Earlier this week the South Carolina Supreme Court ruled that accessing another person's online (personal) email is not a violation of the federal Stored Communications Act (the Act and the Wikipedia summary). This holding is in direct opposition to what the Ninth Circuit Court of Appeals held in 2004 in Theofel v. Farey-Jones.
At the outset you should keep in mind that this is a civil case, which differs from a criminal case. In this post we are looking at solely the Stored Communications Act ("SCA"), and a limited aspect thereof.
Facts of This Case
The facts of this case, Jennings v. Jennings (PDF link) are actually pretty surprising, considering the outcome. A wife suspected that her husband was carrying on an affair. The daughter-in-law, with more free time than common sense, could not resist inserting herself into the situation and accessed the husband's Yahoo! account by guessing his secret questions. Soon thereafter emails between the husband and the girlfriend were found and became what divorce attorneys refer to as "leverage."
The husband would have none of this, and brought several causes of action against the soon-to-be ex-wife, her attorney and his private investigator, including the SCA. The lower court dismissed all counts against the defendants, the appeals court overturned the lower court decision with respect to violations of the SCA, and the Supreme Court of South Carolina took up the appeal.
The court focused on the definition of "electronic storage" under the SCA:
- any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and
- any storage of such communication by an electronic communication service for purposes of backup protection of such communication.
The justices advanced two theories in arriving at the same conclusion. On the one hand, some justices held that because the husband did not download any copies of the email (he read and left the "original" copy on Yahoo's servers), the second component of the definition was not satisfied. They wanted to see two copies of the same email, and storing the email on the server was not the intended "backup" under the SCA.
The one other justice read an "or" between (A) and (B) of the definition, concluded that transmission of the email for viewing was not sufficient storage, and otherwise held that there was no backup of the email. These facts satisfied neither (A) nor (B).
Now I am Confused
This decision leaves an obvious split in the courts with respect to the SCA, which should be addressed by amending the legislation or by the United States Supreme Court. Ars Technica has an excellent article here discussing the case in more detail and offering more insight into how to correct this split. The article is a great read if this topic is of interest to you.
Unfortunately, there are no clear answers and accessing another person's email remains a very, very dangerous activity.
How Relevant to You
Why does this matter for your business?
CEO: We just let Johnson go, and I think he uploaded trade secrets to his personal email.
General Counsel: We need some reasonable basis to accuse Johnson of this.
CEO: I don't know why I hired you.
(Calling the IT guy)
CEO: Bill, give me Johnson's computer password.
Bill: It is iLovePonies44.
(CEO accesses the machine, finds that Johnson is still logged into Gmail, finds evidence that trade secrets were uploaded by Johnson to his personal email account. CEO calls the General Counsel.)
CEO: Ted, I caught Johnson red-handed. Johnson sent emails with our customer lists and contact information to his personal email account.
General Counsel: Unbelievable. How did you find out?
CEO: He left his Gmail open on his work computer.
General Counsel: I don't think you can read his personal email. Let me check with outside counsel.
Outside Counsel: It is dangerous and may violate federal law.
CEO: You are both fired.
The South Carolina decision throws some doubt on the above conclusion, and on some level these hypothetical facts are not as nefarious as the Johnson case because there was no password guessing/hacking.
Before, if an employee had downloaded mail to a mail client resident on her computer (e.g., POP3 or IMAP), the issue was much clearer because the correspondence was deemed abandoned (it was not a complete green light, but things looked better for the non-account owner). Webmail, by definition, completely changes the above analysis (or so we thought). The information is stored on the mail provider's servers, always accessible and never downloaded unless a mail client is used.
This decision should not be viewed as the only obstacle to accessing an employee's personal email. Putting the ethical issues aside, there are many laws lurking for the unwary. The point really is that the SCA is a bit of a mess in this regard, and like many laws touching the online world is in need of some freshening up to deal with current technology.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.