October 23, 2013

Employees’ right to privacy and the Stored Communications Act

Posted in Employment Law by Gene Killian |

How many times have you already been on the Internet today?  (Google has 700 million daily visitors.) It’s fairly amazing that the Internet only became widely commercially available around 1995, and that Facebook has only been around since 2004 (less than 10 years).  (I’m told that teenagers have now moved away from Facebook to other social media outlets because their parents are all on Facebook now, though.)

The Internet has obviously fundamentally transformed the way in which we do business, and has brought with it a new set of liabilities, and legal and insurance problems. As the law continues to develop regarding employee privacy, for example, one thing has become clear: There’s a difference between the employer owning a device, and the employer owning information accessed through that device. If the device is used as a portal to obtain access to an employee’s private emails or information (such as by tapping into private AOL or gmail accounts), a Court is likely to view the intrusion with disapproval. Here in New Jersey, for example, we had a case not long ago where an employee used a work computer to communicate with her lawyer through an AOL account. The Court held that even though the employer owned the computer, her private emails accessed through the computer remained privileged.

A recent Ohio federal case presents an interesting question: An employee resigning her position (Lazette) returns a company-owned computer device (in this case, a Blackberry) to her employer. A supervisor (Kulmatycki) then uses the device to access Lazette’s private email account (in this case, a gmail account). Kulmatycki reads 48,000 emails belonging to the employee. The employee finds out, is justifiably unhappy, and brings suit under, among other provisions, the federal Stored Communications Act,18 U.S.C. §2701 et seq.  Is Kulmatycki liable? How about the employer (Verizon)?

(The initial question I have about this case actually is along the lines of “get a life.” Who has time to read 48,000 personal emails? Equally significant, who has the time to write 48,000 personal emails?)

The SCA has been around since 1986, and is intended to afford privacy protection to electronic communications. The legislative history explicitly states that the SCA “addresses the growing problem of unauthorized persons deliberately gaining access to electronic or wire communications that are not intended to be available to the public.”

The Court first considered and rejected Verizon’s argument that, because the dispute involved a company-owned Blackberry, “snooping” was acceptable. Verizon argued that because Kulmatycki indisputably had authority to use the Blackberry on which others were sending emails to Lazette, he could use it to access those emails. The Court wrote: “The mere fact that Kulmatycki used a company-owned Blackberry to access plaintiff’s emails does not mean that he acted with authorization when he did so.”

The Court then considered the technical requirements of the SCA, which prohibits “intentionally accessing without authorization a facility through which an electronic communication service is provided.” (Emphasis mine.) Verizon argued that the Blackberry was a “facility”, and that Kulmatycki was an authorized user of the Blackberry.  The Court disagreed, ruling that cell phones, Blackberries, and personal computers do not constitute “facilities.”  “The relevant facilities that the SCA is designed to protect are not computers that enable the use of an electronic communication service, but instead are facilities that are operated by electronic communication service providers and used to store and maintain electronic storage.”

The next question was whether Lazette had specifically authorized access to her gmail account. Verizon argued that she had done so when she returned the Blackberry “without having ensured that she had deleted her gmail account.” The Court held that negligence is not the same as approval, writing: “There is a difference between someone who fails to leave the door locked when going out and someone who leaves it open knowing someone will be stopping by.”

The Court then considered whether Lazette’s emails were in “electronic storage” when Kulmatycki accessed them, another SCA requirement.  Verizon argued that only emails awaiting opening by the intended recipient could be deemed to be in “electronic storage.” Here, the Court agreed in part, writing:  “Given the volume of emails which plaintiff alleges Kulmatycki opened, I believe that I can draw a fair and plausible inference that Kulmatycki opened some of those emails before plaintiff did, and thus, in doing so, violated [the SCA].” The Court granted a motion to dismiss only “to the extent that plaintiff seeks to recover for [Kulmatycki’s] opening of emails which she had opened before he did.”  Logic:  If she left them opened on the device, she didn’t intend for them to be private.

The last question, and perhaps the most critical one for employers, was whether Verizon would be vicariously liable for the actions of its employee, Kulmatycki.  While Verizon acknowledged that Kulmatycki’s actions were within the scope of his employment, the SCA contains a provision providing that an “electronic communication service” is exempt from the act. Verizon argued that the complaint was unclear as to whether Lazette’s gmail account was separate from the account Verizon provided for her work-related use.  According to Verizon, if the gmail account was separate, then Verizon was acting as an “electronic communication service” for Lazette (as opposed to merely an employer) and therefore exempt. The Court bounced this contention under both the SCA and common law, writing: “All that plaintiff had to assert was that she had a gmail account and Kulmatycki accessed her emails without authorization. She has done so.”  (In my experience, most judges tend to look for the “white hat” and the “black hat.” Hypertechnical arguments tend not to impress them, especially on a motion to dismiss.)

In the employment arena, the SCA will continue to be a concern. In a recent federal case here in New Jersey, for example, the Court specifically found that private Facebook pages are subject to the SCA. In that case, however, the employee’s suit failed because she had voluntarily “friended” her supervisor.

The important thing to keep in mind is that many supervisors have no idea what they’re doing when they access employees’ private data. They need to be trained on that issue, and advised that serious liabilities may result if data is accessed inappropriately. Finally, although we discuss insurance issues on our companion blog, any time a company is faced with a lawsuit for “invasion of privacy,” general liability coverage and EPLI should be carefully reviewed. There may be insurance for the suit.  

You can read the full decision in Lazette v. Kulmatycki by clicking here.     

-        Gene Killian