Proving Unauthorized Access to Private Data Under the SCA

Hackers aren’t the only ones who can gain unauthorized access to your private data. Maybe you shared a password with your spouse, then got divorced and forgot to change it. Maybe you neglected to lock your phone and a passerby was able to pick it up and view your bank-account balances. There are innumerable ways in which your personal files can be exposed to someone you never intended to share them with. Revenge porn laws offer some protection when the files consist of sexually explicit selfies, but when the files at issue consist of mundane (but nevertheless private) emails or texts, the federal Stored Communications Act (“SCA”) often comes into play. The SCA establishes a criminal offense for whoever “intentionally accesses without authorization a facility through which an electronic communication service is provided” or “intentionally exceeds an authorization to access that facility,” and by doing so “obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.” 18 U.S.C. § 2701(a). The SCA also creates a civil cause of action, in which the plaintiff may obtain damages plus reasonable attorneys’ fees and other costs. 18 U.S.C. § 2707(b).

Many of us store all kinds of files in “the cloud” that we do not intend to share with the world: financial documents, proprietary information, trade secrets, personal notes–the list is endless. Suppose a former colleague intentionally accesses your Apple iCloud account–or your Dropbox account–or your Gmail account–without your knowledge or permission, finds your stuff and downloads copies. In many cases, this kind of behavior would create a right of action under the SCA. But the law contains a number of requirements that may or may not apply in your particular situation, and proof is often hard to come by.

First of all, the SCA only applies to files that are in “electronic storage” in certain computer systems. The definition of “electronic storage,” like everything else about the SCA, is long and convoluted. (Note that the law was written in 1986, long before any of us had ever heard of the Internet, let alone cloud storage.) Suffice it to say that the SCA doesn’t generally apply to files stored on your phone. Rather, the law is geared more towards the protection of communication stored in online accounts. The SCA defines “electronic storage” as “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.” (See 18 U.S.C. § 2510(17)). And the files must be stored in “a facility through which an electronic communication service is provided,” not just any computer system. (See Freedom Banc Mortg. Servs., Inc. v. O’Harra, No. 2:11-CV-01073, 2012 WL 3862209 at *9 (S.D. Ohio Sept. 5, unlocked_computer-300x1962012) (holding that “the relevant ‘facilities’ that the SCA is designed to protect are not computers that enable the use of an electronic communication service, but instead are facilities that are operated by electronic communication service providers and used to store and maintain electronic storage”)). Thus, to implicate the SCA, you’re probably going to need to show that someone gained unauthorized access to your backup files you were storing in the cloud.

Even if you can show that someone obtained copies of your private data from the cloud, keep in mind you’re also going to need to prove that person obtained the files intentionally and without authorization. Technology is changing all the time. To prove an SCA claim, you’re going to need to know exactly how the files were obtained, which can be a challenge. What if you’re checking your Gmail at a Starbucks and leave your laptop visible while you go to the counter for another latte? If someone glances over and sees a private email, would that be a violation of the SCA? Or what if you forget to log out of your iCloud account on a company-owned phone when you turn it in at the end of your employment? In Sunbelt Rentals, Inc. v. Victor, 43 F. Supp. 3d 1026 (N.D. Cal. 2014), the court dismissed an SCA claim when a former employee forgot to log out of his Apple account and his former employer was able to read text messages as a result. The access might not have been authorized, but it also might not have been intentional, as the text messages were pushed to the device with no apparent action by the employer.

Or what if someone logged in to your account using a password that you voluntarily shared years ago but forgot about? If you essentially handed another person the keys to your private data, did you waive your ability to pursue an SCA claim? The key is to remember that the SCA imposes liability where electronic files are accessed “without authorization,” regardless of whether the plaintiff may have inadvertently enabled the wrongful conduct. The facts of Lazette v. Kulmatycki, 949 F. Supp. 2d 748 (N.D. Ohio 2013) demonstrate this point.

In Lazette, a Verizon Wireless employee was issued a Blackberry smartphone and told she was welcome to use it to access her personal email. During her employment, she used the company-issued phone to access her personal Google Gmail account. At the end of her employment, she turned in the phone, but forgot to log out of her personal Gmail account, inadvertently enabling her former employer to log in to her Gmail account and view its contents. She alleged in her complaint that her former supervisor read thousands of her private email messages on the device without her knowledge or authorization, and that this conduct violated the SCA. The court agreed with her and denied (in material part) the employer’s motion to dismiss.

The defendants in Lazette made several arguments, such as that the phone was not a “facility,” that the SCA is designed to apply only to “high tech” criminals such as computer hackers, and that accessing the files in question was implicitly authorized by the plaintiff’s negligence in failing to log out of her personal account. The court rejected these arguments one by one. With respect to the “implied authorization” argument, the court observed, “[D]efendants, in effect, contend that plaintiff’s negligence left her e-mail door open for [her former supervisor] to enter and roam around in for as long and as much as he desired.” The court held that the plaintiff’s failure to log out of her Gmail account did not give her employer the right to go rummaging through her private communications:

This is an unacceptable reading of § 2701(a)(1), which prohibits “access without authorization”…. Negligence is…not the same as approval, much less authorization. There is a difference between someone who fails to leave the door locked when going out and one who leaves it open knowing someone [will] be stopping by. Whether viewed through the lens of negligence or even of implied consent, there is no merit to defendants’ attempt to shift the focus from [the employer]’s actions to plaintiff’s passive and ignorant failure to make certain that the blackberry could not access her future e-mail.

Understanding the technology used to access the files is important because while a cell phone itself is not considered a “facility” within the meaning of the SCA, several courts have held that when a phone is used to access emails that are stored on a web-based system such as Gmail or Yahoo, the SCA is implicated. In Hoofnagle v. Smyth-Wythe Airport Comm’n, No. 1:15CV00008, 2016 WL 3014702 (W.D. Va. May 24, 2016), the court held that unauthorized access to the plaintiff’s private Yahoo! web-based email account would be a violation of the SCA and, accordingly, denied the defendants’ motion for summary judgment. The court found that emails residing in Yahoo!’s servers qualified as “electronic storage” under 18 U.S.C. § 2510 (17).

In short, for purposes of evaluating SCA liability, the pertinent “facility” through which an electronic communication service is provided is the web-based server on which the files are stored (not the phone or other device used to access the server), and photographs and other communications stored on such servers for backup protection are in “electronic storage” within the meaning of the statute. (If the files are stored in the cloud for purposes other than backup protection, the analysis gets more complicated, and is beyond the scope of this blog.) If your personal data has been compromised, you may have grounds for legal action.

Contact Us
Virginia: (703) 722-0588
Washington, D.C.: (202) 449-8555
Contact Information