Can a company snoop on its employee’s personal email account?

email snoop

Plaintiff was an administrative assistant at defendant company. When her supervisor got word that plaintiff had been asked to join a competing company started by some other former company employees, the supervisor allegedly logged onto plaintiff’s work computer and without authorization accessed plaintiff’s Gmail account to get more information confirming plaintiff’s plans. Plaintiff was later terminated.

So she sued under the federal Stored Communications Act (“SCA”) and the Federal Wiretap Act (under a part of that act often called the Electronic Communications Privacy Act (“ECPA”)). Defendant moved to dismiss both the claims. The court denied the motion to dismiss the SCA claim but dismissed the ECPA claim.

The SCA prohibits, among other things, the intentional unauthorized access of a “facility through which an electronic communication service is provided”—thereby obtaining access to an electronic communication while in electronic storage. 18 U.S.C. § 2701(a). A court may award actual damages, statutory damages, and punitive damages for violation of the SCA. If a plaintiff seeks statutory damages under the SCA, it must prove actual damages. But one need not prove actual damages to recover punitive damages. The ECPA prohibits, among other things, the “interception” of electronic communication. 18 U.S.C. § 2511(a). Courts have generally held that such “interception” must be contemporaneous with transmission.

The court held plaintiff could move forward with her SCA claim even though she had not pled actual damages. She had sufficiently pled that she should be awarded punitive damages. And the court tossed the ECPA claim because the facts as alleged showed that the email messages the employer allegedly accessed had already been delivered and therefore were not intercepted as the statute requires for liability.

Benz v. PHB Realty Co., 2022 WL 3098579 (D. Kansas, August 4, 2022)

See also:

Court allows class action plaintiffs to set up social media accounts to draw in other plaintiffs

Some former interns sued Gawker media under the Fair Labor Standards Act. The court ordered the parties to meet and confer about the content and dissemination of the proposed notice to other potential class members. Plaintiffs suggested, among other things, that they establish social media accounts (Facebook, Twitter, LinkedIn) titled “Gawker Intern Lawsuit” or “Gawker Class Action”. Gawker objected.

The court permitted the establishment of the social media accounts. It rejected Gawker’s argument that the lack of evidence that any former intern used social media would make the notice ineffective. The court found it “unrealistic” that the former interns did not maintain social media accounts.

Gawker also argued that social media to give notice would take control of the dissemination out of the court’s hands. Since users could comment on the posted content, Gawker argued, the court would be “deprived” of its ability to oversee the message. The court likewise rejected this argument, holding that its “role [was] to ensure the fairness and accuracy of the parties’ communications with potential plaintiffs – not to be the arbiter of all discussions not involving the parties that may take place thereafter.”

Mark v. Gawker Media LLC, No. 13-4347, 2014 WL 5557489 (S.D.N.Y. November 3, 2014)

Using new employer’s credentials to copy former employer’s technology did not violate Computer Fraud and Abuse Act

This case arose from some rather complex but interesting facts:

8e19fbd8a556c7b63610c1cfd7782f10Defendant resigned from his job with an IT consulting firm. One of the firm’s customers hired defendant as an employee. Before the customer/new employer terminated the agreement with the IT consulting firm/former employer, defendant used the customer/new employer’s credentials to access and copy some scripts from the system. (Having the new employee and the scripts eliminated the need to have the consulting firm retained.) The firm/former employer sued under the Computer Fraud and Abuse Act. Defendants (the customer and its new employee) moved to dismiss for failure to state a claim. The court granted the motion.

It held that the complaint failed to allege “unauthorized access” within the Ninth Circuit’s interpretation of the CFAA.

The court looked to the Ninth Circuit’s holding in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), which provides that to access a protected computer “without authorization” is to do so “without any permission at all,” and that to “exceed authorized access” is to “access information on the computer that the person is not entitled to access.” And it looked to the more recent case of U.S. v. Nosal, 676 F.3d 854, 863 (9th Cir. 2012), which teaches that an individual does not “exceed authorized access” simply by misusing information that he or she was entitled to view for some other purpose. Under Nosal, the CFAA regulates access to data, not its use by those entitled to access it.

In this case, the court found that the complaint did not allege that defendants were unauthorized to access the scripts in question. In fact, the Statement of Work that the court reviewed specifically granted defendant’s employer and its representatives (including defendant) “sudo access” to “non-shell root commands” that included the scripts at issue.

Plaintiff argued that the access was unauthorized because it had repeatedly refused to grant defendant or his employer the authority to write or edit those scripts. But the court found that argument to address the misuse of the scripts, not unauthorized access. Under Nosal this conduct did not run afoul of the CFAA. So because the complaint failed to allege that defendant and his new employer had no access rights to the scripts, and because the documents upon which plaintiff relied revealed that defendants had certain access rights, the court dismissed the CFAA claim.

Enki Corporation v. Freedman, 2014 WL 261798 (N.D.Cal. January 23, 2014)

Facebook activity did not support claim that employee solicited former employer’s clients

About the Author: Evan Brown is a Chicago technology and intellectual property attorney. Need assistance? Call Evan at (630) 362-7237, send email to ebrown [at] internetcases.com, or follow him on Twitter @internetcases.

Invidia, LLC v. DiFonzo, 2012 WL 5576406 (Mass.Super. October 22, 2012)

Defendant hairstylist signed an employment agreement with plaintiff that restricted her from soliciting any of plaintiff’s clients or customers for 2 years. Four days after she quit plaintiff’s salon, her new employer announced on Facebook that defendant had come on board as a stylist. One of defendant’s former clients left a comment to that post about looking forward to an upcoming appointment.

stylist

Either before or after she left plaintiff’s employ (the opinion is not clear about this), defendant had become Facebook friends with at least 8 of the customers she served while working for plaintiff.

Plaintiff sued for breach of contract and sought a preliminary injunction. The court denied the motion, in part because plaintiff failed to show evidence that defendant had violated the nonsolicitation provision.

The court found that it did not constitute solicitation of plaintiff’s customers to post a notice on Facebook that defendant was beginning work at a new salon. The court said it would have viewed it differently had plaintiff contacted a client to tell her that she was moving to a new salon, but there was no evidence of any such contact.

As for having clients as Facebook friends, the court noted that:

[O]ne can be Facebook friends with others without soliciting those friends to change hair salons, and [plaintiff] has presented no evidence of any communications, through Facebook or otherwise, in which [defendant] has suggested to these Facebook friends that they should take their business to her chair at [her new employer].

See also, TEKsystems, Inc. v. Hammernick.

Photo courtesy Flickr user planetc1 under this Creative Commons license

No Computer Fraud and Abuse Act violation for taking over former employee’s LinkedIn account

Eagle v. Morgan, 2012 WL 4739436 (E.D.Pa. October 4, 2012)

After plaintiff was fired as an executive, her former employer (using the password known by another employee) took over plaintiff’s LinkedIn account. It kept all of plaintiff’s contacts and recommendations but switched out plaintiff’s name and photo with those of the new CEO.

LinkedIn identity writ large

Plaintiff sued in federal court under the Computer Fraud and Abuse Act, the Lanham Act, and a slew of state law claims including identity theft, conversion and tortious interference. The former employer moved for summary judgment on the CFAA and Lanham Act claims. The court granted the motion, but continued to exercise supplemental jurisdiction over the state law claims.

On the CFAA claim, the court found that plaintiff failed to show how the taking over over her account gave rise to a cognizable loss under the CFAA. The kinds of losses she tried to prove, e.g., lost future business opportunities and professional reputation, did not pertain to any impairment or damage to a computer or computer system. Moreover, the court found, plaintiff failed to specify or quantify the damages she alleged.

As for the Lanham Act claim, the court found that there was no likelihood of confusion. It noted that “anyone who navigated to [plaintiff’s] LinkedIn account would be met with [the new CEO’s] name, photograph and new position.” Accordingly, there was no effort to “pass off” the new CEO as plaintiff or to otherwise suggest an endorsement or affiliation.

Though it dismissed all the federal claims, the court kept the pending state law claims. The matter had been before the court for over a year, the judge was familiar with the facts and the parties, and dismissing it so soon before trial would not have been fair.

Other coverage by Venkat.

Photo credit: Flickr user smi23le under this Creative Commons license.

Reading a non-friend’s comment on Facebook wall was not a privacy invasion

Sumien v. CareFlite, 2012 WL 2579525 (Tex.App. July 5, 2012)

Plaintiff, an emergency medical technician, got fired after he commented on his coworker’s Facebook status update. The coworker had complained in her post about belligerent patients and the use of restraints. Here is plaintiff’s comment:

Yeah like a boot to the head…. Seriously yeah restraints and actual HELP from [the police] instead of the norm.

After getting fired, plaintiff sued his former employer for, among other things, “intrusion upon seclusion” under Texas law. That tort requires a plaintiff to show (1) an intentional intrusion, physical or otherwise, upon another’s solitude, seclusion or private affairs that (2) would be highly offensive to a reasonable person.

The trial court threw out the case on summary judgment. Plaintiff sought review with the Court of Appeals of Texas. On appeal, the court affirmed the summary judgment award.

The court found plaintiff failed to provide any evidence his former employer “intruded” when it encountered the offending comment. Plaintiff had presented evidence that he misunderstood his co-worker’s Facebook settings, did not know who had access to his co-worker’s Facebook Wall, and did not know how his employer was able to view the comment. But none of these misunderstandings of the plaintiff transformed the former employer’s viewing of the comment into an intentional tort.

Read Professor Goldman’s post on this case.


Photo credit: Flickr user H.L.I.T. under this license.

Employer not allowed to search for porn on employee’s home computer

Former employee sued her old company for subjecting her to a sexually hostile workplace and for firing her after she reported it. She claimed that she had never looked at pornography before she saw some on the computers at work. During discovery in the lawsuit, the company requested that employee turn over her home computer so that the company’s “forensic computer examiner” could inspect them.

The trial court compelled employee to produce her computer so that the forensic examiner could look for pornography in her web browsing history and email attachments. The employee sought mandamus review with the court of appeals (i.e., she asked the appellate court to order the lower court not to require the production of the hardware). The appellate held that she was entitled to relief, and that she did not have to hand over her computer.

The appellate court found that the lower court failed to consider an appropriate protective order that would limit inspection to uncover specifically-sought information in a particular form of production. In this case, the company had merely asked for the hardware without informing employee of the exact nature of the information sought. And the company provided no information about the qualifications of its forensic examiner. Though the trial court tried to limit the scope of the inspection with carefully chosen wording, the appellate court found that was not sufficient to protect the employee from the risks associated with a highly intrusive search.

In re Jordan, — S.W.3d —, 2012 WL 1098275 (Texas App., April 3, 2012)

Teacher fired over Facebook post gets her job back

Court invokes notion of “contextual integrity” to evaluate social media user’s online behavior.

Rubino v. City of New York, 2012 WL 373101 (N.Y. Sup. February 1, 2012)

The day after a student drowned at the beach while on a field trip, a fifth grade teacher updated her Facebook status to say:

After today, I am thinking the beach sounds like a wonderful idea for my 5th graders! I HATE THEIR GUTS! They are the devils (sic) spawn!

Three days later, she regretted saying that enough to delete the post. But the school had already found out about it and fired her. After going through the administrative channels, the teacher went to court to challenge her termination.

The court agreed that getting fired was too stiff a penalty. It found that the termination was so disproportionate to the offense, in the light of all the circumstances, that it was “shocking to one’s sense of fairness.” The teacher had an unblemished record before this incident, and what’s more, she posted the content outside of school and after school hours. And there was no evidence it affected her ability to teach.

But the court said some things about the teacher’s use of social media that were even more interesting. It drew on a notion of what scholars have called “contextual integrity” to evaluate the teacher’s online behavior:

[E]ven though petitioner should have known that her postings could become public more easily than if she had uttered them during a telephone call or over dinner, given the illusion that Facebook postings reach only Facebook friends and the fleeting nature of social media, her expectation that only her friends, all of whom are adults, would see the postings is not only apparent, but reasonable.

So while the court found the teacher’s online comments to be “repulsive,” having her lose her job over them went too far.

Court requires fired social media employee to return usernames and passwords

Ardis Health, LLC v. Nankivell, 2011 WL 4965172 (S.D.N.Y. October 19, 2011)

Defendant was hired to be plaintiffs’ “video and social media producer,” with responsibilities that included maintaining social media pages in connection with the online marketing of plaintiffs’ products. After she was terminated, she refused to tell her former employers the usernames and passwords for various social media accounts. (The case doesn’t say which ones, but it’s probably safe to assume these were Facebook pages and maybe Twitter accounts.) So plaintiffs sued, and sought a preliminary injunction requiring defendant to return the login information. The court granted the motion for preliminary injunction.

The court found that plaintiffs had come forward with sufficient evidence to support a finding of irreparable harm if the login information was not returned prior to a final disposition in the case:

Plaintiffs depend heavily on their online presence to advertise their businesses, which requires the ability to continuously update their profiles and pages and react to online trends. The inability to do so unquestionably has a negative effect on plaintiffs’ reputation and ability to remain competitive, and the magnitude of that effect is difficult, if not impossible, to quantify in monetary terms. Such injury constitutes irreparable harm.

Defendant argued there would not be irreparable harm because the web content had not been updated in over two years. But the court rejected that argument, mainly because it would have been unfair to let the defendant benefit from her own failure to perform her job responsibilities:

Defendant was employed by plaintiffs for the entirety of that period, and she acknowledges that it was her responsibility to post content to those websites. Defendant cannot use her own failure to perform her duties as a defense.

Moreover, the court found that the plaintiffs would lose out by not being able to leverage new opportunities. For example, plaintiffs had recently hopped on the copy Groupon bandwagon by participating in “daily deal” promotions. The court noted that the success of those promotions depended heavily on tie-ins with social media. So in this way the unavailability of the social media login information also contributed to irreparable harm.

Employer did not violate employee’s privacy by accessing personal laptop

Sitton v. Print Direction, Inc., — S.E.2d —, 2011 WL 4469712 (Ga.App. September 28, 2011)

A Georgia court held that an employee using a personal laptop to conduct business for a competitor did not have an invasion of privacy claim when his employer busted him at work using the laptop to send email.

Plaintiff-employee worked for a printing company. His wife also owned a printing business. On the side, plaintiff would broker printing jobs, sending them to his wife’s company. He would bring his own laptop to work and use that to conduct business for his wife’s company while at work for his employer.

One day, the boss came into plaintiff’s office (apparently when plaintiff was not in the room) and saw that the computer screen on plaintiff’s computer showed a non-work related email account, with messages concerning the brokering of print jobs to the wife’s company. The boss printed out the email messages.

Plaintiff sued, claiming, among other things, common law invasion of privacy and violation of a provision of the Georgia Computer Systems Protection Act. The case went to trial, and plaintiff lost. In fact, he ended up having to pay almost $40,000 to his employer on counterclaims for breach of loyalty. Plaintiff sought review of the trial court’s decision. On appeal, the court affirmed.

The appellate court affirmed the trial court’s finding that the boss’s access to plaintiff’s computer did not constitute common law invasion of privacy based upon an intrusion upon plaintiff’s seclusion or solitude, or into his private affairs. The court held that the boss’s activity was “reasonable in light of the situation” because:

  • He was acting in order to obtain evidence in connection with an investigation of improper employee behavior,
  • The company’s interests were at stake, and
  • He had “every reason” to suspect that plaintiff was conducting a competing business on the side, as in fact he was.

To bolster this holding, the court cited from a Georgia Supreme Court case that said, “[T]here are some shocks, inconveniences and annoyances which members of society in the nature of things must absorb without the right of redress.”

Scroll to top