When we think about the issues that employers have been struggling with relating to employee use of personal mobile devices for work, thoughts of data security, trade secret protection, record retention, and even FLSA compliance immediately come to mind – or at least my mind. But, I bet you wouldn’t anticipate what allegedly happened in Lazette v. Kulmatycki, a case decided by the federal court in the Northern District of Ohio on June 5, 2013. In Lazette, the plaintiff alleged that, after plaintiff left her employment, she returned her company-issued blackberry (which she used and refers to in her complaint as her "phone"), but did not have the phone wiped. The phone apparently ended up in the clutches of her former supervisor, who, during the ensuing 18 months, allegedly read without her knowledge or authorization 48,000 e-mails sent to her personal g-mail account. In addition, the plaintiff alleged that the supervisor disclosed the contents of some of the e-mails to others. Apparently among the contents of the accessed e-mails were communications about the plaintiff’s family, career, financials, health, and other personal matters. Amazingly, according to the decision, the plaintiff’s former employer, who also was sued, admitted that the supervisor was acting within the scope of his employment and in furtherance of the employer’s interests when he accessed plaintiff’s personal e-mails. The plaintiff filed a complaint raising five claims: 1) violation of the federal Stored Communications Act (SCA), 18 U.S.C. § 2701 et. seq.; 2) violation of Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (a/k/a the Wiretap Act), 18 U.S.C. § 2510 et seq; 3) Ohio common law invasion of privacy; 4) civil recovery for violation of Ohio Revised Code § 2913.04(B) (which is Ohio’s equivalent of the federal Computer Fraud and Abuse Act); and 5) Ohio common law intentional infliction of emotional distress. In response, the defendants filed a motion to dismiss all five counts.
Stored Communications Act
The defendants raised a number of arguments to argue that the SCA either did not apply or was not violated. First, they argued that the SCA did not prohibit accessing another’s emails without authorization, but the court concluded that the SCA was not intended by Congress to prohibit only computer hacking. The defendants then argued that they did not violate the Act. To violate the SCA, an individual must have gained unauthorized access (or gained access by exceeding the scope of authority) to a facility through which electronic communication services are provided and then accessed electronic communications while in storage. Defendants argued that the supervisor had (and apparently did not exceed) authority to access the plaintiff’s g-mail account because: 1) he used a company-owned blackberry to do so; 2) he did not access a "facility," as the statute uses that term; and 3) the plaintiff authorized the supervisor’s access because she had: (a) not expressly told him not to read her e-mails; and ( b) implicitly consented to his access by not deleting her g-mail account. The court disposed of each of these arguments. Initially, the court concluded that it was irrelevant that the supervisor gained access to the plaintiff’s email using a device he was authorized to use because he still did not have the plaintiff’s authorization to access her emails. He likewise did not agree that by failing to take prudent steps to prevent unauthorized access to her email was the equivalent of implicit authorization. Finally, the court concluded that the supervisor accessed a “facility” within the meaning of the SCA when he accessed the gmail server on which the plaintiff’s emails were stored. The defendants did, however, have some success in limiting their potential liability under the SCA. The court concluded that the defendants violated the SCA only to the extent that they were the ones who initially opened the email. If they simply read emails that the plaintiff already had opened herself but not deleted, those emails were no longer in “electronic storage” within the meaning of the statute.
The court granted the defendants’ motion to dismiss plaintiff’s Wiretap Act claim. For there to be a violation of this statute, an individual must use an "electronic, mechanical, or other device” to “intercept” the contents of any wire, electronic, or oral communication in transit. Here, however, the defendants did not “intercept” the plaintiff’s emails because they simply opened them or read them after they had arrived at their destination in her email account.
Ohio Common Law Invasion of Privacy
The court held that the plaintiff stated a viable cause of action for invasion of privacy under Ohio law for “intrusion upon seclusion.” To succeed on this claim, the plaintiff will have to establish that the defendants intentionally intruded, physically or otherwise, upon her solitude or seclusion or her private affairs or concerns and that the intrusion was highly offensive to a reasonable person. While recognizing that the defendants may be able to present evidence that will reduce the plaintiff’s reasonable expectation of privacy in her emails, the court concluded that she had sufficiently pleaded a cause of action for invasion of privacy under Ohio law. In reaching this conclusion, the court noted that “a reasonable jury could find [the supervisor’s] reading of tens of thousands of such private communications, if proven to have occurred, "highly offensive."
Ohio Revised Code § 2913.04(B)
Plaintiff’s complaint seeks to hold the defendants civilly liable for violations of O.R.C. §2913.04(B) under another Ohio statute that permits a person injured by another’s criminal conduct to recover against the perpetrator of the crime. O.R.C. § 2913.04(B) provides as follows:
No person, in any manner and by any means, including, but not limited to, computer hacking, shall knowingly gain access to, attempt to gain access to, or cause access to be gained to any computer, computer system, computer network, cable service, cable system, telecommunications device, telecommunications service, or information service without the consent of, or beyond the scope of express or implied consent of, the owner of the computer, computer system, computer network, cable service, cable system, telecommunications device, telecommunications service, or information service or other person authorized to give consent.
The court denied the defendants’ motion to dismiss this count, holding that the Ohio criminal computer misuse statute reached a far broader range of misconduct than merely computer hacking.
Intentional Infliction of Emotional Distress
The elements of this claim under Ohio law are:
(1) the defendant intended to cause emotional distress, or knew or should have known that his actions would result in serious emotional distress; (2) the defendant’s conduct was so extreme and outrageous that it went beyond all possible bounds of decency and can be considered completely intolerable in a civilized community; (3) the defendant’s actions proximately caused psychological injury to the plaintiff; and (4) the plaintiff suffered serious mental anguish of a nature no reasonable person could be expected to endure.
The court noted that the plaintiff’s claims of mental anguish were conclusory and gave her four weeks to file an amended complaint in which she states that she either has been undergoing treatment for psychic injuries, suffered specific and prolonged psychic and/or psychic-related consequences, or both. Failing that, the court will dismiss this count with prejudice.
While this case addresses a factual scenario that seems unlikely to repeat itself (or so I hope), there are a few nuggets for employers here:
- It cannot be emphasized enough that bad things happen when employers access employees’ personal email or social media accounts without explicit authorization.
- When company-owned mobile devices are returned by departing employees, they should be segregated for a period of time to be sure that there is no need for them to be forensically examined. They should then be wiped before being put back in circulation.
- As more and more employers are entering a BYOD environment, it is clear that employers run extreme risks if they permit their employees to wipe their own devices when separating from employment. While nothing is foolproof, having a BYOD agreement with employees in which they consent to the employer doing a remote wipe of the device upon their departure at least will reduce the risks that employees will continue to possess employer confidential data on their devices after they are gone. Using container/sandbox software that separates work and personal applications on the device also will cushion employee concerns about losing personal data when the device is remotely wiped.
- See Takeaway No. 1.