Under the Stored Communications Act (“SCA”), 18 U.S.C. § 2701, whoever:

(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or

(2) intentionally exceeds an authorization to access that facility;

and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section.

And the SCA provides a civil cause of action for violations of Section 2701. 18 U.S.C. § 2707(a) (any “other person aggrieved by any violation of this chapter in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind may, in a civil action, recover from the person or entity… engaged in that violation such relief as may be appropriate.”); Van Alstyne v. Elec. Scriptorium, Ltd., 50 F.3d 199, 204 (4th Cir. 2009).

Thus, a civil lawsuit may be filed against one who intentionally, and without authorization, accessed your emails in violation of the SCA.

The statute of limitations for the SCA is two years. 18 U.S.C. § 1030(g).

Accessing a Web-Based Host for Emails

In Carson v. EmergencyMD, LLC , No. 22-1139 (4th Cir. Feb. 9, 2023) (unpublished), Carson alleged that her former employer, EmergencyMD, violated the SCA when it accessed her private emails and then used those emails in litigation as evidence to show that Carson planned to recruit its employees and use its trade secrets to unfairly compete against EmergencyMD. For her SCA claim, Carson needed to show that EmergencyMD intentionally accessed Carson's private emails, and did so without authorization.

Intentionally Accessed?

The emails were from Carson's private Gmail account. Her Gmail inbox page, however, was left open in the web browser on her work computer for EmergencyMD. The initial discovery of Carson's open and accessible Gmail account on EmergencyMD's computer was not a problem. There was no evidence of any intent to access the emails in the initial discovery of the open Gmail webpage.

But after that initial discovery, someone reviewed and printed emails showing Carson's interactions with a competing company, which were later used in litigation. So, the question that remains is whether the unintentional initial discovery of Carson's emails shields the subsequent decision to review and print certain emails from liability under the Act.

Here, the Court found that “the evidence of the defendants' conduct after the initial discovery that Carson's account was open creates a question of fact as to whether the defendants intentionally accessed Carson's emails.”

Without Authorization?

Next, was there a triable issue of fact with respect to whether Carson's emails had been accessed without authorization?

First, EmergencyMD argued that Carson authorized EmergencyMD to obtain and disclose the emails leaving her Gmail account open on the shared computer she used at EmergencyMD. The Court held that the SCA did not define the term “authorization”; but that term is commonly understood to involve knowing, intentional action.

Unintentionally failing to log out of a computer seems at odds with the meaning of authorization. Perhaps it was careless. But did it authorize EmergencyMD to review her private emails? There is at least a question of fact on this issue.

Second, EmergencyMD argued that Carson gave authorization when she agreed to its Electronic Communication Policy, which was as follows:

All information created, sent, received, or stored on the company's electronic resources is company property. Such information is not the private property of any employee and employees should have no expectation of privacy in the use or contents of the company's electronic resources. Passwords do not confer any right of privacy upon any employee of the company. Employees should understand that the company may monitor the usage of its electronic resources and may access, review, and disclose information stored on its electronic resources, including messages, personal e-mail communications sent and received on the employer's computers but using private email accounts, and other data, at any time, with or without advance notice to the user or the user's consent.

The Court noted that Carson's emails had been accessed by EmergencyMD after her employment there had been terminated. And there was no basis in the policy to suggest that an employee's use of the company's shared computer to access her Gmail account for work purposes authorized EmergencyMD to access and use emails created on that private Gmail account after the employee has been terminated.

            And even for emails sent or received while Carson was still employed at EmergencyMD, the Policy allowed it to access, review and disclose electronic information sent and received on the employer's computers. But the record does not establish that Carson's emails at issue here were created or sent on EmergencyMD's computers. . . . Perhaps data from the emails or some other information will reveal whether Carson sent or received the emails from EmergencyMD's computers. But we cannot tell that from the record before us.

            Also, the Policy allows EmergencyMD to access and disclose personal electronic information stored on its electronic resources. But emails from a Gmail account are not stored on EmergencyMD's electronic resources. Gmail uses a web-based host for emails. Hately v. Watts, 917 F.3d 770, 773 (4th Cir. 2019). Google hosts and stores all emails so that an account holder can access the copies if they are not deleted by the user. See id. at 773, n. 1 (noting that when emails are stored using a web-based server, like the Google cloud system, then the user's “computer or mobile device merely serves as a conduit to access the [host's] server.”). Using EmergencyMD computers to access electronic communications stored on a cloud storage system is not the same as storing electronic communications on EmergencyMD's electronic resources.

The Court found “there is at least a question of fact as to whether what Carson agreed to under EmergencyMD's Policy applies to the emails on her private Gmail account, even if she used that account in doing her job.”

The Court further noted that EmergencyMD could have sought production of the emails as part of discovery in the separate trade secret litigation. “But there is at least a question of fact as to whether the defendants ignored those options and took steps prohibited by the Stored Communications Act.”

Thomas P. Howard, LLC litigates nationwide including in Colorado.