Unauthorized access to another’s email account can give rise to a variety of claims. The Computer Fraud and Abuse Act (“CFAA”), for example, prohibits a wide variety of improper computer activity, including unauthorized access to another’s email account. Specifically, it makes it illegal to intentionally access a computer without authorization and to thereby obtain information which results in a loss worth at least $5000 over the course of a year. (See 18 U.S.C. § 1030(a)(2)(C)). In Virginia, the Computer Crimes Act prohibits “computer fraud,” which occurs when a person uses a computer without authority and thereby obtains property or services by false pretenses. It also makes it a crime to commit “computer invasion of privacy,” which occurs when a person, without permission, logs onto someone else’s computer and examines that person’s employment, salary, credit, or any other financial information.
To obtain relief under the Virginia Computer Crimes Act, a plaintiff must have suffered injury to person or property. (See Va. Code § 18.2-152.12). And as mentioned above, you need at least $5000 in damages to recover anything under the CFAA. But what if someone hacks into your email and reads your personal messages without actually causing any direct pecuniary loss or personal injury?
Enter the Stored Communications Act (“SCA”), another federal law that criminalizes unauthorized access to email. It applies when someone “intentionally accesses without authorization a facility through which an electronic communication service is provided” or “intentionally exceeds an authorization to access that facility”; and thereby “obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.” (See 18 U.S.C. § 2701(a)). Stated a little more simply, there are basically three elements a plaintiff needs to prove to recover under the SCA:
- that without authorization, the defendant accessed a system through which an electronic communication service is provided (or that the defendant accessed such a system with authority, but exceeded the scope of that authority);
- that the defendant obtained (or altered, or prevented access to) a wire or electronic communication while it was in electronic storage in such system; and
- that the defendant acted intentionally.
The SCA has a distinct advantage for plaintiffs who haven’t really suffered identifiable harm as a result of the hacking or unauthorized access: actual damages are not necessarily required in order to bring a claim. If the unauthorized access was willful or intentional, a successful plaintiff can recover punitive damages even if no actual losses were sustained. Attorneys’ fees may also be awarded.
The damages provision of the SCA provides:
The court may assess as damages in a civil action under this section the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000. If the violation is willful or intentional, the court may assess punitive damages. In the case of a successful action to enforce liability under this section, the court may assess the costs of the action, together with reasonable attorney fees determined by the court.
(See 18 U.S.C. § 2707(c)).
Courts have held that while actual damages are a prerequisite to obtaining the $1000 minimum in statutory damages, the right to punitive damages arises independently and does not require a showing of actual damages. (See, e.g., Hately v. Torrenzano (E.D. Va. May 23, 2017) (holding that “proof of actual damages is not required before an award of either punitive damages or attorney’s fees”). Thus, if an SCA violation is “willful or intentional,” courts may assess punitive damages and award attorney’s fees, even in the absence of any out-of-pocket loss caused by the infraction.