The Stored Communications Act (“SCA”), found at 18 U.S.C. §§ 2701-2712, establishes both a criminal offense and a civil cause of action against anyone who “intentionally accesses without authorization a facility through which an electronic communication service is provided” or “intentionally exceeds an authorization to access that facility,” and by doing so “obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.” Successful plaintiffs may obtain damages, equitable or declaratory relief, and reasonable attorney’s fees. (See 18 U.S.C. § 2707(b)). In the employment context, the SCA is often understood to place restrictions on those situations in which an employer can access its employees’ private email accounts (i.e., accounts maintained by third-party email service providers like Google, Microsoft, and Yahoo). A few weeks ago, the Western District of Virginia decided Hoofnagle v. Smyth-Wythe Airport Commission, in which it rejected various justifications offered by an employer for accessing a former employee’s private Yahoo! email account.
Charles H. Hoofnagle was a government employee who worked as the Operations Manager for Mountain Empire Airport in Rural Retreat, Virginia. He reported to the Smyth-Wythe Airport Commission and his duties included answering phone calls and responding to emails from the public and customers. The Commission, however, did not have in place an official policy regarding use of computers or email. The airport did not even provide employees with an email address, so Hoofnagle created a Yahoo! Mail address, firstname.lastname@example.org, which he used for both personal and business purposes. (MKJ is the airport’s FAA idendifier code). It was this Yahoo! address that was held out to the public as an official contact for the airport and provided to nearly all vendors and customers.
A big proponent of Second Amendment rights, Hoofnagle had corresponded with United States Senator Tim Kaine on the issue of gun violence in America. In 2013, Hoofnagle sent an email to Senator Kaine, using his email@example.com address, and signed it “Charles H. Hoofnagle. Airport Operations Manager Mt. Empire Airport in south west Va. 276-685-1122”. The Commission terminated his employment and proceeded to go through his Yahoo! emails, purportedly to retrieve business-related emails. They accessed the account using a password provided by the airport secretary, who claimed Hoofnagle had provided it to her. Hoofnagle sued, claiming (among other things) that the Commission violated his rights under the SCA.
The defendants moved for summary judgment on several grounds, all of which were rejected by the court.
First, the defendants argued that the SCA did not apply because the Commission did not access emails that were “stored” as that term is defined in 18 U.S.C. § 2510 (17). Some courts have apparently held that email messages remaining on an internet service provider’s server after they have been read (as opposed to email stored on a personal computer’s hard drive) do not fall within the SCA’s definition of “electronic storage.” Judge Jones, however, wasn’t buying it. “I do not think it makes any difference whether an email stored on an internet service provider’s server has been opened or not. Internet service providers store all email, whether opened, read, sent, or even deleted,” the court reasoned.
Next, the defendants argued that even if the SCA applied, their conduct fell within an exception under subsection (c) of the SCA. The SCA exempts a party from liability if the conduct at issue was authorized “(1) by the person or entity providing a wire or electronic communications service; (2) by a user of that service with respect to a communication of or intended for that user; or (3) [as provided] in section 2703, 2704 or 2518 of this title.” (See 18 U.S.C. § 2701(c)). The defendants argued that the Commission was the electronic communications provider because the airport provided a company computer for Hoofnagle, which he used to access the Yahoo! account during work hours. The court responded that there is a difference between emails stored on an employer’s own computers and emails stored on accounts maintained by a third party electronic communication service provider like Yahoo!. No exception applied because the Commission accessed the emails by logging directly into the Yahoo! account where they were stored and viewing them directly from Yahoo!’s system. There was no evidence that emails from the Yahoo! account were ever downloaded or stored on the airport’s computers.
The court also rejected the argument that the Commission fell within the exception under (c)(2) for “users” of the Yahoo! account. While true that communications sent to firstname.lastname@example.org concerning airport business may have been intended for the Commission, Hoofnagle was clearly the person duly authorized by Yahoo! to use and access the account, not the airport or the Commission. It did not matter that that Commission used an airport computer to access the emails.
Even if the defendants’ conduct did not fall within an exception to the SCA, the defendants continued, there was no violation because Hoofnagle authorized the Commission and airport staff to access his Yahoo! account, and because Hoofnagle did not have a reasonable expectation of privacy in this email account. On these issues, the court found that issues of fact precluded summary judgment. It noted that even if Hoofnagle had given some authority to access his private email account, liability may arise under the SCA if the defendant “intentionally exceeds an authorization to access a facility through which an electronic communication service is provided, thereby altering or preventing authorized access.” (See 18 U.S.C. § 2701(a)(2)). It would be up to the jury to determine whether the Commission exceeded the scope of its authority (if any).
Finally, the defendants argued that even if they had violated the SCA, Hoofnagle could not recover because he had failed to prove any actual damages. The court had no trouble dispensing with this argument, holding that Hoofnagle may be entitled to recover punitive damages and attorneys’ fees without proof of actual damages. Actual damages are a prerequisite to obtaining statutory damages under the SCA, but not punitive damages or attorneys’ fees.
So what lessons should employers take away from this opinion? First and foremost, establish a policy for personal email use and make sure all your employees know about it. Tell them specifically that they should have no expectation of privacy in their use of email accounts accessed through the employer’s equipment, or even when accessed through the employee’s own device if that device is also used for business purposes. Better yet, play it safe and don’t access your employees’ personal email accounts, even if accessed from company computers, unless they have given express written permission to do so.