Film reels abound with examples of employees-turned-detectives using documents taken from their employer’s files to bring wrongdoing to light. You may have your own favorites but here are mine (with titles hidden in footnotes so as not to spoil your fun):
An up-and-coming agent uses a flash drive hidden in her coffee mug to smuggle data belonging to her employer out of a high-security facility.
An operative frantically searches through his boss’s computer files to print out communications showing his boss has been lying to their stakeholders, all the while attempting to distract his boss on the phone with an offer to go play tennis.
A cloak-and-dagger duo steal documents from their employer and provide falsified versions to a fellow employee to thwart their employer’s effort to corner the market on orange juice commodities.
What Happens After the Director Yells Cut?
While these film characters entertain, their conduct could have serious consequences for both employee and employer after the cameras turn off. That is because of the Stored Communications Act (“SCA”).
The SCA, a criminal statute (18 U.S.C. §§ 2701, et seq.), prohibits accessing an electronic communication service facility (which can include employer e-mail services) and obtaining electronic communications where the individual either lacks authorization for the access or exceeds the authorization they have been provided. It also provides for a civil cause of action against the violating party.
Responding to an employee’s allegations of corporate crime—particularly where the employee has “investigated” on their own and may have violated the SCA in the process—requires expert navigation by the employer. The employee may have simply been trying to comply with an employer’s policy requiring a good faith basis for reporting wrongdoing, but the line between “developing a good faith basis” and violating the SCA can be a blurry one.
As recent decisions show, the best solution is to address the issue beforehand through clear policies and good training. Because legal battles under the SCA often hinge on whether the employee was “authorized” to access the communications at issue, employers should define who is authorized to access company e-mails when writing both their computer and internet policies and their reporting policies.
Write Your Own Screenplay: Adaption or Original?
A case recently decided by the 11th Circuit Court of Appeals, Brown Jordan International, Inc., et al. v. Carmicle, — F.3d —-, 2017 WL 359651 (11th Cir. Jan. 25, 2017), reveals the difficulties often facing employers when an employee accesses another’s e-mail. There, Carmicle – the president of two subsidiaries – began accessing other executives’ e-mail accounts using a generic password provided by the employer’s chief information officer. Upon finding what he believed to be evidence of a fraudulent scheme to deceive investors, he brought the information to the company’s attention. The company investigated but, after discovering how Carmicle had accessed the information, terminated him for cause and successfully sued him for violations of the SCA (which was affirmed on appeal to the 11th Circuit).
Seeing this litigation, employers ponder whether to make sequels or write afresh. Let’s call this the Best Adapted Screenplay method. No matter the direction you choose to go with your script, it is critical to investigate the alleged wrongdoing reported and to do so completely independent of the outcome of making any SCA claim. Failure to investigate a charge of serious wrongdoing merely because it was reported following a potential violation of the SCA could expose the company to lawsuits (by the discharged employee, shareholders, or governmental authorities that may still try to use the information procured in violation of the SCA). Investigations, however, will invariably reach a fork in the road.
- On the first path, you discipline the investigating employee for violations of the SCA. In that case, the employee will almost surely pursue a retaliatory discharge claim for reporting the violations (as occurred in Brown Jordan) and whether they are successful will boil down to whether their reports were protected activity and, if so, whether the violations of federal law were cause for the discharge independent of the report.
- On the second path, you elect not to discipline the reporting employee. That may encourage employees to act as vigilantes seeking to bring coworkers to justice or set a difficult precedent for future violations. It may also open the door to a suit for violation of the SCA by the purported bad actors, although – so far – courts have shut down the theory of “secondary liability” for violations of the SCA. Vista Marketing, LLC v. Burkett, 999 F. Supp. 2d 1294, 1296-97 (M.D. Fla. 2014) (citing other similar decisions). In addition, Shefts v. Petrakis, 2012 WL 4049509, at *6-7 (C.D. Ill. Sept. 13, 2012), indicated that it may be possible to “authorize” such an investigation after the fact.
The pitfalls on each path illustrate the importance of well written policies when it comes to employee investigations and SCA compliance. Let’s call this the Best Original Screenplay method: you write the policies in a way that leads your employees down the appropriate path, attempting to avoid the pitfalls entirely.
E-mail and computer usage policies should be narrow and unambiguous in delineating who can authorize access to e-mail accounts. The policy in Brown Jordan provided that access was controlled by “senior management” and also required a legitimate company purpose and permission of “corporate senior management.” Could it be improved with 20-20 hindsight from the best film critics or test audiences?
Had it stated that only the head of the parent company’s legal or compliance department can authorize access to other employees’ e-mail accounts, it might have dissuaded Carmicle from unilaterally conducting his own investigation. Even if it didn’t alter Carmicle’s approach, such a specific policy would make short work of Carmicle’s argument that he was “authorized” under the SCA.
It is equally important to address separately in policies on compliance what is expected from employees in reporting misconduct. For instance, the conventional wisdom has been to use a policy statement that informs employees of their obligation to report wrongdoing and the protections afforded them for making such reports in good faith. Given the SCA issues, a better policy should go on to inform employees that their role is to report rather than to become vigilante investigators and to emphasize the need to honor all computer and e-mail usage policies and applicable privacy laws.
With movie scenes influencing popular culture, better policies may not totally dissuade employees becoming ultra vires investigators/detectives. But, better policies will ensure that your movie has a happy ending.