A recent Ohio federal court decision serves as a reminder that companies need to review their Bring Your Own Devices (BYOD) policies to ensure that employees are adequately informed about the communications that corporate employers can monitor during and after employment.

In Lazette v. Kulmatycki, the U.S. District Court for the Northern District of Ohio ruled that a former employer may violate the Stored Communications Act (SCA) by accessing electronic information through a company-issued smartphone after an employee has left the company. In this case, a former employee alleged that her former supervisor continued to read 48,000 personal e-mails on her company-issued BlackBerry for 18 months after she had turned in the device.

The employee was told that she could use the device for work as well as personal matters. Before she turned in the phone, she deleted her work e-mails, but inadvertently left her personal e-mail account accessible. Her former supervisor continued to read opened and unopened mail until she changed her password.

A violation of the SCA occurs when someone "(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains … access to a wire or electronic communication while it is in electronic storage in such system[.]" The court rejected the defendants' argument that the SCA's congressional intent is to reach computer hackers only. It found that the Act's purpose is generally to "prohibit persons and entities from intentionally accessing electronic data without authorization or in excess of authorization."

The court highlighted that the employee "neither knew nor approved" of her supervisor accessing her personal e-mails. And even if the employee inadvertently left her personal e-mail account accessible, such actions would not establish "implied consent," as the employee was unaware of the possibility that others might access her future e-mails from the account.

The court was careful to distinguish between the employee's e-mail account—which was a "facility" under the SCA—and her computer or BlackBerry, which were not a facility. This ruling is consistent with the Fifth Circuit's recent ruling in Garcia v. City of Laredo.

The court also found that protection under the SCA only extended to personal e-mails that the employee had not opened. E-mails that had been opened and not deleted did not constitute "electronic storage" because they were not being kept "for the purposes of backup protection."  As a result, the supervisor's reading of the previously opened e-mails may not violate the SCA. This finding highlights a current split among the U.S. Courts of Appeals, some of which, including the Ninth Circuit, have held that opened e-mails are protected under the SCA.

The Lazette case is a timely reminder to corporate employers with dual-use policies that employers do not necessarily have unfettered rights to all communications that exist, or may be accessed, through a company-provided device or computer. To the contrary, access to accounts protected under the SCA requires explicit employee consent.

Attorneys in Ballard Spahr's Privacy and Data Security and E-Discovery and Data Management Groups help clients navigate the many laws designed to safeguard private information, and efficiently and strategically manage the electronic discovery process. Attorneys in the firm's Labor and Employment Group assist clients in conducting workplace investigations and in crafting employment policies and practices.

The webinar "Avoiding the Pitfalls of 'Bring Your Own Device' Policies," presented on June 12, 2013, may be of interest. Slides and a recording of the webinar are available for your reference.

For more information, please contact Philip N. Yannella at 215.864.8180 or yannellap@ballardspahr.com, or David S. Fryman at 215.864.8105 or fryman@ballardspahr.com.


Copyright © 2013 by Ballard Spahr LLP.
www.ballardspahr.com
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.

Related Practices

E-Discovery and Data Management
Labor and Employment
Litigation
Privacy and Data Security