Wrongfully accessing someone’s personal email account may cost you $1,000 per unauthorized access, even if that person suffers no injury or loss. In Pure Power Boot Camp v. Warrior Fitness Boot Camp, 2010 WL 5222128 (S.D.N.Y. 2010), a New York district court permitted the recovery of statutory damages under the Stored Communications Act (SCA) (18 U.S.C. § 2707(a)) without proof of actual damages sustained.
Lauren Brenner allegedly hired former U.S. Marines Ruben Belliard and Alex Fell to work as “drill instructors” at her Pure Power Boot Camp physical fitness center. While still employed at Pure Power, Belliard and Fell allegedly made plans to open a competing boot camp style physical fitness center. Belliard and Fell left Pure Power, and shortly thereafter opened Warrior Fitness Boot Camp.
Fell alleged that after he left, Benner, or someone from Pure Power, accessed his personal e-mail account and printed e-mails from his personal Gmail, Hotmail, and Warrior Fitness accounts. Fell had left his username and password information saved on Pure Power computers, which allowed access to his email accounts. The emails revealed that Belliard and Fell allegedly copied Pure Power documents, stole Pure Power customers, and shredded their non-compete agreement.
Benner allegedly read these emails and Pure Power Boot Camp brought claims against Belliard and Fell, which included claims for breach of their non-compete agreements and theft of Pure Power’s business model, customers, and documents.
Fell counterclaimed against several parties, including Brenner and Pure Power, alleging that the unauthorized access of Fell’s account violated the SCA and entitled him to statutory and punitive damages, as well as attorneys’ fees.
A significant issue in this case was whether Fell could recover statutory damages under the SCA, even though he failed to allege or prove actual damages. In fact, Fell confirmed in his deposition that he sought only statutory and punitive damages.
On summary judgment, the court held that proof of actual damages is not required to recover under the SCA. The interesting aspect of this case was the court’s departure from the holding in Van Alstyne v. Elec. Scriptorium, Ltd.,560 F.3d 199 (4th Cir. 2009), the only federal appellate decision to analyze this issue. Van Alstyne required proof of actual damages in order to recover the $1,000 statutory damages under SCA. Van Alstyne based its decision on Doe v. Chao, 540 U.S. 614 (2004), where the Supreme Court required proof of actual damages for recovery under the Privacy Act. However, the Pure Power court criticized Van Alstyne’s analysis because the SCA and Privacy Act have different purposes, language construction, and legislative histories.
Indeed, according to the court, an overwhelming majority of jurisdictions decided after Doe permit recovery of statutory damages under the SCA absent actual damages. This has been applied to unauthorized access of employee’s email accounts (Cedar Hill Assocs., Inc. v. Paget, No. 04cv0557, 2005 WL 3430562 (N.D. Ill. 2005)), restricted websites (In re Hawaiian Airlines, Inc., 355 B.R. 225 (D.Haw. 2006)), and social media accounts (Pietrylo v. Hillstone Restaurant Group, No. 06-5754, 2009 WL 3128420 (D.N.J. 2009)).
The court, however, rejected Fell’s argument that each e-mail that was accessed constituted a separate $1000 violation under the SCA. The court found that, because the period over which the emails were accessed was relatively short (a nine day period), and because there was no evidence indicating the specific number of times each account was accessed, it was appropriate to aggregate the intrusions with respect to each individual e-mail account and find that there had been four independent violations of the SCA --one violation for each unauthorized access of an electronic communications facility, which allowed access to electronic communications while still in electronic storage. The court also rejected Fell’s request for punitive damages at this stage in the proceedings because the court was unable to determine as a matter of law which party accessed the email accounts, and the surrounding circumstances, and therefore, there was no basis upon which to decide whether punitive damages were appropriate. The court also rejected Fell’s request for attorneys’ fees as premature because the court was presently unable to determine which of the parties named in the counterclaim was liable for the four violations of the SCA.
The Pure Power court’s affirmation of some employee privacy rights and the removal of the actual damages hurdle to a SCA claim have several implications for employers and management. First, increased attention must be given when dealing with employee personal e-mail and social network accounts. The decision does not impair the ability to monitor employee web activity or work provided email accounts, provided that the employer has clear policies articulating that employees have no expectation of privacy. However, extra care must be given to employee personal accounts, particularly when the employee saves login information on the computer and the login information is used to access the employee’s personal accounts. Employers should not engage in such conduct.
In Pure Power, the access of Fell’s email accounts created a cause of action to recover statutory damages for Fell, where the employer may have a solid non-compete/unfair competition suit against the employee. Perhaps more detrimental to employer Pure Power Boot Camp, the court also excluded the highly relevant emails demonstrating alleged employee disloyalty from evidence. Finally, the ability to recover statutory damages without proof of actual damages, as well as punitive damages and attorney fees, may provide an incentive for employees and their counsel to pursue SCA claims against current and former employers.