Court Finds Airport Cannot Fly Under the Radar on Employee’s Email Privacy Claims

Friday, November 4, 2016

A federal district court in Virginia recently grounded an airport’s attempt to escape liability for accessing an employee’s email account. (Hoofnagle v. Smyth-Wythe Airport Commission.) The decision, which delivered a mixed result for the airport, provides important guidance for both public and private sector employers.

The employee was the airport’s operations manager and was responsible for its day-to-day operations, including responding to email from the public. To this end, the manager created a Yahoo! email account, which he used for both airport and personal business. Although the account became the airport’s official email contact, the airport did not have an email policy or any other technology policy that governed how the account was to be used.

Events came to a head when the manager, an NRA member, used the account to send a strongly worded email to U.S. Senator Tim Kaine regarding gun control. The manager signed the email using his official airport title. After learning of the email, the airport terminated the manager based not on the email’s content, but on the manager’s decision to sign it in his official capacity. The airport then used a password provided by the airport’s secretary to gain access to the account to search for business records. The manager sued and claimed that the airport’s access of the email account without his authorization violated the Fourth Amendment’s protection against unreasonable governmental searches, as well as the Stored Communications Act.

Dealing with the Fourth Amendment claim first, the court applied a two-part test used by the U.S. Supreme Court in another case involving the scope of employee privacy in electronic communications. That test looks first at the “operational realities” of a workplace to determine whether a reasonable expectation of privacy exists, and then examines whether the search was reasonable under all the circumstances.

In this case, the court found that the manager did have a reasonable expectation of privacy in the email account – primarily because the account was not clearly owned by the airport, and because the airport did not have an electronic communications policy that would have limited the manager’s expectation of privacy. Nonetheless, because the airport’s search of the account related to a non-investigatory work-related purpose, and because it was limited in scope, the search was reasonable and therefore did not violate the Fourth Amendment.

Turning to the Stored Communications Act, however, the court found that the airport could not escape liability. The SCA is a federal law that prohibits the unauthorized access to stored email and other electronic communications. But the SCA exempts “providers” of electronic communications services and end “users” of those services – and it was under these two exemptions that the airport sought refuge, arguing that the exemptions applied because the airport had provided the computer through which the manager had used the Yahoo! account. The court found neither exemption applied, though, because it was Yahoo! that provided the electronic communications service where the emails were stored, and it was the manager, who had created the account, that was the “user” of the service.

So – what guidance does this case provide for employers? First, it demonstrates that employers must be careful when using, or allowing employees to use, a third-party email provider (e.g., Yahoo!, Gmail, etc.) for company business. In those situations, employers must be sure to have clear policies in place that address the scope of employee privacy in electronic communications and the monitoring of email on workplace computers, and the policies should also clarify who it is – employer or employee – that owns the account and is authorized to access it. Had the airport in this case maintained such a policy, it would have been in a far better position. Second, this case demonstrates that an employee’s use of a work computer does not entitle an employer to access virtually any account used by the employee on the computer – even if the account is used for work purposes. Finally, the case serves as an important reminder for employers to keep abreast of changes in technology and how that technology is used in the workplace.