A federal court in Maryland recently found that an employer may have violated federal privacy law when it accessed a former employee’s personal emails on Google’s servers after she deleted them from a company mobile phone. In Levin v. ImpactOffice LLC, No. 8:16-cv-02790-TDC, 2017 WL 2937938 (D. Md. Jul. 10, 2017), the court concluded that the plaintiff’s complaint alleged sufficient facts to survive a motion to dismiss.
Background on Levin v. ImpactOffice LLC
Melissa Edwards was a former employee of an ImpactOffice LLC affiliate (Impact). After her resignation, she turned over her company-owned mobile phone, but not before deleting emails from her personal Gmail account that she had kept on that phone. Impact sued her and other employees for breach of their noncompetition agreements, and, in the midst of that litigation, an Impact agent allegedly used Edwards’s company phone to access emails in her personal Gmail account stored on Google’s servers. Her emails included confidential and privileged communications between Edwards and her attorneys.
Edwards sued Impact under the Stored Communications Act (SCA), 18 U.S.C. § 2701 et seq., a federal privacy law allowing for private lawsuits against a person who accesses without authorization “a facility through which an electronic communication service is provided” and thereby obtains access to a wire or electronic communication while it is in electronic storage.
Applying the Stored Communications Act
Under the SCA, electronic storage is (1) temporary, intermediate storage incidental to electronic transmission, or (2) storage for the purposes of backup. The key issue in Impact’s motion to dismiss was whether the emails it accessed were in electronic storage.
Impact argued that the emails did not meet the first definition of “electronic storage” because Edwards had already opened the emails in question, and, therefore, they were not in intermediate storage prior to transmission. The court rejected that argument and found it was reasonable to infer that at least some of the emails were unread, placing them within the first definition of electronic storage.
In response to Impact’s argument that the emails did not meet the second definition, the court reasoned that the emails were kept on Google’s servers for backup purposes, since Edwards had deleted the emails from her phone, and they remained on a server in the event she needed to download them again to another device. Therefore, the court found Edwards sufficiently stated a claim under the SCA and will be allowed to move forward with her suit.
Avoid Using Company-Owned Devices for Personal Communications
In general, employees do not have a right to privacy in their employer-owned work email, which is considered the employer’s property. This case exemplifies some of the privacy issues employees face when using employer-owned devices to access personal email or other accounts.
Employees should be mindful of employer policies about the personal use of company-issued desktop computers, laptops, mobile phones, and other electronic devices. Even where employers permit some personal use, those policies do not necessarily create a legal right to privacy. However, privacy laws around employees’ personal use of company-owned devices and networks are still evolving and vary depending on the jurisdiction. One lesson from the Levin case is that, as a rule of thumb, employees should never send, receive, or store privileged and confidential communications or documents—such as emails exchanged with their attorneys—on their work email accounts, on a company-owned device, or over a company network.
Where Electronic Communications Are Stored Matters
More generally, employees should carefully consider whether to keep personal emails on employer-owned computers and devices, as these may be accessible to employers. While employees may have recourse under the SCA against employers’ accessing personal emails from a third-party server such as Google, the Levin case suggests that personal emails downloaded onto and stored on a company device would not be considered in “electronic storage” under the SCA and, thus, would fall outside the scope of its protection.
In Levin, the survival of the plaintiff’s claim turned on the fact that she deleted her emails from the device, which led the court to conclude that the emails present on Google’s servers were there for the purpose of backup, bringing them within the definition of electronic storage for purposes of the SCA. Where the communications in question are stored is central to determining whether the SCA applies.
For example, in a similar case in California, an employee returned a company-issued iPhone and an iPad without unlinking them from his personal Apple Inc. account. As a result, the company-owned devices continued to receive personal text messages and photographs. The court dismissed the former employee’s SCA claim, however, noting that text messages and photographs stored on the device itself did not fall within the definition of electronic storage because they were neither temporary nor backup files, and there was no allegation that the employer used a network or cellular telephone provider to access his communications. See Sunbelt Rentals, Inc. v. Victor, 43 F. Supp. 3d 1026, 1032 (N.D. Cal. 2014).
Employers Should Not Use Employee Login Credentials without Authorization
Employers will typically face liability under the SCA when they access communications in electronic storage by using the employee’s login credentials without authorization.
For example, a federal court in New Jersey found that an employer violated the SCA when its manager used an employee’s login name and password to access a private MySpace page used by employees to complain to one another about the workplace. See Pietrylo v. Hillstone Rest. Grp., No. 06-5754 (FSH), 2009 WL 3128420, at *2 (D.N.J. Sept. 25, 2009).
Similarly, courts have dismissed employer arguments that employees gave implied consent to access personal accounts when the employees forgot or inadvertently failed to “de-link” access to their personal email accounts when they returned their company devices. In Lazette v. Kulmatycki, a federal court in Ohio found that an employer could have violated the SCA when it accessed and read stored personal emails using an employee’s company-issued BlackBerry after the employee returned the device without deleting access to her personal email account because that failure did not imply she had authorized her employer’s access to over 40,000 private emails. 949 F. Supp. 2d 748 (N.D. Ohio 2013).
State Privacy Laws and Reasonable Expectations of Privacy
Apart from the SCA, employees may have other avenues for recourse, such as various state privacy laws. Those cases raise other questions, such as whether the plaintiff had a “reasonable expectation of privacy” in the area intruded upon or whether the intrusion was one that would be highly offensive to a reasonable person.
In some cases, courts have found an employee has no reasonable expectation of privacy in his Internet browsing history on an employer-owned computer, even where the history reflected a personal email account (though no email content), particularly where the employer had disseminated a computer monitoring policy that emphasized computers are not for personal use and all activity can be monitored. See Thyegson v. U.S. Bancorp, No. CV-03-467-ST, 2004 WL 2066746, at *18 (D. Ore. Sept. 15, 2004).
On the other hand, another court allowed a claim to go to a jury to answer the factual question of whether an employer’s accessing a personal email account by correctly guessing at the password would be highly offensive to a reasonable person and whether a reasonable person would consider a personal email account on a workplace computer to be private. See Fischer v. Mt. Olive Lutheran Church, 207 F. Supp. 2d 914, 928 (W.D. Wis. 2002).
As Levin v. ImpactOffice LLC and other matters demonstrate, privacy law is not changing as rapidly as personal communications technology, and employees need to be aware of the limits of their protections.