable because it was to determine the efficacy of the 25,000 character limit (i.e., to determine whether work-related reasons warranted upgrading).

Quon sought review of both the SCA and Fourth Amendment issues with the Ninth Circuit. On appeal, the court reversed the lower court’s holding that the SCA was not violated. As for the Fourth Amendment claim, the appellate court held that the search by the police chief was unreasonable as a matter of law, and that the question should not have even made it to the jury.

On the SCA claim, the court looked to the plain meaning of the statute as well as the legislative history from 1986 to conclude that the lower court’s determination that Arch Wireless was a remote computer service was erroneous. Arch Wireless did not provide “computer storage” nor “processing services.” Although Arch Wireless was storing the messages after transmission, the court held that that function was contemplated as one for an electronic communications service as well, which was more in line with the services Arch Wireless provided. So when Arch Wireless turned over the contents of the messages to the police department, which was merely a subscriber and not “an addressee or intended recipient of such communication[s],” it violated the SCA.

On the Fourth Amendment question, the court concluded that the search was unreasonable as a matter of law because it was unreasonable in its scope. Assuming that the only reason the police chief wanted to check the efficacy of the 25,000 character limit, there would have been less intrusive ways of doing so. Quon could have been asked to count the characters himself, or could have redacted personal messages in connection with an audit.