A departing employee who turns in her office BlackBerry incautiously allowed her former boss access to 48,000 (!) private g-mails messages. Are the boss and employer possibly liable for violations of the federal Stored Communications Act (SCA), 18 U.S.C. § 2701 et seq., by opening and reading some of those messages? A district court in Ohio holds in favor of the employee, denying a motion to dismiss her complaint on this count.
According to the plaintiff's complaint, summarized in the opinion:
"[Defendant] Verizon provided the blackberry for plaintiff's use. She was told that she could use the company-issued phone for personal e-mail. She had an account with g-mail, though she believed she had deleted that account from the phone before giving it to [former boss] Kulmatycki in September, 2010. She understood that Verizon would "recycle" the phone for use by another employee."
Evidently, Kulmatycki continued to use the device for 18 months to access Lazette's personal emails, including "communications about plaintiff's family, career, financials, health, and other personal matters." Upon discovering the breach, the employee changed her password, then filed this suit alleging violations of state and federal law.
Section 2701 of the SCA states that it is a violation when a person "intentionally accesses without authorization" a "facility" that stores electronic communications, or "intentionally exceeds an authorization to access that facility," and then obtains "access to a wire or electronic communication while it is in electronic storage." Anyone who uses a password without authorization to obtain data from a server or on-line service potentially falls within this prohibition.
The district court denies a motion to dismiss the SCA count. The court rejects each of the employer's arguments for limiting the scope of the SCA.
"• The relief plaintiff seeks is not available because the legislative history shows that Congress aimed the SCA at 'high-tech' criminals, such as computer hackers": The district court holds that SCA expressly covers any unauthorized access, not limited to a particular class of hackers.
"• Kulmatycki had authority to access plaintiff's e-mails": This tends to be a common misunderstanding by employers - our equipment, our rules. The district court makes short work of it. It distinguishes cases where multiple individuals had common access to the same equipment (such as family members sharing a common PC), where here, the employee had turned over the BlackBerry and was no longer able to use it. Moreover, it was not the plaintiff's burden to plead or prove a misuse of a password. "While password misuse did not occur here, it does not matter. I find nothing in the statute or anywhere else that suggests-just as with defendants' claim that only hackers are liable-use of a password somehow is an element which a SCA plaintiff must prove."
The employer's suggestion that the plaintiff granted implicit consent to search her private emails by using and returning the company BlackBerry, negligently failing to wipe the Gmail access off the device, is also found to be ill-considered. "To be sure, consent under this provision need not be explicit, it can, as defendants allege, also be implied. . . . Negligence is, however, not the same as approval, much less authorization. There is a difference between someone who fails to leave the door locked when going out and one who leaves it open knowing someone be stopping by."
"• Kulmatycki's access did not occur via 'a facility through which an electronic communication service is provided' other than the company owned blackberry": Wrong. The BlackBerry device is not a SCA "facility," but merely a handheld portal into remote servers, including the server the held Lazette's mail. It was the unauthorized access in that server that potentially violated the plaintiff's rights. "[T]he better, more sensible, and harmonious reading of the SCA is that a personal computer, and, ergo, a blackberry or cell phone, is not a 'facility' within § 2701(a)(1)."
"• The e-mails were not in electronic storage when Kulmatycki read them": This argument, the court holds, has some weight and requires distinguishing two categories of e-mails. The statute prevents interception of either (1) communications in "temporary, intermediate storage . . . incidental to the electronic transmission"; or (2) in storage "by an electronic communication service for purposes of backup protection of such communication." Thus, e-mails that the employee had opened but not deleted - that remained, here, on Google's servers after delivery - the court holds are not "stored" within the meaning of the SCA. That is, they are not "stored" for the specific purpose of preserving them as backup. On the other hand, e-mails not yet opened by the intended recipient do fall into the first protected category. If Kulmatycki opened one or more up, there was potentially a violation of the SCA.
"• Verizon may be exempt from the SCA under § 2701(c)(1), which states that the person or entity providing an electronic communications service is exempt from the Act, because the complaint does not make clear that plaintiff's g-mail account was separate from her company account": The district court holds that although Verizon may raise that defense at a later time, it was no ground to dismiss the complaint. Although Verizon might be a statutory "provider," it was premature to decide that at the complaint stage: "[D]efendants look outside the four corners of plaintiff's complaint for assistance. All that plaintiff had to assert was that she had a g-mail account and Kulmatycki accessed her emails without authorization. She has done so."
The court also dismisses a related claim for violation of federal wiretapping laws (Title III), but allows two state law claims (a privacy tort and a statutory claim for injuries due to criminal misconduct) to continue.