Employer Grabs the Driver’s Seat on Electronic Privacy Claims

Friday, June 2, 2017

Most employment laws are like a one-way street, where the only party with the ability to drive a claim is the employee.  When it comes to electronic privacy, however, some federal statutes allow for two-way traffic.  Although the Stored Communications Act (SCA) and the Computer Fraud and Abuse Act (CFAA) are often used by employees to assert claims against employers over unauthorized access to electronic communications, these laws also provide avenues for employers to pursue claims against employees for similar transgressions.

For example, earlier this year the Eleventh Circuit Court of Appeals affirmed a judgment against an employee for violations of the CFAA and SCA in a case called Brown Jordan International v. Carmicle.  The employee in the case, Carmicle, was an executive who became suspicious that a subordinate employee with whom he was having difficulty was communicating directly with the company’s CEO.  Acting on that suspicion, Carmicle took advantage of a generic email password to search the accounts of other employees.  From his search, Carmicle inadvertently learned about a planned buyout of the company by a select group of executives, and he also discovered that the company was scrutinizing his entertainment expenses.  Concerned that his job was in jeopardy after a poor financial year, Carmicle informed the company’s board of directors about the planned buyout and accused the group of executives of fraudulent activity.  This prompted the board to hire an independent investigator.  The resulting investigation failed to substantiate Carmicle’s accusations, but did disclose the extent of his email activities and the fact that he had spent over $100,000 in unauthorized business expenses.  After receiving these findings, the company terminated Carmicle and then sued him for violations of the CFAA and SCA.  The company prevailed at trial.

On appeal, Carmicle argued that the judgment on the CFAA claim was in error because the company had not experienced a “loss” recognized by the statute.  However, the Eleventh Circuit found that the CFAA’s definition of a “loss” encompassed payments that the company had made to outside consultants to determine the extent of Carmicle’s hacking activity and so affirmed the judgment on that claim.  As for the SCA claim, Carmicle argued, among other things, that his access of employee email accounts was authorized because the company’s policy made clear that emails were subject to monitoring and were not private, and also because, as a member of senior management, he was not required to request access.  However, agreeing with the trial court, the Eleventh Circuit found that it was unreasonable to interpret the policy as authorizing Carmicle to “exploit a generic password” and to access email accounts without going through the proper channels, particularly where he did so without any reason to suspect wrongful or illegal conduct by the employees whose accounts he accessed.

The Brown decision serves as an important reminder of the leverage that statutes like the SCA and CFAA can provide to employers when it comes to protecting their proprietary electronic communications and systems.  Although employers are unlikely to find themselves very often in the position of needing that leverage in pursuit of a claim against an employee, these statutes nonetheless provide employers with a license to go down that road if needed.