Privacy & Cybersecurity Law Blog

On June 5, 2013, the United States District Court for the Northern District of Ohio denied an employer’s motion to dismiss, holding that the Stored Communications Act (“SCA”) can apply when an employer reads a former employee’s personal emails on a company-issued mobile device that was returned when the employment relationship terminated. The defendants, Verizon Wireless (“Verizon”) and the manager who allegedly read the plaintiff’s emails, argued that the SCA applies only to computer hacking scenarios, and that the plaintiff authorized the reading of her personal emails. The court rejected both of the arguments, finding:

• the SCA was primarily, but not exclusively, designed to provide a cause of action against computer hackers, and thus may apply in other contexts; and
• an employee’s negligent failure to ensure that her personal email account was deleted from a company-issued mobile device does not constitute consent to the employer using the account to read her emails.

In this case, Verizon told the plaintiff that she could use the company-issued mobile device for personal email at the time it issued her the device. When the plaintiff returned the mobile device at the end of the employment relationship, she stated that she had attempted to (and believed she had) deleted her personal Gmail account from the company-issued device. Almost two years later, the plaintiff filed suit against Verizon and her former manager, alleging that the manager accessed close to 50,000 emails in the plaintiff’s personal email account during the 18 months after the plaintiff returned the device.

In rejecting the defendants’ contention that the SCA does not apply to this scenario, the court cited prior case law stating that the SCA more generally prohibits a trespasser from gaining access to information that the trespasser is not authorized to access. The SCA may have been aimed at computer hackers, but computer hackers were not the sole target. The court did state, however, that the SCA only prohibits accessing (1) the employee’s emails that have been received, but not yet opened by the employee and (2) emails that are in storage for “backup protection” purposes, which the court distinguished from emails that are merely stored in the account. That is, the SCA does not prevent Verizon from accessing emails that the employee had previously opened. The court concluded that due to the volume of emails and the length of time at issue, it could “draw a fair and plausible inference that [the manager] opened some of the emails before [the] plaintiff did.”

In rejecting the defendants’ contention that the plaintiff implicitly consented to the reading of her emails, the court held that the plaintiff’s negligence when attempting to delete her personal emails did not constitute approval for the defendants to read the personal emails. The court noted that finding implied consent would require the court to infer from the surrounding circumstances that the plaintiff knowingly agreed to allow access to her personal emails. Based on the information presented in the motion to dismiss, the court could not draw that inference.