The situation is common enough: an employee is alleged to have engaged in misconduct and, as part of its investigation, the employer decides to search the employee’s company-issued computer for any relevant documents and communications. One might expect that because the company owns the computer, anything discovered on the computer would be fair game. That expectation, however, can sometimes lead employers astray – and straight into a claim under electronic privacy and anti-hacking statutes like the Stored Communications Act (SCA) and Computer Fraud and Abuse Act (CFAA).
The SCA and CFAA are federal statutes that protect against the unauthorized access of electronic communications and information. Under those statutes, employers have considerable room to monitor and access communications on their own networks and equipment. The SCA, for example, generally exempts communications that are transmitted or stored on an employer’s proprietary electronic communications system. That exemption does not apply, however, to communications that are stored outside of the company’s system, such as emails stored in an employee’s Gmail or Yahoo! account. Consequently, an employer that accesses an employee’s private email account risks violating the law – regardless of whether a company-issued computer allowed the employer to do so (for example, because the password for the employee’s private email account was stored in the computer’s internet browser).
Cases to Discuss
As a case in point, in Lazette v. Kulmatycki (N.D. Ohio 2013), a supervisor used a former employee’s smartphone to access the employee’s personal email account after her employment ended. The employee had been issued a smartphone during her employment and had been told that she could use it for personal matters. When the employee left, she returned the smartphone and believed that she had deleted her Gmail account from the phone. In fact, the Gmail account was still accessible on the phone and the supervisor, rather than deleting the account, used it to read the employee’s opened and unopened email—a total of 48,000 emails over an eighteen-month period. After becoming aware of the supervisor’s actions, the employee changed her Gmail password and then sued claiming violations of the SCA, among other things. The employer sought to dismiss the complaint, but was unsuccessful. The court found that the mere fact that the supervisor had used a company-owned device to access the employee’s email account did not grant him the authority to do so. It also found that the employee’s inadvertent failure to delete the account from the phone did not mean she had given implied consent to access the account, particularly where she believed she had deleted the account and was unaware of the possibility that others might be able to access it. On the issue of consent, the court also noted that even if she had been aware that her emails might be monitored, that implied consent would not have been unlimited, given that “random monitoring is one thing; reading everything is another.”
More recently, in Owen v. Cigna (N.D. Ill. 2016), a court held that an employee had a viable claim under the SCA where her employer allegedly used her work computer to access emails from her personal email account. The employee had left her job and had filed a charge of discrimination for sexual harassment. In responding to the charge, the employer attached emails that it had obtained from the employee’s personal email account, but which the employee claimed had been obtained without her consent. The employer argued that it was authorized to access the emails, but the court dispensed with this argument quickly and found that although the employer had the undeniable authority to access the employee’s work computer after she stopped working, it was not authorized to access the employee’s personal email account.
Both of these cases serve as important reminders for employers to consider the potential privacy of electronic communications when performing workplace investigations. Although there are certainly steps that employers can take to reduce any expectation of privacy that employees may have in their electronic communications at work, employers must also recognize that mere ownership of a computer, tablet, smartphone, or other electronic device does not provide carte blanche access any account an employee accessed on the device.