Close
Updated:

Under SCA, Cloud-Based Emails Remain in “Electronic Storage” Even After They’ve Been Read

The Stored Communications Act (“SCA”) establishes a criminal offense for whoever “intentionally accesses without authorization a facility through which an electronic communication service is provided” or “intentionally exceeds an authorization to access that facility,” and by doing so “obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.” 18 U.S.C. § 2701(a). The SCA also creates a civil cause of action, in which the plaintiff may obtain damages plus reasonable attorneys’ fees and other costs. 18 U.S.C. § 2707(b).

Federal district courts around the country have reached inconsistent conclusions when grappling with the issue of whether a particular communication is in “electronic storage” at the time it is accessed. The SCA defines electronic storage as “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.” 18 U.S.C. § 2510(17). Some courts have interpreted subsection (A) as applying only to “unopened” communications, reasoning that the “temporary, intermediate” language contemplates the interception of a communication before it reaches its intended recipient. Others, like Hoofnagle v. Smyth-Wythe Airport Comm’n, No. 1:15CV00008 (W.D. Va. May 24, 2016), found no reason to draw a distinction between “opened” and “unopened” communications for purposes of evaluating SCA liability. Similar disagreement exists with respect to subsection (B), where courts reached different conclusions about the relevance of whether it is the Internet Service Provider or user for whose benefit a backup copy of an email is made. Earlier this month, the Fourth Circuit weighed in on both issues for the first time.

Here’s what happened in Hately v. Watts, according to the opinion. Hately was a student at Blue Ridge Community College, where he was assigned an email address, hosted by Google, that he continued to use after graduation. From 2011 to 2015, Hately was romantically involved with Nicole Torrenzano, with whom he shared his login and password information for this email account. The two broke up after Hately learned that Nicole was also involved with Dr. David Watts, but Hately did not change his email password. A few months later, Nicole told Dr. Watts that Hately was having an affair with Dr. Watts’ wife, and that he was welcome to poke around in Hately’s Blue Ridge College email account (using the password Hately had previously given her) to see the incriminating emails for himself. So he did, but claimed he only viewed emails that had already been opened.

Hately sued both Nicole and Dr. Watts on a number of legal theories, including violation of: (1) the Computer Fraud and Abuse Act (18 U.S.C. § 1030); (2) the Stored Communications Act (18 U.S.C. § 2701 et seq.); and (3) the Virginia Computer Crimes Act (Va. Code § 18.2-152.1 et seq.). The case has a fairly complicated procedural history that I’m not going to get into. Suffice it to say, the district court dismissed the CFAA and computer-crimes claims, and entered summary judgment in favor of Dr. Watts on the SCA claim. The two key issues on appeal were whether the district court correctly dismissed the computer-crimes claim and whether it correctly entered summary judgment on the SCA claim. The Fourth Circuit held that the district court was wrong on both counts.

The district court had dismissed the computer-crimes claim on two grounds: first, collateral estoppel, in that the court had ruled in an earlier related case that Hately had failed to allege damages sufficiently; and second, because he failed to plausibly allege injury to person or property as required by the Virginia Computer Crimes Act. It was error to apply collateral estoppel, said the Fourth Circuit, because it was unclear from the prior ruling whether the dismissal was because the categories of damages alleged in the first complaint were not actionable as a matter of law, or because the plaintiff had failed to plead them with sufficient specificity. Moreover, Hately had alleged injury sufficient to satisfy the statute, so that count should not have been dismissed.

The Virginia Computer Crimes Act provides that “any person whose property or person is injured” by an act that violates the statute can bring a civil action for damages. (See Va. Code § 18.2-152.12(A)). Hately had alleged various forms of consequential damages, which the court found sufficient to state a claim. He alleged, for example, that he had to make several calls to Blue Ridge technical support; that he reviewed hundreds or thousands of emails to locate emails that had been deleted without his having seen them; and that he invested time and money to “track and prevent” future unauthorized access. The court held it was premature to place a value on those alleged losses, but that the allegations were sufficient to survive a 12(b)(6) motion to dismiss.

So then the court proceeded to address the SCA claim, which had resulted in summary judgment in Watts’ favor due to the trial court’s finding that “previously opened and delivered emails” stored in a web-based email client were not in “electronic storage” within the meaning of the SCA.

The Fourth Circuit began its analysis by digging into the legislative history, noting that the SCA was motivated in large part by privacy concerns raised by the widespread use of email systems that stored emails in the cloud. The legislative history also confirmed what most courts seem to agree on regarding electronic storage; namely, that there are two distinct types: (1) storage incidental to transmission, and (2) backup storage.

With respect to the first type, the court agreed with those district courts finding that once an email has been read by the recipient, it is no longer in “temporary, intermediate” storage. Thus, subsection (A) of 18 U.S.C. § 2510(17) only applies to emails in the middle of a transmission. Once they are read, the transmission has been completed and the storage is no longer temporary in nature. That brings us to part (B).

Even if an email has already been read, it will be deemed in “electronic storage” under the SCA if it is being stored by an electronic communication service “for purposes of backup protection.” The court found that if a person reads an email and decides not to delete it but allow it to remain on the ISP’s server, the email is being “stored” by definition. On the question of whether that storage is for purposes of backup protection, the court held that a backup is simply a copy of computer data, and that it didn’t really matter whether a duplicate copy of the email existed.

ISP’s like Google typically store emails on multiple servers as a matter of routine practice. Every email gets duplicated numerous times and stored in various locations. More copies are made when a user reads an email on a personal device. All of these copies benefit both the ISP and the user. The court held that it ultimately doesn’t really matter for whose purposes a backup is made. Electronic communication services like Google make numerous copies of every email message transmitted through their systems for the purpose of providing backup protection to their users.

The court rejected the argument that the existence of a “backup” file presupposes the existence of an “original.” When dealing with email, what’s an original, anyway? Wouldn’t that be the message as typed by the sender? That “original” would typically be copied many times along its electronic journey to the recipient’s email-reading client. In other words, every email that has been transmitted to someone is essentially a copy.

The opinion gets very technical, so give it a read if you want to learn more about how email works. But the holding is pretty simple: previously delivered and opened emails stored by an electronic communication service are stored for “purposes of backup protection” and are therefore in “electronic storage” within the meaning of the SCA, provided all other requirements are met.

 

Contact Us