The
situation is common enough: an employee is alleged to have engaged in
misconduct and, as part of its investigation, the employer decides to search
the employee’s company-issued computer for any relevant documents and
communications. One might expect that because the company owns the
computer, anything discovered on the computer would be fair game. That
expectation, however, can sometimes lead employers astray – and straight into a
claim under electronic privacy and anti-hacking statutes like the Stored
Communications Act (SCA) and Computer Fraud and Abuse Act (CFAA).
Federal Statutes
The
SCA and CFAA are federal statutes that protect against the unauthorized access
of electronic communications and information. Under those statutes,
employers have considerable room to monitor and access communications on their
own networks and equipment. The SCA, for example, generally exempts
communications that are transmitted or stored on an employer’s proprietary
electronic communications system. That exemption does not apply, however,
to communications that are stored outside of the company’s system, such as
emails stored in an employee’s Gmail or Yahoo! account. Consequently, an
employer that accesses an employee’s private email account risks violating the
law – regardless of whether a company-issued computer allowed the employer to
do so (for example, because the password for the employee’s private email
account was stored in the computer’s internet browser).
Cases to Discuss
As
a case in point, in Lazette v. Kulmatycki (N.D. Ohio 2013), a supervisor
used a former employee’s smartphone to access the employee’s personal email
account after her employment ended. The employee had been issued a
smartphone during her employment and had been told that she could use it for
personal matters. When the employee left, she returned the smartphone and
believed that she had deleted her Gmail account from the phone. In fact,
the Gmail account was still accessible on the phone and the supervisor, rather
than deleting the account, used it to read the employee’s opened and unopened
email—a total of 48,000 emails over an eighteen-month period. After
becoming aware of the supervisor’s actions, the employee changed her Gmail
password and then sued claiming violations of the SCA, among other
things. The employer sought to dismiss the complaint, but was unsuccessful. The court found that the mere fact that the supervisor had used a company-owned
device to access the employee’s email account did not grant him the authority
to do so. It also found that the employee’s inadvertent failure to delete
the account from the phone did not mean she had given implied consent to access
the account, particularly where she believed she had deleted the account and
was unaware of the possibility that others might be able to access it. On
the issue of consent, the court also noted that even if she had been aware that
her emails might be monitored, that implied consent would not have been
unlimited, given that “random monitoring is one thing; reading everything is
another.”
More
recently, in Owen v. Cigna (N.D. Ill. 2016), a court held that an
employee had a viable claim under the SCA where her employer allegedly used her
work computer to access emails from her personal email account. The
employee had left her job and had filed a charge of discrimination for sexual harassment.
In responding to the charge, the employer attached emails that it had obtained
from the employee’s personal email account, but which the employee claimed had
been obtained without her consent. The employer argued that it was
authorized to access the emails, but the court dispensed with this argument
quickly and found that although the employer had the undeniable authority to
access the employee’s work computer after she stopped working, it was not
authorized to access the employee’s personal email account.
Both
of these cases serve as important reminders for employers to consider the
potential privacy of electronic communications when performing workplace
investigations. Although there are certainly steps that employers can
take to reduce any expectation of privacy that employees may have in their electronic communications at
work, employers must also recognize that mere ownership of a computer, tablet,
smartphone, or other electronic device does not provide carte blanche access any account an employee accessed
on the device.
