Many employers provide employees with smartphones to use in their jobs. Typically, employers permit employees to use these devices for personal reasons, such as communicating with friends and family through their private email accounts. Does an employer have the right to read these personal emails because they are sent and received through a company-owned smartphone? The answer, according to a federal court in Ohio, is clearly “no.”
In Lazette v. Kulmatycki, N.D.Ohio No. 3:12CV2416, (June 5, 2013), the employer, Verizon Wireless, provided a blackberry for the employee’s use. The employee was told that she could also use the company-issued phone for personal email. In September 2010, the employee left Verizon and returned the phone to her supervisor without deleting her personal Gmail account from the phone. She understood that Verizon would “recycle” the phone for use by another employee. Eighteen months later, the employee learned that her supervisor had been accessing her Gmail account and disclosing the contents of the emails he had accessed. The employee neither consented to nor authorized the supervisor’s secret reading of her personal emails. The employee changed her password once she learned of her supervisor’s actions. Before she did so, however, the supervisor had accessed 48,000 e-mails in the employee’s Gmail account. The emails included communications about the employee’s family, career, financials, health, and other personal matters.
The employee brought suit against Verizon and her supervisor, alleging violations of the Stored Communications Act. This statute prohibits intentionally accessing without authorization a “facility” (such as an email server) through which electronic communications are provided. Verizon moved to dismiss the complaint on the grounds that the supervisor had authority to access the employee’s Gmail account because the phone was a company-owned blackberry and the plaintiff had implicitly authorized his access.
The court rejected Verizon’s arguments and denied its motion to dismiss. The court held that the mere fact the supervisor used a company-owned blackberry to access the employee’s emails did not mean that he acted with authorization to do so. Further, the employee did not implicitly consent to the supervisor accessing her email when she returned her blackberry without having ensured that she deleted her Gmail account. The employee’s negligence in failing to delete her Gmail account did not amount to approval, much less authorization, to read her personal emails. The court analogized: “There is a difference between someone who fails to leave the door locked when going out and one who leaves it open knowing someone [will] be stopping by.”
What lessons does this case teach employers? First, don’t read emails from employees’ personal email accounts without their consent. The simple fact that an employee is using a company-owned phone or computer to access his or her personal emails does not authorize the employer to read those emails. Second, develop a personnel policy that prohibits employees from reading personal electronic communications of their coworkers without consent. Make sure employees understand and follow this policy. Finally, have employees return their company-owned phones directly to the IT department rather than the employees’ supervisor, and ensure that any personal information regarding the employee is removed before the device is reissued.