Problem solve Get help with specific problems with your technologies, process and projects.

Stored Communications Act ruling muddles business online data privacy

A state supreme court decision addressing webmail hacking under the Stored Communications Act affects email privacy and the ability to sue hackers.

Under some circumstances, one may access another person's webmail without authorization and face no legal liability under the federal Stored Communications Act (SCA)[1], according to South Carolina's Supreme Court in the recent case Jennings v. Jennings.

Organizations that provide webmail accessibility or otherwise store information in the cloud may find that Jennings causes more harm than good.

As a result of this ruling, there may be a need for enterprises to revisit the security and privacy of company, user and customer data that resides in cloud-based email systems, such as those offered by Google and Yahoo, and even possibly cloud-based document storage and editing services. Similarly, the ruling may suggest companies have greater legal leeway to access personal employee email in the course of an investigation. In this tip, we'll examine the South Carolina ruling and the potential data privacy implications for enterprises.

Jennings v. Jennings explained

Jennings arose from a divorce case, in which the wife enlisted the help of a relative to access her husband's webmail, which she believed would reveal the details of an affair. The relative was able to guess the answers to the husband's account security questions, and thereby gain access to emails indicating an affair. The relative printed the emails and gave copies to the wife's attorney and private investigator. When the husband learned of the hacking, he sued the wife's relative in state court for violating the SCA. The case made its way to the state Supreme Court, where the sole issue on appeal was whether the emails at issue were in "electronic storage."

The SCA is a federal law passed in 1986 that prohibits an individual from accessing an electronic communication without authorization while it is in "electronic storage." Under the SCA, that means "(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for the purposes of backup protection of such communication."[2]

The meaning of this less-than-clear definition was the focus of the court's opinion. The statute obviously was not written with cloud-based email in mind, but it still applies to it. While the holding only clearly applies to webmail services (like Gmail and Yahoo! Mail) involving similar facts, it is conceivable that the Jennings opinion could also apply to company-hosted, cloud-based messaging and email systems. Because other portions of the SCA that involve other definitions likely cover storage of documents (as opposed to communications) in the cloud, the Jennings opinion probably is inapplicable in those circumstances.

The case was decided by a plurality, meaning that the justices could only reach a majority consensus as to the ultimate outcome, but not the rationale, for the decision. Under the two dominant rationales, the emails were not protected by the SCA either because there was no "backup" of the message (the copies of the messages stored in Yahoo's system were the primary and only copies), or because once the husband accessed the email, it was no longer in "temporary, intermediate storage" (as the message was opened, but left to reside in the system). Since the emails accessed by the wife were not in "electronic storage," the wife's accessing of those emails, even when unauthorized, was not a violation of the SCA.

The Jennings opinion establishes a split with the U.S. Court of Appeals for the Ninth Circuit's 2004 opinion in Theofel v. Farey-Jones[3], which found that emails that had been received, read and left on the server were stored "for purposes of backup protection" and therefore within the ambit of the SCA. As highlighted by the Jennings opinion, several district courts also interpret the SCA differently.

Theofel v. Farey-Jones

Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004). In the absence of U.S. Supreme Court authority to the contrary, the Ninth Circuit Court of Appeals' interpretations are binding on federal courts in Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon, and Washington, as well as the territories of Guam and the Northern Mariana Islands.

Email data privacy ramifications for enterprises

Significantly, in the business context, at least in South Carolina, a company might rely on the case to investigate employee misconduct, like the theft of trade secrets, by accessing an employee's personal email account and reading emails that had previously been viewed. Under Jennings, assuming the same factual scenario, this conduct would not appear to result in legal liability under the SCA.

However, companies probably should not rely on Jennings too heavily in deciding whether to access employees' personal email. First, by its nature, it applies only to cases litigated in South Carolina state courts (most cases under the SCA are decided in federal court). In particular, the interpretation of "electronic storage" in Jennings departs from the interpretation by the federal Ninth Circuit. Second, a company engaging in such activity could still be sued for hacking or online data privacy violations under other statutes, such as the Computer Fraud and Abuse Act (CFAA), and the Wiretap Act, or even common law torts such as invasion of privacy.

On the flipside, organizations that provide or use webmail may find that Jennings causes more harm than good: If a company's computers or email accounts are hacked, for example, it may not be able to sue the hacker under the SCA. This is unfortunate because the SCA does not require a company to prove any amount of damages and, thus, would seem to eliminate an option for legal reprieve in cases where hackers maliciously gain access to electronic communications. The CFAA, another statute commonly used against hackers, requires a company to allege at least $5,000 in damages. Thus, if a company that was hacked cannot properly allege that it suffered $5,000 in damages, its options for redress under federal law may be greatly limited.

Given the split of interpretation, the U.S. Supreme Court may ultimately wind up weighing in on what protections stored emails have under the SCA. Alternatively, Congress may step in and amend the SCA for modern times, and many have called for that. Until then, the legal protection -- or lack thereof -- for stored communications will remain murky, and legal counsel should be consulted before engaging in any activities similar to those described in Jennings.

About the authors:
David Navetta is an attorney and founding partner with InfoLawGroup LLP, a national law firm specialized in privacy, security, technology, media, advertising and intellectual property law. Andrew L. Hoffman, an attorney and counsel at the firm, works with in-house counsel and business leaders to address legal requirements and best practices for the protection of personal information.

[1] 18 U.S.C. § 2701(a)
[2] 18 U.S.C. § 2510(17) (emphasis supplied)
[3] 359 F.3d 1066 (9th Cir. 2004).



This was last published in January 2013

Dig Deeper on Information security laws, investigations and ethics

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.