Ohio Federal Court Addresses Privacy Rights around Employee Smartphones


A recent Ohio federal court decision serves as a reminder that companies need to review their Bring Your Own Devices (BYOD) policies to ensure that employees are adequately informed about the communications that corporate employers can monitor during and after employment.

In Lazette v. Kulmatycki, the U.S. District Court for the Northern District of Ohio ruled that a former employer may violate the Stored Communications Act (SCA) by accessing electronic information through a company-issued smartphone after an employee has left the company. In this case, a former employee alleged that her former supervisor continued to read 48,000 personal e-mails on her company-issued BlackBerry for 18 months after she had turned in the device.

The employee was told that she could use the device for work as well as personal matters. Before she turned in the phone, she deleted her work e-mails, but inadvertently left her personal e-mail account accessible. Her former supervisor continued to read opened and unopened mail until she changed her password.

A violation of the SCA occurs when someone "(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains… access to a wire or electronic communication while it is in electronic storage in such system[.]" The court rejected the defendants' argument that the SCA's congressional intent is to reach computer hackers only. It found that the Act's purpose is generally to "prohibit persons and entities from intentionally accessing electronic data without authorization or in excess of authorization."

The court highlighted that the employee "neither knew nor approved" of her supervisor accessing her personal e-mails. And even if the employee inadvertently left her personal e-mail account accessible, such actions would not establish "implied consent," as the employee was unaware of the possibility that others might access her future e-mails from the account.

The court was careful to distinguish between the employee's e-mail account—which was a "facility" under the SCA—and her computer or BlackBerry, which were not a facility. This ruling is consistent with the Fifth Circuit's recent ruling in Garcia v. City of Laredo.

The court also found that protection under the SCA only extended to personal e-mails that the employee had not opened. E-mails that had been opened and not deleted did not constitute "electronic storage" because they were not being kept "for the purposes of backup protection." As a result, the supervisor's reading of the previously opened e-mails may not violate the SCA. This finding highlights a current split among the U.S. Courts of Appeals, some of which, including the Ninth Circuit, have held that opened e-mails are protected under the SCA.

The Lazette case is a timely reminder to corporate employers with dual-use policies that employers do not necessarily have unfettered rights to all communications that exist, or may be accessed, through a company-provided device or computer. To the contrary, access to accounts protected under the SCA requires explicit employee consent.

The webinar "Avoiding the Pitfalls of 'Bring Your Own Device' Policies," presented on June 12, 2013, may be of interest. Slides and a recording of the webinar are available for your reference.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising

Written by:


Ballard Spahr LLP on:

Popular Topics
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.