A recent Ohio federal court decision serves as a reminder that companies need to review their Bring Your Own Devices (BYOD) policies to ensure that employees are adequately informed about the communications that corporate employers can monitor during and after employment.
In Lazette v. Kulmatycki, the U.S. District Court for the Northern District of Ohio ruled that a former employer may violate the Stored Communications Act (SCA) by accessing electronic information through a company-issued smartphone after an employee has left the company. In this case, a former employee alleged that her former supervisor continued to read 48,000 personal e-mails on her company-issued BlackBerry for 18 months after she had turned in the device.
The employee was told that she could use the device for work as well as personal matters. Before she turned in the phone, she deleted her work e-mails, but inadvertently left her personal e-mail account accessible. Her former supervisor continued to read opened and unopened mail until she changed her password.
A violation of the SCA occurs when someone "(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains… access to a wire or electronic communication while it is in electronic storage in such system[.]" The court rejected the defendants' argument that the SCA's congressional intent is to reach computer hackers only. It found that the Act's purpose is generally to "prohibit persons and entities from intentionally accessing electronic data without authorization or in excess of authorization."
The court highlighted that the employee "neither knew nor approved" of her supervisor accessing her personal e-mails. And even if the employee inadvertently left her personal e-mail account accessible, such actions would not establish "implied consent," as the employee was unaware of the possibility that others might access her future e-mails from the account.
The court was careful to distinguish between the employee's e-mail account—which was a "facility" under the SCA—and her computer or BlackBerry, which were not a facility. This ruling is consistent with the Fifth Circuit's recent ruling in Garcia v. City of Laredo.
The court also found that protection under the SCA only extended to personal e-mails that the employee had not opened. E-mails that had been opened and not deleted did not constitute "electronic storage" because they were not being kept "for the purposes of backup protection." As a result, the supervisor's reading of the previously opened e-mails may not violate the SCA. This finding highlights a current split among the U.S. Courts of Appeals, some of which, including the Ninth Circuit, have held that opened e-mails are protected under the SCA.
The Lazette case is a timely reminder to corporate employers with dual-use policies that employers do not necessarily have unfettered rights to all communications that exist, or may be accessed, through a company-provided device or computer. To the contrary, access to accounts protected under the SCA requires explicit employee consent.
The webinar "Avoiding the Pitfalls of 'Bring Your Own Device' Policies," presented on June 12, 2013, may be of interest. Slides and a recording of the webinar are available for your reference.