Earlier this month, a district court in Ohio issued an order in the case of Lazette v. Kulmatycki. The background fact pattern is pretty straightforward: plaintiff worked for Verizon (with Kulmatycki as her supervisor), and upon leaving that job, handed in her company Blackberry. 18 months later, she learned that her old boss had been using the device to read her personal emails – some 48,000 messages – on her Gmail account. Plaintiff also alleges that “Kulmatycki disclosed the contents of some of the e-mails to others.” Of the five claims brought by plaintiff in this proceeding, the one that interests us the most concerns the Stored Communications Act.
(a) Offense.–Except as provided in subsection (c) of this section whoever–
(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
(2) intentionally exceeds an authorization to access that facility;
and thereby obtains . . . access to a wire or electronic communication while it is in electronic storage in such system shall be punished…
The defendants had a series of arguments prepared as to why the case should be dismissed, so let’s look at those arguments one-by-one.
A. Defendants tried to argue that the SCA should not apply to them, as it was intended only for “high-tech” criminals, such as computer hackers. Unsurprisingly, the court did not buy this argument, noting the language of a Michigan case from the year 2000: “The provisions of section 2701 of the Act apply to persons or entities in general and prohibit intentional accessing of electronic data without authorization or in excess of authorization.”
B. Next, they argued that Kulmatycki was authorized to access plaintiff’s emails. A number of supporting reasons were provided for this one:
1) he used a company-owned blackberry;
The court didn’t find this persuasive at all, easily drawing a distinction between the instant facts and those of the cases that defendants cited. Those all involved the use of a shared computer, whereas here the use of the device was unilateral. “Indeed, when Kulmatycki accessed e-mail sent to plaintiff, she was not able to use the blackberry to do likewise.”
2) he did not access a “facility,” as the statute uses that term;
This is a little confusing – the defendants seem to be arguing that the blackberry, the device itself, was a facility, but the emails it accessed were not. The court disagreed, finding that “the “electronic communications service” resided in the g-mail server, not on the blackberry, and the g-mail server, not the blackberry, was the “facility.””
and 3) plaintiff authorized Kulmatycki’s access because she had: a) not expressly told him not to read her e-mails; and b) implicitly consented to his access by not deleting her g-mail account.
Plaintiff deleted her emails before returning the phone, but apparently had left the Gmail account open, and that’s what allowed Kulmatycki access. Defendants claimed that it was negligence from the plaintiff, and so they could not be held liable. The court finds this to be “an unacceptable reading of [the SCA], which prohibits “access without authorization[.]” Additionally, the court observes that:
Negligence is, however, not the same as approval, much less authorization. There is a difference between someone who fails to leave the door locked when going out and one who leaves it open knowing someone be stopping by.
So, of course, no joy for defendants on this point either.
C. The next argument was also based on statutory language, and claimed that the “e-mails were not in electronic storage when Kulmatycki read them”. Now, we’ve written before about the complicated classification of storage in the context of email. This court’s analysis is equally confusing:
E-mails which an intended recipient has opened may, when not deleted, be “stored,” in common parlance. But in light of the restriction of “storage” in § 2510(17)(B) solely for “backup protection,” e-mails which the intended recipient has opened, but not deleted (and thus which remain available for later re-opening) are not being kept “for the purposes of backup protection.”
The court basically uses this to limit the emails in dispute to just those which Kulmatycki opened before plaintiff did.
D. Finally, co-defendant Verizon argued that it should be dismissed from the case, as under the SCA, the “person or entity providing a wire or electronic communications service” is exempt from punishment. For the sake this particular motion, the court disagrees – plaintiff has done enough to establish that Kulmatycki acted while within the scope of his employment, and so Verizon would have to rely on this affirmative defense further down the road.
Whew. Again, there were other non-SCA claims as well, and you can read about those in the opinion. If you’re an employer, hopefully this case has emphasized the dangers of having a BYOD policy, and the importance of thoroughly erasing all personal data from devices once they’re returned.