Snooping Supervisor Created Liability for Employer
What would you think if you found out your supervisor continued to read your personal emails on your company-issued smartphone - after you resigned? That’s precisely what plaintiff alleged happened in Lazette v. Kulmatycki, et al., a case being litigated in the United States District Court for the Northern District of Ohio.
Plaintiff formerly worked for Verizon where she received a company-issued Blackberry. She was permitted to receive personal emails on the device. She thought that she had deleted her gmail account from the phone when she terminated employment, but had not effectively done so. Unbeknownst to plaintiff, her supervisor surreptitiously read the contents of her personal email about plaintiff’s family, career, financials, health, and other personal matters. Plaintiff alleged that her supervisor read approximately 48,000 emails without her authorization over an eighteen month period after the plaintiff terminated her employment. Plaintiff also alleged that he disclosed to coworkers the contents of some of those emails. Plaintiff filed suit claiming violation of the Stored Communications Act, among other claims, and defendants moved to dismiss.
The SCA is not “Exclusively” for Hackers
The court found unpersuasive defendants’ argument that Congress intended the SCA to reach computer hackers only, not someone who reads another person’s email without his or her knowledge. The court conceded that prior case law holds that the SCA is primarily designed to provide a cause of action against computer hackers, but distinguishes “primarily” from “exclusively” to find that the SCA applied to defendants.
No Authority to Access Plaintiff’s Emails
The court found that the mere fact that the supervisor used a company-owned blackberry to access the plaintiff’s email did not mean that he acted with authorization to do so. The court distinguished the cases cited by defendants, including one case involving the use of a shared computer. The court noted that there was no “shared use” because she no longer had access to the phone after she terminated. Moreover, the court rejected the defendants’’ argument that there was no password misuse in this case and therefore no violation of the SCA. The court found there was nothing in the statute to suggest that password misuse is required to establish a violation.
Smart Phone not a “Facility”
Defendants furthered argued that the conduct was lawful under the SCA because the blackberry was a “facility” that he was authorization to access. The court rejected that argument writing that “a personal computer, and, ergo, a blackberry or cell phone, is not a ‘facility’” within the meaning of the Act. The court looked to cases in other courts that agree that devices used to access electronic communications are not “facilities.” Therefore, the court found that the gmail server, not the blackberry, was the “facility.”
Negligence is not Implicit Authorization
Plaintiff believed she had deleted her gmail account from her phone before she left Verizon, but failed to effectively do so. The court rejected the defendants’ argument that her negligence left the email door open for the supervisor to nose around. First, it was of no consequence that the supervisor did not take any affirmative steps to cause the device to receive the email. Second, the court found that her negligence was not the “same as approval, much less authorization.” The court found that plaintiff had not consented to the supervisor’s access of her email.
No Liability for Opened Emails
Defendants prevailed on the singular issue of whether there plaintiff could recover based upon her claim that the supervisor violated the SCA when he accessed previously opened but undeleted mails. Such emails were not in “backup status” or “electronic storage” as the SCA uses those terms. efendants successfully argued that only unopened emails were within the definition of “electronic storage.” With respect to the emails opened for the first time by her supervisor, the court found that plaintiff’s failure to specify which of the 48,000 emails were unopened was not a failure of the Twombly/Iqbal test. The court was willing to draw a plausible inference that the supervisor opened some of the emails first because of the sheer volume of emails at issue. Thus, the court overruled defendants’ dismissal in toto, but granted it with respect to the opened emails.
Verizon Vicariously Liable
Defendants admitted that the supervisor was acting within the scope of his employment at in furtherance of Verizon’s interests when he accessed plaintiff’s emails. However, Verizon attempted to escape liability based upon the exemption under the SCA for providers of electronic communications. Defendants contended that the complaint did not make clear whether the gmail account was separate from plaintiff’s Verizon work account, therefore creating the possibility that Verizon was an electronic communication provider. The court rejected this argument noting that defendants failed to challenge plaintiff’s actual theory of vicarious liability. The court denied defendants’ motion to dismiss Verizon.
While this case deals with actions by the supervisor after the employee had terminated, it serves as a reminder that employers should be cautious when accessing employees’ personal email or data on a company-issued electronic devices. Employers should obtain consent prior to giving employees company-issued electronic devices that may be used for personal communication and storage. Employers should also have electronic communications and company equipment policies that put employees on notice that the employer may access information contained on those devices during employees’ employment and reminding employees that the device remains company property at all times.