Views

Accessing personal email via company mobile phone may violate Stored Communications Act

In Levin v. ImpactOffice LLC, the federal court in Maryland ruled that a former employee’s claim survived a motion to dismiss where she alleged that her former employer violated the Stored Communications Act (“SCA”) when it accessed personal emails in her Google Gmail account after she surrendered her company-issued mobile phone.

This case offers an important reminder to employers to think twice before accessing an employee’s personal email account – even if it’s through a company-owned device.

The Facts

Melissa Edwards was a former marketing representative for an affiliate of Impact, who resigned her employment in May of 2016.

During the course of her employment, she purchased a personal mobile phone through Impact and paid the entire cost of the phone through payroll deductions. However, after her resignation, Impact demanded that she return the phone, and she did so.

elderly-swipe-fotolia.jpg
Close up of a wrinkled finger touching a mobilephone

Importantly, Edwards deleted all emails that were stored on the phone – including personal emails – before she sent the phone to Impact. After Impact received the phone, however, because the local copies of the emails had been deleted, it used the phone to access Edwards’ personal email accounts, which thereby allowed it to see emails that were stored on the servers of her personal email providers.

Impact took the further step of deleting evidence that it had forwarded Edwards’ emails from her account to Impact’s legal counsel.

The Stored Communications Act

The SCA is violated when a person “intentionally accesses without authorization a facility through which an electronic communication service is provided” and “thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.” 18 U.S.C. 2701(a).

The SCA defines “electronic storage” as “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.” 18 U.S.C. 2510(17).

The Court’s Analysis

Impact argued that Edwards did not sufficiently allege a violation of the SCA because she failed to allege that the emails were unopened – and therefore in “electronic storage” – at the time Impact accessed them.

Impact took the position that opened emails cannot be in electronic storage under the SCA’s definitions of that term. Edwards disagreed. Considering both definitions of “electronic storage” under the SCA, the court concluded that Edwards did not need to specifically allege that her emails were unopened in order to state a claim under the SCA.

The first definition of electronic storage – “any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof” – is generally understood by the courts to cover email messages that are stored on a server before they have been delivered to, or retrieved by, the recipient. In other words, these are emails that are sitting on a server and waiting to be read for the first time.

Notwithstanding that interpretation of the first definition, the court found that a plaintiff does not have to specifically allege that emails at issue were unopened. The court further noted that whether emails were opened or unopened at the time they were access is a fact-intensive question. Because there was no evidence that Edwards had previously opened the emails in question, the court presumed – viewing Edwards’ allegations in the light most favorable to her as it must do at the motion to dismiss stage – that the emails were unopened at the time Impact accessed them. Therefore, at least some of the emails were presumed by the court to have been in “temporary, intermediate storage.”

The second definition of electronic storage – “storage … for purposes of backup protection of such communication” – has been deemed to include messages left on a server after delivery to provide a second copy of the message in the event the user needs to download it again (such as if the message was accidentally deleted locally). In other words, there is a distinction between an email system where emails are downloaded to an electronic device for local access, with a copy kept on the server for backup purposes, versus an email system where the internet service provider’s server is the only place emails are stored, in which case the email would not be stored “for purposes of backup protection.”

The court opined that because Edwards alleged that she physically deleted emails from her phone before surrendering the phone, and because those emails were later accessed by Impact, her emails could be deemed to have been stored on the server “for purposes of backup protection.” Thus, Edwards sufficiently alleged a violation of the SCA under the second definition of electronic storage.

While the court denied Impact’s motion to dismiss Edwards’ SCA claim, permitting the SCA claim to survive, it noted that in order to prevail on her claim, Edwards will be required to prove that the allegedly accessed emails were either unopened and in temporary storage, or that they were stored for purposes of backup protection.

Employers Beware

Employers can and should derive a few important lessons from this case to avoid a potentially costly situation. Chief among them is to think twice when tempted to access your employees’ or former employees’ personal email account – even on a company-issued phone.

In a similar case, Lazette v. Kulmatyci, the employee returned her company-owned Blackberry to her employer, but did not properly disconnect her Gmail account from it before doing so. Over the next 18 months, her supervisor read 48,000 emails sent to that account, some of which were quite personal. The court in that case found that email stored in webmail accounts (like Gmail) is protected by the SCA.

In Lazette, the court rejected the employer’s argument that the employer was accessing only the company-owned device, recognizing that he was actually using that device to access the employee’s Gmail account. The court also rejected the employer’s argument that the employee had impliedly consented to the employer’s review of her Gmail by not properly disconnecting the account.

The SCA presents a number of potential pitfalls, some of which are not readily apparent even to technologically sophisticated employers. The SCA was written prior to the advent of modern electronic devices and email, and courts are working hard to interpret the Act consistent with this ever-changing technology. While employers have every right to search information stored on their own devices, they should first seek counsel before accessing or reviewing an employee’s personal email accounts.

This article originally appeared on the Mintz Levin website. The information in this legal alert is for educational purposes only and should not be taken as specific legal advice.

For reprint and licensing requests for this article, click here.
Benefit compliance Compliance reviews Employee engagement
MORE FROM EMPLOYEE BENEFIT NEWS