Protecting Employee E-mail Accounts

By Brian J. Pulito, Meadville, PA

 

This article addresses the emerging tide of federal litigation by employees against their employers, occasioned when an employer reviews his employee’s e-mail without authorization. These lawsuits have been filed pursuant to the Stored Communications Act (SCA).[1] The recent wave of litigation filed under the SCA demonstrates a continued need for plaintiff attorneys with knowledge and expertise in the intricacies of the Act.

It is hard to imagine life in a modern business office without computers. It is equally hard to imagine life in a business office without e-mail. For most modern employees, e-mail is a necessary tool for many aspects of their job. It is not uncommon for an employee to use multiple e-mail accounts while at work. Invariably, one of those accounts is provided by his employer.

Typically, the e-mail servers over which work accounts operate are owned and administered by the employer. Such servers are usually located in the same office building as the employee. At other times, the employer will purchase work related e-mail accounts for their employees through a third-party provider, e.g., Gmail, 1-800-Hosting, etc.

In addition to work e-mail accounts, most employees will also own a personal e-mail account. The e-mail servers over which offsite work e-mail accounts and personal e-mail accounts operate are owned and administered by either an internet service provider, such as AOL, or through a Web-based e-mail company, such as Hotmail or Gmail.

In 1968 Congress passed the Omnibus Crime Control and Safe Street Acts of 1968. Title III of that Act, which is commonly known as the Wiretap Act, provides civil and criminal penalties for the illegal interception of wire and oral communication.

In the late seventies through the mid-eighties, the world experienced a proliferation of new electronic technologies that fundamentally changed electronic communications from what existed in 1968. Congress was unclear which of the new communication forms were covered by the Wiretap Act. Additionally, there was substantial concern that many evolving electronic communication formats, while in electronic storage, were vulnerable to government intrusion as well as trespass from computer hackers.

These concerns led to the passage of the Electronic Communication Privacy Act of 1986 (ECPA). The purpose of the Act was to “update and [to clarify] Federal privacy protections and standards in light of dramatic changes in new computer and telecommunications technologies.”[2]

The Act was divided into three titles. Title I amended Title III of the Wiretap Act. Title II added a new chapter to Title 18 of the United States Code which prohibits the unauthorized access to or disclosure of wire or electronic communications held in electronic storage.[3]

Titles I and II to the ECPA are commonly referred to as the Amended Wiretap Act, and the Stored Communication Act (SCA), respectively. The Amended Wiretap Act[4] and the SCA provide criminal and civil penalties if they are violated.[5] The SCA and the Amended Wiretap Act also provide a comprehensive procedural scheme though which law enforcement agencies may lawfully obtain stored electronic communication and intercept wire or electronic communication.[6]

A complete discussion on employer liability under both the Amended Wiretap Act and the SCA is a subject for a lengthier article. The focus of this article is employer liability for the unauthorized review of employee e-mails under the SCA.[7] This article will discuss that topic in three parts: (1) an examination of Section 2701 of the SCA; (2) employer liability for review of an employee’s work e-mail account; and (3) employer liability for review of an employee’s personal e-mail account.

 

Section 2701 of the SCA

Under § 2701(a) of the SCA, a person is civilly and criminally liable if he or she:

 

(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or

(2) intentionally exceeds an authorization to access [a facility through which an electronic communication service is provided];

 

and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.[8]

 

            The phrase “Electronic Communication” is defined as the “transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce.”

The SCA defines “electronic storage” as:

 

(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and

 

(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.[9]

 

A system that sends or receives e-mail is considered an electronic communication service because it “provides to users…the ability to send or receive wire or electronic communications.”[10]

There are two notable exceptions to liability under Section 2701(a). The first is the “provider exception,” which removes from the coverage of Section 2701(a): “a person or entity [who provides] a wire or electronic communications service.” The second exception covers a person or entity that is “a user of [an electronic communication service] with respect to a communication of or intended for that user.” The SCA provides a private right of action for its violation.[11] It also permits the collection of attorney fees, punitive damages, and actual damages of not less then $1,000.[12]

 

Employer Liability for Review of an Employee’s Work E-mail Account

Generally, an employer is not liable under Section 2701(a) if she reviews an employee’s work e-mail account. The courts have held that the provider exception applies to such accounts.[13] The most notable case to have addressed the provider’s exception is Fraser v. Nationwide Mutual Insurance Co. In Fraser, Nationwide Insurance operated and maintained an electronic file server for e-mail communication. Fraser signed an Agent’s Agreement with Nationwide; that agreement required Fraser to sell only Nationwide Insurance policies. The Agent’s Agreement could be terminated at will by either Fraser or Nationwide with advance notice.

While still subject to the Agent’s Agreement, Fraser complained to Nationwide’s Office of Ethics, the Pennsylvania Insurance Department, and the Pennsylvania Legislature, about certain business practices of Nationwide that he believed were illegal. Subsequent to lodging these complaints, Fraser was asked by a group of fellow Nationwide Insurance agents to draft a letter to competitors of Nationwide to solicit their interest in acquiring the Nationwide policyholders who signed policies with Fraser and the other Nationwide Insurance agents. Fraser drafted and circulated the requested letter.

An executive of Nationwide learned of Fraser’s letter. Initially, the Nationwide executive did not know whether the letter had been mailed. To determine if it had, the executive searched the Nationwide e-mail server for any e-mail from or to Fraser concerning the letter. Nationwide discovered an e-mail, which indicated the letter had been mailed to at least one competitor. Nationwide canceled Fraser’s Agent’s Agreement.

Fraser sued Nationwide for, inter alia, violating Section 2701(a) of the SCA. Nationwide moved for summary judgment, which the court granted. The court ruled that the SCA did not apply to e-mail which has already been read by its recipient, because such e-mail is not in “electronic storage.”[14] The court further explained that e-mail can exist in three phases: (1) intermediate storage; (2) back-up protection storage; and (3) post-transmission storage.[15] The first two e-mail phases occur while the e-mail is en route to its recipient. The system which creates the e-mail saves one copy of that e-mail in “intermediate storage” and another copy in a separate location in “backup storage.” The court reasoned that saving two copies of the same e-mail in two separate locations ensures that if the e-mail system crashes, the e-mail is not lost. The court then reasoned that once the e-mail is read, it passes into the third and final phase: post-transmission.[16]

The court held that an e-mail in the post-transmission phase is not in “electronic storage.”  The court concluded that an e-mail is in electronic storage if it falls within part A or B of the definition of electronic storage. Under part A the e-mail has to be in: “temporary, intermediate storage…incidental [to its] transmission.” Under part B the e-mail has to be “[in] storage…for [the] purposes of backup protection.” The court held that e-mail in the intermediate storage phase falls within part A, while e-mail in the backup phase falls within part B. Without further explanation, the court held that e-mail in the post-transmission phase is not in backup protection under part B.

Although the Third Circuit upheld the District Court’s holding, it rejected the District Court’s conclusion that e-mail in the post-transmission phase is not in electronic storage. On appeal, the Third Circuit held that Nationwide’s review of Fraser’s e-mail did not violate the SCA because Nationwide owned and administered the e-mail server.[17] Therefore, Nationwide fit within the provider’s exception to SCA.[18] Other courts have followed the same reasoning.[19]

The provider exception has been applied to other mediums of electronic communication.[20] From the reasoning of the Third Circuit and other courts, the provider exception applies if the employer owned, operated, or administered the system which provided its employees the ability to send or to receive electronic communication.[21] Therefore, the employer is not liable if he reviews an employee’s work e-mail accounts.

What is less clear is whether the provider exception applies to offsite work e-mail accounts. The employer owns and pays for these accounts which provide the employees with the ability to send or receive e-mails. However, the server where the e-mail is stored is owned and administered by a third-party, not the employer. Although there are no reported cases that reach this issue, it is logical to conclude that the provider exception covers an employer in such cases; the employer’s purchase of the account provides employees with an electronic communication service.

 

Employee Personal E-mail Accounts

            Unlike work e-mail accounts, an employer is liable if she accesses an employee’s personal e-mail account without authorization.[22] The seminal case on this issue is the 2002 decision by the Federal District Court for the Western District of Wisconsin in Fischer v. Mt. Olive Lutheran Church, Inc.[23]

The plaintiff in Fischer was the Minister of Youth and Children Ministries for the defendant, Mt. Olive Lutheran Church, Inc. The plaintiff opened an e-mail account with Hotmail, a free web-based e-mail provider. The plaintiff used his work computer to access his Hotmail account. The defendant hired a computer expert to examine the plaintiff’s work computer, after two of its employees overheard what they claimed to be an obscene telephone call. The expert gained access to the Hotmail account by correctly guessing the plaintiff’s password.[24] Several of the plaintiff’s e-mails were then printed from the Hotmail account and delivered to the employer. At some point after the Hotmail account was accessed, the plaintiff was unable to gain access to that account. It is not clear from the case whether the defendant disabled the plaintiff’s password on his Hotmail account.

The plaintiff sued his employer for, inter alia, violating § 2701 of the SCA. The employer moved for summary judgment on the SCA claim. It argued that the SCA did not apply to the e-mail on the plaintiff’s account because it was not in electronic storage. Citing Fraser, the employer argued that the SCA claim failed because the e-mails had already been opened and read.

The court rejected the employer’s argument and distinguished Fraser. The court reasoned that in Fraser the employee’s e-mails were stored on the employer’s e-mail server, while the e-mail obtained in Fischer were stored on Hotmail’s remote server.

The court further noted that to violate § 2701 a person must: (1) illegally access e-mails in electronic storage on an e-mail server which that person does not own; and (2) obtain, alter, or prevent access to those e-mails. In Fischer, the court refused to grant summary judgment on the SCA claim, because it found there still was a factual issue in dispute, i.e., whether the employer had printed and thus obtained e-mails in electronic storage.

Fischer stands for the proposition that employers are liable if they access the personal e-mail account of employees without their authorization. Furthermore, Fischer demonstrates that employers are liable for accessing employees’ personal e-mail accounts, even if that personal e-mail accounts are accessed from an employer-provided work computer.

Section 2701 of the SCA prohibits “unauthorized” access to stored communications. Therefore, conduct which is authorized can never be a violation of the SCA. An employer could defend a § 2701(a) claim on the grounds that he had the employee’s authorization to accesses his or her account. If that authorization is direct, i.e., the employee has granted the employer the right to review his or her personal e-mail account, there is little doubt that an employer is not liable for reviewing that account.

What is less clear is whether an authorized user of an e-mail account to which access is available to two or more authorized users, can authorize a third person to access that e-mail account. One could imagine a situation where an employer requests authorization from an account holder of a multi-user e-mail account to review the e-mail of another person authorized to use that account. If the employer did not also obtain authorization from such other user, is reviewing that account a violation of the SCA? A ruling from the Ninth Circuit Court of Appeals in Konop v. Hawaiian Airlines, Inc., suggests that an employer would not violate Section 2701(a) in such a case.[25]

Konop did not involve e-mail. Rather, the issue in that case was whether an employer was liable under the SCA when one of its executives gained unauthorized access to a Web site owned by one of its employees. The defendant was Hawaiian Airlines, Inc., and the plaintiff was one its pilots. The plaintiff maintained a Web site where he posted bulletins critical of the Defendant and his Union. The Web site restricted its access to pilots of the Defendant.

An executive of the defendant approached two pilots who were authorized to access the Web site and asked each for permission to use their names so he could gain access to that site. The pilots agreed. There was no evidence in the record to indicate whether the pilots had ever used the Web site in the past. When the pilot discovered the executive’s conduct, he filed suit, alleging, inter alia, that the airline’s actions violated § 2701(a) of the SCA.

The airline moved for summary judgment asserting that the SCA did not apply because its executive was a “user” of the plaintiff’s Web site. He was therefore excepted under § 2701(c)(2). The airline argued that because the two pilots who consented to the airline executive’s use of their names were authorized to access the Web site, their consent was sufficient to authorize lawful access to the Web site. The district court agreed with the airline and granted summary judgment in its favor.

The Ninth Circuit reversed the district court, holding that the executive was not covered by the “user” exception when the two pilots authorized him to access the Web site. However, the court also concluded that if the two pilots had actually used the Web site before they authorized the executive to use their names, then that authorization would have made the defendant’s executive an authorized “user.” The court reached this conclusion from other sections of the SCA and the Amended Wiretap Act which permit a user to authorize a third-party to access electronic or wire communication. From those sections, the court concluded that § 2701(c)(2) also allowed a “user” to authorize a third-party to access stored electronic communication. However, the Court held that because the definition of user covers “any person or entity who uses [an] electronic communication service” the pilots needed to have actually used the Web site before their authorization could become effective. Because there was no evidence in the record that the consenting pilots actually used the site, the court remanded the case.

While Konop did not deal with an employer’s review of an employee’s e-mail, its reasoning would likely extend to cover such a case. The privacy of employees in their personal e-mail accounts may be in jeopardy if the Ninth and other Circuits extend the reasoning of Konop to apply to e-mail accounts.

There is little risk to personal e-mail accounts after Konop. Because of the availability of free e-mail accounts today, few people actually share an e-mail account. However, Konop is most troubling in what it failed to discuss: Who are users with authorization to consent to a third-party’s review of stored electronic communication? It is not hard to imagine the situation where an e-mail account only lists one person on the account, but others are permitted to access that account to send and receive messages, i.e., husband and wife, parent and child, friends, etc. Has the named account holder converted his or her e-mail account into a multi-user account?

If the answer is yes, does it then follow from the reasoning of the Court in Konop that a person who uses that e-mail account, but is not the named account owner, has the authority to consent to the review of that e-mail account by the employer of the named account holder? Some employers might argue that such a result is not unreasonable. They may argue that an employee who shares his e-mail account with another has no expectation of privacy in that account. If that employee has through his or her actions expressly or impliedly consented to the use of that account by another, it may be reasonable to expect that the second user may authorize another to access and review that account. As of the writing of this article, no court has addressed this issue. To ensure the protection of the SCA in their private e-mail account, an employee should never permit another the right to send or receive e-mail from his or her private e-mail account.

The Ninth Circuit did provide some limited guidance to the potential reach of its Konop decision. It cited § 2702(b)(1) of the SCA and  § 2511(2)(c) and (d) of the Amended Wiretap Act in a footnote in which it reasoned that other sections of the SCA and the Amended Wiretap Act authorize a user to consent to a third-party’s review of stored electronic communication. Section 2702(b)(1) permits an e-mail provider, such as Hotmail, the right to divulge the contents of stored communication to either the addressee of that communication or its intended recipient. Sections 2511(2)(c) and (d) allow one party to a wire communication to authorize a third-party to intercept the communication.

However, the court’s recitation of these sections is not very helpful. Section 2702 of the SCA covers the disclosure of stored communication and not the unlawful access of such communication. Furthermore, the Amended Wiretap Act covers the unlawful interception of electronic and wire communication and does not extend to access of such communication while in storage. Konop never had to reach the issue of who is an authorized user because it was undisputed from the record that the pilots were persons authorized to access the Web site.   

 

Conclusion

The SCA offers employees real protection against employer intrusion into the privacy of their personal e-mail accounts. With the continued proliferation of the internet and electronic technology the number of lawsuits filed under the SCA will likely grow. Plaintiff attorneys should familiarize themselves with the SCA.