Congress works to keep the Act up-to-date

The 25th anniversary of Jorden Burt LLP nearly coincides with the twenty-sixth anniversary of the Electronic Communications Privacy Act (ECPA), which was signed into law on October 21, 1986. The ECPA was adopted to address, at the federal level, the legal privacy issues that evolved with the growing use of computers and other electronic communications by the general marketplace. Twenty-six years after its signing, the ECPA still has implications for financial institutions in the areas of employee email monitoring and government investigations.

The ECPA generally prohibits the unauthorized interception or retrieval of electronic communications while in transit, or when in storage. However, as the Third Circuit discussed in Fraser v. Nationwide Mutual Insurance Co. (2003), the ECPA does not prohibit an employer from retrieving employee emails that are stored on employer-provided systems.

Under a portion of the ECPA known as the Stored Communications Act (SCA), governmental entities, pursuant to an administrative subpoena or court order, may require third-party “provider[s] of electronic communication service[s]” to disclose the contents of electronic communications that have been in “electronic storage in an electronic communications system” for more than 180 days to the government entity, with delayed notice (up to 180 days after issuance of the court order) to the consumer under certain circumstances. Disclosure of electronic communications that have been in storage for 180 days or less requires a search warrant. Accordingly, financial institutions that both utilize a third-party provider of electronic communication services and have document retention policies that do not require deletion of emails prior to the emails turning 180-days old face an increased risk of their electronic communications being accessed by the government without the institutions’ knowledge.

Recently, the Senate Judiciary Committee unanimously approved a bill that would require a search warrant to obtain electronic communications stored with “provider[s] of electronic communication service[s].” This effort may be in response to ECPA critics who state the SCA portion of the ECPA is outdated. These critics argue that the current 180-days standard no longer accurately reflects the realities of the 2012 marketplace, where the ubiquitous use of email and the ready availability of free third-party email storage, differ significantly from the 1986 marketplace, where a minimal amount of emails older than 180-days existed.