January 23, 2011
Ex-Employees Awarded $4,000 for Email Snooping by Employer -- Pure Power Boot Camp v. Warrior Fitness Boot Camp
[Post by Venkat Balasubramani]
Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 08-civ-4810 (S.D.N.Y.; Dec. 22, 2010)
Email snooping and computer fraud statutes (Stored Communications Act; Computer Fraud and Abuse Act) are starting to play a starring role in litigation between departing employees and their former bosses. Plaintiffs asserting claims under these statutes often press tenuous claims, with evidence for damages that are weak at best. There are often unclean hands all around, and the disputes end up just being messy.
One such dispute is Pure Power Boot Camp v. Warrior Fitness Boot Camp. As the court describes it, Lauren Brenner, the owner of Pure Power hired Alex Fell and Ruben Belliard to work as "drill instructors" at her gym (which was "designed to replicate as closely as possible the experience of training at a military boot camp"). Fell was fired and Belliard quit, but before they left, they made plans to open a competing fitness facility in town. Fell and Belliard alleged that after they left, Brenner, or someone on her behalf, accessed and printed emails from Fell's Hotmail, Gmail, and Warrior Fitness Boot Camp accounts. The emails yielded a bounty of information about Fell's and Belliard's efforts while still at Pure Power to open a competing gym. Brenner denied that she ever accessed the emails or directed anyone to, and in any event, alleged that the emails were accessible because Fell left his username and password stored in Pure Power's computers.
The lawsuit had numerous procedural twists and turns. Brenner and her company sued in state court to enforce a non-compete after gathering the email evidence. The state court determined that the non-compete was unenforceable, and allowed Fell and Belliard to open their competing fitness center. (This was probably a good time to consider settling the dispute and not sinking more resources into it.) Fell and Belliard then removed the lawsuit to federal court and asserted claims based on Brenner's improper access of the emails. Fell and Belliard also sought a preclusion order, prohibiting Brenner from using any of the improperly obtained emails in the proceeding. The court agreed with defendants and issued an order requiring Brenner to return all emails or materials obtained "outside normal discovery procedures." The court also precludes Brenner from using any of those emails in the underlying lawsuit. In that order, the court found that the access of the emails violated the Stored Communications Act, but did not violate the ECPA. Defendants brought a motion for summary judgment on their SCA and ECPA claims.
Stored Communications Act Claims: With respect to the Stored Communications Act claim, the court held that the court's earlier preclusion order established the law of the case that the access of the accounts violated the SCA. Both sides tried to argue as to whether the preclusion order conclusively established Brenner's personal liability, but the court left that issue for another day, finding that there was a factual dispute as to whether Brenner herself accessed the emails or directed someone else to do go. However, interestingly, the court held that defendants failed to show any actual damages for the Stored Communications Act violations. Brenner argued (citing to Van Alstyne v. Elect Scritporium) that in the absence of actual damages, defendants could not recover any damages at all, but the court rejects this, finding that regardless of whether defendants put forth any evidence of actual damages, they are entitled to statutory damages. (See Tom O'Toole's blog post on Van Alstyne.)
However, the victory turns out to be a pyhrric one for defendants (on the damages front), as the court holds that defendants are only entitled to damages per instances of access (and not per email) and awards defendants the disappointing amount of $4,000. The court noted mixed authority on the issue of whether damages were appropriately awarded per email accessed or based on each instance of unauthorized access. Ultimately, the court noted that there was no evidence as to how many times the email facilities were accessed during a relatively short time period that was at issue (nine days), and the court aggregated the intrusions with respect to each individual account. The court also defers ruling on defendants' request for fees and punitive damages, finding that those questions were better suited for the jury.
ECPA Claims: The ECPA provides a civil cause of action against those who "intercept" electronic communications. The court rejects defendants' claims under the ECPA on the basis that the messages were accessed after they were delivered to defendants' accounts. The court had rejected defendants claims in its ruling on the preclusion order, and apart from arguing that the time period between delivery and access by plaintiff was "shorter than defendants had initially believed," defendants did not offer any new evidence that the interception occurred before delivery (or contemporaneous with delivery).
I'm not sure what to make of this case, except to say that unless there's a policy in place that clearly authorizes email monitoring, it's a minefield to access someone else's email, whether that's in the employment context or in the family law/divorce context.
Even when there's a policy in place, there's some risk that the policy may not clearly express consent for monitoring, as was almost the case in another email snooping case from Illinois. (See Shefts v. Petrakis, 10-cv-1104 (C.D. Ill.; Dec. 9, 2010).) In Petrakis, there was a policy which said that the company would monitor emails, but there was some dispute as to whether it applied to plaintiff, who was a director and shareholder, rather than an employee. There was also conflicting language in the policy that said that employees would not monitor one another's email absent express board approval. Although the employee who brought the ECPA and SCA claims made a valiant attempt to inject ambiguity into the language of the policy, the court ultimately saw things the employer's way.
You would potentially expect some sympathy from the court since in many of these cases, the monitoring results in the employer getting access to highly relevant evidence that often points to misconduct or a breach of policy (or a contractual duty) on the part of the employee, but this does not seem to be the case. Here I guess the court expressed some sympathy in the form of the small damage award given to the employees, but the employer took an even bigger hit - the court's previous order precluded the employer from using this evidence. When you consider that the information the employer accessed was information that could have been obtained through discovery (from the ex-employees), the decision to access the emails here turned out to be pretty costly.
Posted by Venkat at January 23, 2011 08:17 PM | Privacy/Security