September 25, 2015

Can accessing a competitor’s website constitute a (costly) violation of the Federal Stored Communications Act?

Posted in Commercial Litigation, Corporate Litigation by Gene Killian |

Having been involved in insurance claims, litigation, and trial work for 30 years, I can tell you that when the words “increasingly contentious” appear in a judicial opinion to describe the relationship between the parties, it’s almost never a good thing. (Actually, I take that back. It’s usually good for the lawyers, but not so great for the clients.)

I’ve also been through enough business breakups to know that they can become as bitter as divorces. We had one in the office awhile back where one partner accused the other of sexual harassment, and the accused partner responded by threatening criminal prosecution for theft of corporate funds. When things escalate like that, nobody really wins.

This background explains why I was interested in a recent decision from a federal court in Ohio, Cobra Pipeline v. Gas Natural Inc., involving an apparently nasty business breakup, followed by accusations of violations of federal confidentiality laws.  What lessons can we learn from the case? 

Basically, two companies, Cobra Pipeline and Gas Natural, had a business relationship. During the relationship, Cobra gave certain Gas Natural employees the login information for Cobra’s truck fleet tracking website, called SageQuest.  After the relationship ended (unhappily), the Gas Natural employees continued to access the restricted website.  The Gas Natural people explained this by saying they needed to protect themselves from the “increasingly erratic conduct” of Cobra’s principal, who had once worked for Gas Natural. (Not sure whether that means he was trying to run them over with 18-wheelers.)

Cobra, not happy about the unauthorized access, filed suit under the federal Stored Communications Act [18 U.S.C. 121 §§ 2701–2712] and the federal Wiretap Act. [18 U.S.C. §2511].

The SCA makes it illegal to “intentionally access…without authorization a facility through which an electronic communication service is provided…and thereby obtain…a wire or electronic communication while it is in electronic storage.” 

Question: What’s “electronic storage?” Doesn’t information stored on a website qualify? (This sounds like a law school exam.)

No, said the Court. The SageQuest system basically functions like an electronic bulletin board. According to the Court: “The data is not being sent to a particular person, and the data is not being  accessed during the transmission to any user. Any user – whether authorized or not – is reviewing Sage Quest’s fleet data after it has reached its final destination. Thus, the information accessed not cannot have been in storage [as defined by the statute].”

The SCA also prohibits unauthorized access to information in “storage... for purposes of backup protection of such communication.” According to the Court, no “backup” information had been tapped. The Court wrote: “Consider, for example, if the truck fleet data were kept in a paper form. The website is similar to a copy available to authorized users in the Sage Quest lobby. A backup copy is similar to a secondary copy in a safety deposit box at another location. Reading the lobby paper copy is not equivalent to reading the separate location’s backup copy. In turn, accessing the Sage Quest website is not equivalent to accessing the fleet data while it is in storage ‘for purposes of backup protection.’”

The Wiretap Act seems like a weird fit for a case involving unauthorized access to a website.  I guess I’ve seen too many cop movies; when I think of “wiretaps,” I think of coffee-breathed, rumpled detectives sitting in a van at the edge of the street with monitoring equipment. But the Wiretap Act [18 U.S.C. §2511] is actually drafted fairly broadly, and creates a cause of action against any person who “intentionally intercepts, endeavors to intercept, or induces any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication.” Here, the Court noted that Federal Circuits have held consistently that accessing a communication does not violate the Wired Act unless the access is “contemporaneous” with a transmission to an intended recipient. (I don’t see that in the statute, but I don’t wear a black robe, either.)

The Court dismissed the Wiretap Act claim, writing: “Plaintiff cannot show as a matter of law that the Defendants’ use of the SageQuest logon constituted ‘interception.’ Interception requires a transmission of communication between two points, with some interruption during or contemporaneous with that transmission.… When [Gas Natural employees] accessed Sage Quest, they were accessing the information at the expected end-point of the transmission. [There is] no evidence which could establish that any communications were ‘intercepted.’”

Many times, statutes dealing with unauthorized access to information were enacted years ago, before our current cyber-world evolved. In an effort to make such statutes apply to the current business environment, lawyers are often trying to pound square pegs into round holes. That won’t prevent smart lawyers from trying, though. This case emphasizes two things for me. First, although we generally discuss insurance issues on our separate insurance blog, it’s not a bad idea for companies of all sizes to consider very seriously purchasing cyber-liability insurance. For one thing, simply filling out the application will demonstrate to you where the need exists for better controls in your organization. Second, I’m puzzled by why the Gas Natural people were still able to access the website after the business relationship broke up.  As a matter of good practice, access should have been shut down immediately.