On June 5, a U.S. District Court for the Northern District of Ohio, in Lazette v. Kulmatycki,1 held that a supervisor, using a company-owned BlackBerry mobile device to access a former employee’s personal e-mail, was not authorized by the mere fact that the device belonged to the employer. Such access, the court found, may violate the Stored Communications Act (SCA).2 This ruling, denying in part the defendants’ motion to dismiss, could affect employer-employee privacy expectations when employees use company-owned devices for personal e-mail or storage under “bring your own device” (BYOD) policies.
In Lazette, the plaintiff, a former Verizon employee, claimed that her then-supervisor read more than 48,000 of her personal e-mail messages using the company-issued BlackBerry she returned when she left the company. The plaintiff asserted that Verizon provided the device for her use and was told that she could use the device for personal e-mail. During her employment, the plaintiff used the device to access her Google Mail (Gmail) messaging account and believed she deleted the account information from the device when she returned it to her employer.
She later learned that her supervisor had not deleted her personal e-mail account information but instead had been accessing the account for a period of 18 months. In addition, she alleged that he had disclosed to others the contents of her e-mails. Upon learning of this unauthorized access, the plaintiff changed her e-mail password but not before her former supervisor had accessed the tens of thousands of personal e-mail messages found there.
After the plaintiff brought her action against Verizon and her former supervisor, defendants filed a motion to dismiss, asserting, among other things, that:
relief under the SCA is not available because the SCA is intended only for “high-tech” criminals and “computer hackers”
the supervisor had authority to access the plaintiff’s e-mail messages, and
Verizon is exempt from the SCA, because the complaint did not make clear that the plaintiff’s personal e-mail account was separate from her company account.
The court first held that the SCA applies to all defendants, observing that the SCA was not meant to apply only to “computer hackers,” but to all “persons or entities in general” who “access electronic data without authorization or in excess of authorization.” While other courts have stated that the “general purpose” of the SCA was to create a cause of action against “computer hackers (e.g., electronic trespassers),” the Lazette court stated that hackers are not the only subjects of the statute, and the defendants’ conduct fell within the SCA’s scope.
The court then ruled that the employer and supervisor did not have the authority to read the plaintiff’s personal e-mail. The court rejected the defendants’ arguments that the supervisor’s access was authorized because he was using a company-owned device, that he did not use a “facility” under the statute, and that the plaintiff authorized his access because she had not expressly told him not to – in effect, that the plaintiff implicitly consented to his access by not fully deleting her Gmail account information before returning the BlackBerry. The court held that the mere fact that the plaintiff used a company-owned device to access her personal e-mail account did not grant automatic access to her employer. Further, Verizon was held to be vicariously liable for the supervisor’s actions in this case.
The SCA incorporates a definition of “electronic storage” that courts have interpreted as including only those e-mail messages that have yet to be opened by the intended recipient. Accordingly, the Lazette court ruled that the defendants could only be held liable for those messages the supervisor read that the plaintiff had not already opened. The court noted, however, the possibility of liability for opened messages under the plaintiff’s privacy tort claims.
Even though this case concerns the unauthorized access of an ex-employee’s personal e-mail account by the former employer, all employers should pay careful attention to this case as it progresses. Meantime, companies should consider taking a few steps to limit risk of liability. First, if your company has a BYOD policy, the language of this policy should be reviewed to ensure that employees are given clear notice through—as the Lazette court described them—“precise terms” in the company’s privacy policies. Second, employers should use caution when accessing employees’ personal data or e-mail, even when using company-owned devices. Finally, it is important that employers obtain from employees informed consent to employer access before issuing company-owned devices that can be used for personal e-mail communications and storage.
1 Case No. 3:12CV2416, 2013 U.S. Dist. LEXIS 81174 (N.D. Ohio June 5, 2013).
2 18 U.S.C. § 2701 et. seq.