Every employer understands that there is sometimes a need to do some investigative work. You might be checking out a new hire, or be suspicious of one of your employees who is entrusted with confidential or sensitive information.
Employers should be monitoring the use of company computers and company phones by their staff. In the course of monitoring, an employer might obtain an employee’s login details or password for personal accounts – Facebook, email, bank accounts.
What is the law if the employer logs in to the employee’s account? Is it illegal? Can the employee sue the employer?
This is a relatively new area of privacy law in the US, and it touches both on federal and state regulatory schemes.
On the federal level, the Stored Communications Act, 18 U.S.C.§2701, was enacted as part of the Electronic Communications Privacy Act. It protects electronic communications that are kept online. Recognizing that the reasonable expectation of privacy of these records and the interpretations of the 4th amendment’s prohibition against unreasonable search and seizure which offer protection for physical locations, Congress established stiff criminal penalties for unlawful access or changes to these online records.
This law famously came into play in a case of internet snooping, dubbed “WebcamGate”. The case arose when a school district issued laptops to students which gave the school control over the laptops’ webcam. The school district administrators did activate the webcams without knowledge of the students or their parents.
A class action lawsuit ensued, which was eventually settled with the school district. In that action, a claim was made under the SCA for civil damages for unauthorized access of the records which would be maintained on the laptops, namely the photo files. The case was quickly settled, so the Court never ruled on the SCA claim.
Subsequently, another federal court did find that the unauthorized accessing an employee’s personal accounts through use of a password captured from a keylogger was a violation of the SCA. In Rene v. G.F. Fishers, Inc., 817 F.Supp.2d 1090 (S. Ind. 2011), a woman was authorized by her employer to access her personal checking and email accounts from her work computer.
The employer failed to notify her that keylogger software was installed on her work computer. Her passwords were discovered through keylogger software. Her employer reviewed both her personal email and checking account history using the captured passwords.
There were several emails by and between company management, discussing the contents of her personal account histories. The court reviewed whether the employer’s conduct violated the Stored Communications Act.
The keylogger information itself, which included passwords, opened emails and viewed webpages, did not infringe on the Act. However, the employer’s conduct in using the passwords to review Rene’s histories (stored communications) would be covered by the SCA.
With respect to social media networking sites, the SCA first came into play in Pietrylo v. Hillstone Restaurant Group (NJ, 2009). Pietrylo and another employee started a private, invitation-only, password protected MySpace group in which they voiced their complaint about the company’s management and customers.
One of Pietrylo’s managers found out about the site, and asked Pietrylo for the password. Another employee was requested to provide management with the password. Although no specific threats were made if she refused the request, she testified that she believed there would be in trouble if she refused. Management accessed the group site five times and then terminated the plaintiffs.
The jury found that the MySpace group was a facility that stored electronic communications as defined by the SCA. The jury further found that the restaurant managers violated the SCA as they did not have authorization to access the group webpage. The court awarded the plaintiff’s back-pay, punitive damages 4 times the amount of back-pay damages, and attorney’s fees.
Finally, of importance to our customers, is retrieving data from dual-use devices. The line between personal and business use of mobile device is increasingly becoming blurry. As more and more employees carry cell phones and tablets that are used both for personal and business purposes, the likelihood that an employer would access the employee’s personal accounts is dramatically increasing, and, with that, exposure to liability for the employer.
Lazetta v. Kulmatycki (N.D. Ohio 2013) arose out of the accessing of an employee’s personal email account from a company-issued phone. Verizon issued a blackberry to its employee, Lazetta, who set up a personal Gmail account on the phone with Verizon’s permission.
When Lazetta ended her employment, she returned the blackberry to her supervisor, but forgot to delete the gmail account. She was advised by her supervisor that the phone would be recycled and given to another employee. Instead, her supervisor read over 48,000 of Lazetta’s personal emails over an 18-month period.
The court ruled that both the supervisor and Verizon could be liable for the SCA violation. To defeat a summary judgment motion, it was enough to show that the personal account contained private information and that the personal account was accessed through the unauthorized use of a password. Moreover, the court ruled that the employer, Verizon, would be held vicariously liable if the supervisor were found liable.
Even if an employee were to give a personal account password to an employer, the account may only be accessed for the limited purpose of the authorization. Exceeding the authorization invokes liability under the SCA.
In Cheng v. Romo (D.C. Mass 2012), the court also ruled that a motion for summary judgment was defeated, where an employee pled sufficient facts to show that the scope of password authorization had been exceeded by the employer’s access to the plaintiff’s personal email history.
Cheng and Romo were radiologists working for the same company. Cheng gave Romo her personal email account password, so that Romo could receive radiology consultations as the employer did not have a company email account. Both employees ended up in litigation with the employer after their terminations.
Claiming that she wanted to investigate various disciplinary actions, Romo used her son’s computer to access Cheng’s email account, and printed 10 of those emails, some of which contained personal content. The Court held that an employer can be liable under the SCA for exceeding the scope of authorization for use of a password for an account, even if the account is used for mixed purpose (personal and business), where personal information is accessed.