A recent US district court ruling against Verizon illustrates how important it is for employers that provide employees with electronic devices for both business and personal purposes to effectively manage employees' privacy expectations and adequately train supervisors.
In Lazette v. Kulmatycki (Case No. 3:12CV2416, 2013 U.S. Dist. LEXIS 81174 (N.D. Ohio June 5, 2013)), the court held that a supervisor lacked authority to use an employer-owned smartphone to access a former employee's personal email, and that the supervisor's access may have violated the Stored Communications Act (SCA). Nevertheless, the court said that Verizon may ultimately be held vicariously liable for the supervisor's actions.
Stuart R. Buttrick, a Partner in the Indianapolis office of Faegre Baker Daniels LLP, has graciously shared his expertise with XpertHR regarding the proactive steps employers can take to prevent the type of workplace privacy violations that are at issue in this case.
A Verizon Wireless employee was given a company-owned smartphone, which she was told she could use for personal email in addition to work-related purposes. The employee used the electronic device to access her personal email messaging account. After her employment with Verizon ended, the employee thought she had deleted the account information from the smartphone before returning it to her supervisor. The employee believed that Verizon would recycle the device for use by another employee.
However, the employee later learned that her former supervisor had not deleted her personal email account from the device and that he had accessed at least 48,000 personal emails over an 18-month period. The supervisor had accessed communications regarding the employee's family, career, financials, health and other personal matters. The supervisor had also disclosed the contents of some of the emails to others, all without the employee's consent or authorization. As soon as the employee became aware of the supervisor's actions, she changed her password to prevent any further unauthorized access.
The employee filed claims against the supervisor and Verizon under the SCA. Verizon and the supervisor filed a motion to dismiss the employee's lawsuit arguing, among other things, that:
The SCA only applies to "high-tech" criminals such as computer hackers;
The supervisor had authority to access the employee's email messages on the Verizon-owned smartphone;
The employee implicitly authorized the supervisor's access because she had not expressly forbidden him to read her emails and failed to delete her personal email account; and
The employee's version of events did not fulfill a number of the SCA's liability requirements, including the requirement that the emails be in electronic storage when the supervisor read them.
The court rejected Verizon's and the supervisor's arguments regarding the SCA's exclusive application to computer hackers. The court reasoned that, while other courts have noted that the purpose of the SCA is "primarily" to ensure recourse against "computer hackers," the term "'primarily' does not mean 'exclusively.'" Instead, the court held that the SCA applies to all "persons or entities in general" and prohibits intentional access of electronic data without authorization or in excess of authorization. Accordingly, Verizon and the supervisor could be liable under the SCA.
In addition, the court concluded that the "mere fact" that the supervisor used an employer-owned device to access the employee's personal emails did not mean he did so with authorization.
The court next rejected the argument that the employee had "implicitly authorized" the supervisor's actions, reasoning that the SCA does not require an employee to expressly prohibit "an unknown and unexpected electronic intruder" from reading personal emails. However, the absence of this directive from an employee may be a consideration if and when the court determines an award of damages at a later stage in the lawsuit.
The court also rejected the idea that because the employee failed to actually delete her personal account she may have "left her email door open for [the supervisor] to enter and roam around for as long and as much as he desired." The court reiterated that while consent under the SCA need not be explicit and can be implied, negligence is not the same as approval, "much less authorization." Moreover, even if the employee had been aware that her emails might be monitored, any such implied consent would not be unlimited. "Random monitoring is one thing; reading everything is another," the court emphasized.
Regarding Verizon's and the supervisor's arguments about the SCA's specific liability provisions, the court said that the SCA incorporates a definition of "electronic storage" that other courts have interpreted as including only those email messages that have yet to be opened by the intended recipient. Therefore, the court concluded that Verizon and the supervisor could only be held liable for the messages the supervisor read that had not already been opened. However, the court noted that if the employee can prove that the supervisor read already-opened messages that were highly personal and private, the supervisor could be liable for the common law claims of invasion of privacy or intrusion into seclusion.
Last, the court held that Verizon could be held vicariously liable for the supervisor's actions because, when the supervisor accessed the employee's emails without authorization, he was acting within the scope of his employment and in furtherance of Verizon's interests.
Preventing Privacy Violations
According to Stuart R. Buttrick, this case presents a "good cautionary tale for employers. It reminds employers to put employees on notice that the employer and members of management could conceivably access anything on a company-provided electronic device at any time."
Therefore, Mr. Buttrick says an employer's best practice is to put a policy in place that specifically states employees should have no expectation of privacy as to information on employer-provided electronic devices. In addition, employers should "have employees sign a consent" allowing the employer to access information on such equipment at any time.
Mr. Buttrick further advises employers to include in the policy that employer-provided devices and equipment are for business use only. "Some employers also block employees' access to personal email and social media accounts on company-provided electronic devices and equipment."
Lastly, Mr. Buttrick urges employers to "train managers and others that have the ability to access employees' electronic devices" because, in some circumstances, the employer can be liable for the supervisors' unauthorized or inappropriate use or behavior.