Supervisor’s Post-Termination Access of Employee’s Gmail Account May Violate ECPA – Lazette v. Kulmatycki
[Post by Venkat Balasubramani]
Lazette had configured her Blackberry to access her personal Gmail account (without having to enter the password). When she returned the Blackberry, she believed she deleted the Gmail account, but apparently she hadn’t. In the 18 months following her termination of employment (and return of the Blackberry), she alleged that her supervisor read some 48,000 messages and disclosed the contents of some of these messages to third parties.
Stored Communications Act claim: Defendants argued that (1) the supervisor did not access a “facility” as the statute uses the term, or alternatively accessed a facility (the Blackberry itself) that defendants were authorized to access, and (2) the access was implicitly authorized, because it was effected through a company-owned device and Lazette granted implicit consent by not deleting the account.
The court disagrees with defendants’ argument that the Blackberry itself is a facility. It says the Gmail server, not the Blackberry, was the facility.
The court also says that there’s no implicit authorization. This is not the situation where there’s a shared computer (in some such instances, courts have found implied consent to access accounts that are accessible via the shared computer). The court also squarely rejects defendants’ argument that Lazette’s failure to delete the account before returning the Blackberry amounted to some sort of implied access.
Finally, the court addresses the issue of whether the emails were in “storage” as defined under the SCA. The court discusses the various different types of emails defendants could have accessed (not yet received, received but unopened, received but opened) and says that, of the 48,000 emails defendants improperly accessed, at least some of those were accessed by defendants before Lazette did. In those instances at least, there was a Stored Communications Act violation.
Verizon’s vicarious liability: Verizon argued that it should not be held liable because it falls under the SCA’s exemption for “providers” (since it provided the device). Verizon also argued that Lazette was unclear as to whether her Gmail account was separate from her work-provided email account. The court says this argument requires a look outside the four corners of the complaint. Finding that this is an affirmative defense, the court says it’s not an appropriate basis to dismiss Verizon at this stage.
No interception liability: Lazette also brought a claim for interception of her emails, but the court rejects this claim, finding that by the time defendants accessed the messages, they would have been delivered. The court distinguishes Szymuszkiewicz, a Seventh Circuit case, on the basis that there, due to a forwarding rule put in place, the person intercepting and the intended (rightful) recipient each accessed messages within “no more than an eyeblink.”
State law claims: The court also declines to dismiss plaintiff’s state law claims. Defendants again tried to rely on the fact that plaintiff should have been on notice to argue that she could not satisfy the reasonable expectation of privacy. The court says it cannot rely on any warnings contained in a handbook at the pleading stage, and in any event, courts employ a totality of circumstances analysis:
With regard to what one might expect from a warning of the possibility of occasional, random monitoring is one thing, total absorption is another.
The court also declines to dismiss her claim under a restitution statute, which relied on a state law hacking violation. Finally, with respect to her IIED claim, the court says that plaintiff fails to allege psychological injury or “severe mental anguish.” However, the court grants leave to re-plead these elements.
This is a mess, but nevertheless it’s a great case that highlights how out of touch the SCA definitions are with changes that have occurred since the statute’s enactment. Application of the SCA to webmail accounts is something courts have struggled with; a webmail account that you can configure to access through a smartphone throws another wrench into the mix. As always, SCA cases make my head hurt, and this one is no exception.
Verizon’s inability to escape liability for the SCA violation is interesting. It does not appear that it pressed the argument that the statute does not provide for derivative liability. There are several cases rejecting derivative liability for SCA violations. (The latest ruling in the long-running Shefts v. Petrakis dispute rejects derivative liability for interception under ECPA.) Verizon may develop this defense down the road. Perhaps the admission that the supervisor was acting in the scope of his employment when he accessed the messages undermined this defense. On a related note, since the ECPA is an explicit exception to Section 230, Verizon did not have a viable Section 230 defense here, at least with respect to those claims.
The case also brings up the question of what people should do when they recycle or return their devices. Anything other than a totally wiped device stands the chance of being “explored” by an errant employee. When this occurs, the person who returned the device is not typically the one who gets blamed. (See also “RadioShack May Be Liable for Accessing Images from Recycled Customer Cellphone” and “Employers Demanding the Right to Remotely Wipe Employees’ Phones?”) Nevertheless, from the standpoint of data hygiene, it behooves you to take extra steps to make sure not only that your device doesn’t have any data, but also that it does not have any passwords, accounts, or settings that can be used to access personal information.
A final question is what the effect of social media password laws would be in a case such as this. Since the employer accessed Lazette’s personal account without authorization, is that another possible cause of action for Lazette?