Supervisor snoops into former employee’s personal Gmail account after she returns company-issued Blackberry

Lazette v. Kulmatycki, 2013 WL 2455937 (N.D. Ohio June 5, 2013)

The line between personal and business use of electronic devices is getting increasingly blurry, especially as more and more workers carry dual-use devices (devices designed for both work and personal use) like smartphones and tablets.  Businesses can benefit from the increases in productivity and morale resulting from this trend, but they also face new privacy concerns.  The recent case of Lazette v. Kulmatycki (N.D. Ohio June 5, 2013) highlights this risk.

Verizon issued a Blackberry smartphone to its employee, Sandi Lazette.  Lazette set up a personal Gmail account on the phone with Verizon’s permission.  Lazette returned the Blackberry to her supervisor when she stopped working for Verizon, understanding that the phone would be “recycled” for use by another Verizon employee.  Lazette thought she had deleted her personal Gmail account before returning the phone, but she had not.  Over the next eighteen months, Lazette’s supervisor read 48,000 emails in her Gmail account without her knowledge or authorization, and shared the contents of certain emails with others.

Lazette sued Verizon and her supervisor for claims including violation of the Stored Communications Act (SCA) and invasion of privacy.  A federal court ruled that Lazette’s supervisor was potentially liable under the SCA for reading personal emails that Lazette had not previously opened, and that Verizon could be vicariously liable for the supervisor’s actions.  The court also allowed Lazette’s privacy claim to move forward.

LegalTXTS Lesson: Lazette teaches important lessons about protecting the privacy of personal employee data on work devices, including dual-use devices.

1.  Don’t read your employees’ personal messages—even if they are readily accessible.  Management should treat an employee’s personal account as private, even if restrictions to accessing the account are minimal or non-existent.  A person does not need to hack into an account or otherwise circumvent access restrictions to electronic communications to be liable under the SCA.  Lazette’s Gmail account was accessible to her supervisor for no reason other than the fact that Lazette failed to delete her account from her Blackberry.  Yet, the court ruled that Lazette’s negligence did not give her former employer implied consent to read her private emails.  The simple act of opening an unread message in an employee’s personal email account was enough to create liability under the SCA.

2.  Construe grants of access narrowly.  If an employee allows a supervisor access to his or her personal email account for work purposes, that is not a grant of access to everything in the account.  In Cheng v. Romo (D. Mass. Nov. 28, 2012), an employee of a medical imaging company gave his supervisor the password to his Yahoo! email account.  Although the employee did not attach conditions to sharing the password, his unstated objective was to share radiologic images that were emailed directly to him.  Years later, the supervisor logged into the account to read emails about the status of the company.  In the lawsuit that followed, the court allowed the employee’s SCA and invasion of privacy claims to go to trial.  Cheng teaches that management should err on the side of preserving privacy if given access to an employee’s private online account for a specific work purpose or no stated reason at all.

3.  Thoroughly purge personal data from company-issued electronic devices before reusing them.  Companies commonly reuse electronic devices (e.g., desktop and laptop computers, cell phones, PDAs, tablets) for work purposes after they have been returned or repaired.  Employees can leave behind personal data on devices such as saved passwords, emails, web history, internet cookies, and the like.  Set and enforce policies requiring the purging of all such data from electronic devices before the devices are issued to another employee.

4.  Clarify employee expectations of privacy upfront if implementing mobile device management (MDM) tools.  One measure for mitigating the risk of security breaches relating to dual-use mobile devices is the use of MDM tools, with controls such as the ability to “remotely wipe” a device should it get lost or compromised.  MDM measures could raise privacy concerns if they result in alteration or destruction of personal data on a dual-use device.  To mitigate such concerns, a company should devise policies clarifying upfront the expectations of privacy that employees should have if they choose to use a dual-use device at work.


Proof of actual damages is not necessary to recover the minimum $1,000 in statutory damages under the Stored Communications Act

Shefts v. Petrakis, 2013 WL 1087695 (C.D. Ill. Mar. 14, 2013)

A person who brings a successful Stored Communications Act (SCA) claim can recover at least $1,000 without having to prove actual damages.  In Shefts v. Petrakis, the plaintiff (Shefts) sued his former employer for violating the SCA by illegally accessing his various messaging accounts, including a Yahoo! email account.  (See my post on an earlier decision in this case regarding after-the-fact authorization of access to emails.)  Shefts did not seek actual damages, but instead, statutory damages under the SCA.  The SCA states that “[t]he court may assess as damages . . . the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000.”  18 U.S.C. § 2707(c).  The defendants argued that Shefts could not recover statutory damages without proving actual damages.  Shefts countered that he may recover statutory damages as an alternative to actual damages.

The trial court agreed with Shefts.  Finding no Supreme Court precedent on point, the court looked at the plain language of the damages statute, legislative history, and other district court decisions.  The court found that the plain language of the statute entitled a successful plaintiff to obtain a minimum recovery of $1,000 in statutory damages.  The legislative history also evidenced the intent of Congress to allow recovery of at least $1,000.  Also persuasive to the court were other district court decisions finding that the SCA does not require actual damages as a condition to recovery.  The court’s ruling meant that, assuming Shefts could establish liability under the SCA, his failure to seek actual damages would not preclude him from recovering statutory damages.

Sharing a link to unauthorized video capture of proprietary information is not a violation of Stored Communications Act

Castle Megastore Group, Inc. v. Wilson, 2013 WL 672895 (D. Ariz. Feb. 25, 2013)

In closing arguments to the jury at the O.J. Simpson murder trial, defense attorney Johnnie Cochran famously quipped, “If it doesn’t fit, you must acquit.”  Plaintiff’s attorneys looking to add a Stored Communications Act (SCA) claim to their complaint would do well to heed Cochran’s advice.  There has been a rash of cases dismissing ill-fitted SCA claims (see my recent posts here and here).  Castle Megastore Group, Inc. v. Wilson is the latest.

Castle Megastore Group, Inc. (CMG) sued its former employees for allegedly sharing confidential company information with other companies while they were still employed at CMG.  CMG claimed that Flynn, who was employed by CMG as its “Social Media Specialist,” violated the SCA by posting a video of a confidential CMG managers meeting on Vimeo, a third party website, and sending co-workers the link to the video and the password to his personal Vimeo account.

This scenario didn’t fit within the prohibitions of the SCA, the court said.  CMG argued that Vimeo was an “electronic communication service” within the meaning of the SCA, that the defendants knew the video contained confidential content before accessing it, and that Flynn lacked authority to give others access to the video.  The court agreed that Vimeo is an electronic communication service, but Vimeo is where Flynn shared the video, not where he obtained it.  CMG did not allege that Flynn obtained the video through unauthorized access to a CMG-owned electronic communication service.  Flynn was authorized to grant access to his personal Vimeo account.  Sharing a link and password to that account did not violate the SCA, the court ruled.

LegalTXTS Lesson:  Read the SCA carefully before making a claim under it.  Understand how the various concepts in the statute (like “access,” “without authorization,” “facility,” and “electronic communication service”) fit together.  Just because one or more of the concepts is present in a given situation doesn’t mean you have a viable SCA claim.

Single words and subject lines in electronic messages are “content” protected by the Stored Communications Act

Optiver Australia Pty, Ltd. v. Tibra Trading Pty. Ltd. & Ors., 2013 WL 256771 (N.D. Cal. Jan. 23, 2013)

Optiver sued its former employees in Australia for allegedly stealing its proprietary source code and using the code to start a competing company, Tibra.  The Australian court allowed Tibra to conduct discovery of emails from Google after finding Tibra’s discovery responses inadequate.  Optiver subpoenaed Google to produce documents relating to emails and Google Talk messages containing the terms “PGP” or “Optiver.”  Tibra moved to quash the subpoena, arguing that Optiver was improperly requesting the content of communications in violation of the Stored Communications Act (SCA).

Optiver countered with three arguments.  First, “PGP” is the name of an encryption system, not content.  Second, Optiver said that it wanted the documents not to discover the substance of the communications, but to locate communications that might be relevant to the foreign litigation.  Third, if the email has been encrypted through PGP, Optiver cannot access the content without the proper encryption key and pass phrase, which it did not have.  The court was unpersuaded.  Content is content, no matter how insignificant, the court said.  The words “PGP” or “Optiver” in the body of a message qualify as content that the SCA protects.

Optiver also argued that subject lines of email communications and Google Talk messages are not protected by the SCA and should be disclosed.  Wrong again, the court said.  The subject line is “nothing less than a pithy summary of the message’s content.”  For support, the court pointed to the legislative history of the SCA.

A personal cell phone is not a “facility” within the meaning of the Stored Communications Act

Navarro v. Verizon Wireless, L.L.C., 2013 WL 275977 (E.D. La. Jan. 24, 2013)

A federal court in Louisiana recently ruled that a hacking and “sexting” victim could not sue under the Stored Communications Act (SCA).  The plaintiff (Navarro) visited a cell phone store and accepted the offer from a Verizon sales associate to try a new cell phone model for two weeks.  Navarro later returned the trial phone to the store and had a different Verizon sales associate (Stillwell) transfer data from the trial phone back to her phone.  After leaving the store, she received a message on her phone from an unknown number.  The message contained nude photographs of Navarro that she had taken using her phone’s camera.  When Navarro’s mother confronted the manager of the cell phone store, Stillwell admitted that he copied the photos from Navarro’s phone for his own use and accidentally sent them to Navarro from his phone.

Navarro sued Verizon and the cell phone store for violating the SCA, among other theories.  She inadvertently omitted a claim for punitive damages under the SCA, however, and asked the court for permission to add such a claim.  The defendants argued that the claim would be futile because a personal cell phone is not a “facility” under the SCA.  Liability under the SCA requires the unauthorized intentional access of “a facility through which an electronic communication service is provided” to obtain, alter, or prevent “authorized access to a wire or electronic communication while it is in electronic storage in such system.”  18 U.S.C. § 2701(a).

The court agreed with the defendants.  In a Fifth Circuit case, the court concluded that the SCA envisions regulation of network service providers (like Verizon).  A home computer of an end user does not qualify for SCA protection.  Relying on that case, the court ruled that a personal cell phone is not a “facility.”  While a cell phone enables the use of an electronic communication service, it is not itself such a service.  The information stored on a cell phone therefore is not in “electronic storage.”  Navarro suggested that the defendants might have copied her photographs from a “cloud based” storage system run by Verizon, but there was no evidence of that, so the court rejected the theory.  Navarro was denied permission to add a punitive damages claim under the SCA.