It’s time for a roundup of recent Stored Communications Act (SCA) decisions.  The issues addressed in these decisions include: (1) is a company network a “facility” subject to the prohibitions of the SCA; (2) what is “electronic storage”; (3) can there be secondary liability for violating the SCA; and (4) how broadly is “authorization” under the SCA defined.

Is a company network a “facility”?

Freedom Banc Mortgage Services, Inc. v. O’Harra, 2012 WL 3862209 (S.D. Ohio Sept. 5, 2012)

A terminated employee remotely accessed her ex-employer’s company computers to transmit spyware and monitor network communications.  The company sued the ex-employee under the Computer Fraud and Abuse Act (CFAA) and SCA.  (I discussed the CFAA claim in this case in an earlier post.)  The SCA makes it an offense to intentionally access without authorization (or exceed one’s authorization to access) a “facility through which an electronic communication service is provided” and thereby obtain, alter, or prevent authorized access to a wire or electronic communication “while it is in electronic storage in such system.”

The company alleged that its computers are “facilities” because they enable the use of electronic communication services.  The court rejects that interpretation of “facilities.”  Information that an individual stores to his or her hard drive, such as images, personal information and emails that he or she has downloaded, is not in “electronic storage” as defined by the SCA.  The “facilities” the SCA is designed to protect are not computers that enable the use of an electronic communication service, but facilities operated by electronic communication service providers and used to store and maintain electronic storage.  The court dismissed the SCA claim.

(LegalTXT Note: This decision conflicts with a number of other federal district court decision that have held that private servers are within the scope of the SCA)

What is “electronic storage”?

Jennings v. Jennings, 2012 WL 4808545 (S.C. Oct. 10, 2012)

Gail Jennings initiated a divorce proceeding after discovering that her husband (Lee Jennings) was having an affair. Gail’s daughter-in-law (Broome) decided to help Gail by hacking into Lee’s Yahoo! email account to retrieve messages between him and his mistress.  In the lawsuit that followed, the trial court granted summary judgment for the defendants on all claims, including those brought under the SCA.  The court of appeals affirmed except as to the SCA claim against Broome.  The court of appeals found that the emails at issue were in “electronic storage” as defined in 18 U.S.C. § 2510(17), and therefore within the SCA’s prohibition against unauthorized accessing of an electronic communication while it is in “electronic storage.”

The South Carolina Supreme Court disagreed that the emails in questions were in “electronic storage.”  Part of the SCA’s definition of “electronic storage” involves storage of an electronic communication “by an electronic communication service for the purposes of backup protection of such communication.”   The emails in Lee’s account were left on the Yahoo! server after they were opened.  Keeping an email after opening it does not amount to storing it for “backup protection,” the court ruled.

Can there be secondary liability for violating the SCA?

Can a person have secondary liability for violating the SCA, such as by “aiding and abetting” a violation?  A Florida court suggests that the answer is yes, but the federal district court for the District of Columbia says no.

Vista Marketing, LLC v. Burkett, 2012 WL 3860435 (M.D. Fla. Sept. 5, 2012)

Plaintiff’s wife (Burkett) accessed the webmail account of Plaintiff’s company (Vista) to read Plaintiff’s emails so as to gain a strategic advantage in their divorce proceeding.  She did not have authorization to access the Vista email account.  Vista alleged that told her divorce attorney (Park) what she had done, and that Park encouraged Burkett to continue accessing Vista’s webmail account and advised her to compile and print many of the communications for use in the divorce proceeding.  Vista sued Park under Florida common law for conspiracy to violate the SCA.  Park moved to dismiss, but the court denied the motion, holding that Vista adequately alleged facts supporting the conspiracy claim.

Council on American-Islamic Relations Action Network, Inc. v. Gaubatz, 2012 WL 4054141 (D.D.C. Sept. 17, 2012)

Chris Gaubatz obtained an internship with a national Muslim advocacy organization (CAIR-AN) under false pretenses to infiltrate the organization and collect information that would cast the organization in a negative light.  Chris is the son of David Gaubatz, an investigator hired by the Center for Security Policy, Inc. (CSP) and the Society of Americans for National Existence (SANE) as an independent contractor to collect “field data” about CAIR-AN.  Chris was able to collect thousands of documents, which he turned over to David.  David disclosed the stolen information on his blog and in a book he co-authored.  CAIR-AN sued Chris and David, CSP and its employees, and SANE and its employees.  One of the claims in the lawsuit alleged that the Defendants “conspired with” or “aided and abetted” Chris in violating the SCA.

The court concluded that the text of the SCA did not support a theory of secondary liability.  According to the court, the SCA’s “plain language shows that Congress had one category of offenders in mind—i.e., those who directly access, or exceed their authority to access, a facility through which an electronic communication service is provided.”

(LegalTXT Note:  Although Vista Marketing discussed the SCA, the claim at issue there was based on Florida’s common law of conspiracy rather than the SCA itself.  In contrast, Gaubatz squarely involved an SCA claim.)

What’s the scope of “authorization”?

Is after-the-fact authorization effective?

Shefts v. Petrakis, 2012 WL 4049509 (C.D. Ill. Sept. 13, 2012)

There is an exception to the SCA’s prohibitions for conduct authorized by the entity providing the electronic communication service that was accessed.  But what if the authorization was provided after there has already been access?  Is authorization effective if it is given after the fact?

The answer is yes, according to the court in Shefts.  (Some of the facts relevant to the case are supplied by an earlier published decision, Shefts v. Petrakis, 758 F. Supp. 2d 620 (C.D. Ill. 2010).  Access2Go, Inc., a telecommunications company, initiated a program to monitor the email and texting activity of its president after learning of concerns that he was sexually harassing Access2Go employees and violating his fiduciary duties.  As part of the monitoring program, a shareholder and member of the Access2Go board of directors (Petrakis) accessed Shefts’ company email account.  The board appointed Petrakis as its liaison of security.  Petrakis collected emails allegedly showing Shefts engaged in sexually harassing behavior and other improper acts.  Based on this and other evidence, the board suspended Shefts and recommended his termination.

When Shefts sued the board members under the SCA, the board members countered that the company had authorized access to his email account.  Since Shefts’ company email account was maintained by and resided on Access2Go’s servers, Access2Go could legitimately authorize access to the account.  The question is, when did Access2Go give the authorization?  The board never voted to allow an employee to access another employee’s computer.  However, the board members were aware that Petrakis had accessed Shefts’ company email account, and they relied on the emails that Petrakis collected in suspending Shefts and recommending his termination.  Based on these facts, the court concluded that the board had “ratified” Petrakis’ actions, and such ratification qualified as “authorization” under the SCA.

You’re in, now what?

Cheng v. Romo, 2012 WL 6021369 (D. Mass Nov. 28, 2012)

Just because the owner of an email account gives you permission to access his account doesn’t mean you are “authorized” to read every email in there.  In Cheng, the plaintiff (Cheng) and the defendant (Romo) and her husband worked for a medical imaging company.  Cheng maintained a Yahoo! email account while working at the company, the password for which he shared with Romo.  Although Cheng never qualified Romo’s access to his email account in any way, never stated a time limit on his grant of access to Romo, and never changed his password during the relevant time, his purpose in sharing his email account was to enable Romo to review radiologic images for their work.  Romo testified that she would check Cheng’s email account to read consultant reports that radiologists emailed to Cheng.  Initially, Romo did not look at any personal items in Cheng’s email account.  But after Romo and her husband’s relationship with Cheng and others at the company deteriorated—leading ultimately to their separation from the company—Romo accessed Cheng’s account to find out about the state of the company.  Romo shared with her husband the emails she printed from Cheng’s account.  Cheng sued Romo for violations of the SCA and invasion of privacy under Massachusetts law.

The court denied Romo’s motion for summary judgment as to both claims.  Regarding the SCA claim, the court found genuine issues of material fact as to whether Romo had authorization to access Cheng’s email account.  The fact that Cheng had given Romo his password years earlier was not determinative, given the context in which the password was given and the later use that Romo made of it.  It was up to the factfinder to look at the circumstances in which the password was given and to determine whether Romo was authorized, or exceeded her authorization, to access Cheng’s email account, the court said.

As for the privacy claim, the court held that it was cognizable, but there were genuine issues of material fact concerning whether Cheng had a reasonable expectation of privacy in his email messages and whether Romo’s actions interfered with Cheng’s privacy.

(LegalTXT Note: The court in Cheng noted that the term “authorization” in the SCA could have analogous meaning as the same term in the CFAA.  The court summarized the different approaches court take in defining the term in the context of the CFAA, including those finding “authorization” where there was no breach of technical barriers to access, and those finding no “authorization” where permission to access was granted but the information collected via such access was misused (see my post on Wentworth-Douglass Hosp. v. Young & Novis Prof’l Ass’n, 2012 WL 2522963 (D.N.H. June 29, 2012), a case the Cheng court cites).  Ultimately, the court does not indicate which approach it adopts, although its summary judgment ruling suggests that it considers the purpose behind the grant of access, and not the mere grant of permission itself, relevant to determining the existence of authorization.)

California federal court finds no CFAA violation for disseminating software updates obtained from subscription to software support service, and requires fraud-based CFAA claims to be pled with particularity Oracle America, Inc. v. Service Key, LLC, 2012 WL 6019580 (N.D. Cal. Dec. 3, 2012).

Oracle, a supplier of enterprise hardware and software systems, was dealt a setback in its efforts to combat software piracy using the Computer Fraud and Abuse Act (CFAA).  Oracle customers can buy an annual contract for technical support services including the ability to download software updates from Oracle’s support websites.  Access to Oracle’s support websites requires a login and password, which are provided to purchasers of the optional support service.   Under the Terms of Use for the support websites, only users who have a support agreement with Oracle are authorized to receive software updates.

DLT was a member of the Oracle Partner Network (OPN), a program for third party companies interested in reselling Oracle hardware and software.  To facilitate their role as resellers, OPN members receive login-in credentials to access Oracle’s support websites.  Oracle alleged that DLT fraudulently used its access to obtain Oracle’s proprietary software patches and updates, which DLT then provided to its own customers.  Oracle further alleged that DLT gave its access credentials to Oracle’s websites to “unwitting third parties” (apparently including the Navy and FDA) who were unaware that DLT lacked authorization to do so.  Oracle sued DLT under numerous theories, including violations of the CFAA.

Certain CFAA claims alleged that DLT “exceed[ed] authorized access” in obtaining information from Oracle’s support systems.  The court agreed with DLT that dismissal of such claims was required under United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc).  In Nosal, an en banc panel of the Ninth Circuit ruled that misuse or misappropriation of information to which one has authorized access does not violate CFAA provisions based on access to a computer “without authorization or exceeding authorized access.”  Oracle’s complaint alleged that DLT used its access credentials for an unauthorized purpose (although Oracle apparently tried to distinguish Nosal by re-characterizing the complaint in subsequent briefing as alleging that DLT accessed Oracle’s websites without authorization).  That’s precisely the kind of conduct that Nosal said was not actionable under the CFAA, the court ruled.  However, DLT could still be liable under the CFAA for trafficking passwords to Oracle’s  support sites because such a claim is not based upon unauthorized access to a protected computer.

Oracle also ran into trouble with the requirement in Rule 9(b) of the Federal Rules of Civil Procedure that claims alleging fraud or mistake to be pled with particularity.  One of Oracle’s CFAA claims alleged that DLT “knowingly and with intent to defraud . . . exceed[ed] authorized access, and by means of such conduct further[ed] the intended fraud . . . .”  18 U.S.C. § 1030(a)(4).   The court concluded that the claim was “grounded” or “sounded” in fraud and thus subject to Rule 9(b).  Oracle did not adequately detail its fraud to meet the Rule 9(b) pleading requirement.

The one bright spot for Oracle in the decision was the court’s rebuff of DLT’s argument that Oracle did not properly allege damages.  Oracle alleged that it incurred costs as a result of investigating and conducting a damage assessment in response to DLT’s actions, and the court found that enough to satisfy the damage requirement.  The court also rejected a similar argument that Oracle did not sustain damages in excess of $5,000.  That argument referred to the fraud-based CFAA violation, an element of which is that the fraud resulted in the defendant obtaining “anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period[.]”  18 U.S.C. § 1030(a)(4) (emphasis added).  The $5,000 threshold is not meant to be a measure of damages, the court held.  Rather, the threshold refers to the value of the computer use relevant in determining whether a CFAA violation exists.  In any event, the court said, Oracle did allege that DLT obtained something of value, i.e., its software.

LegalTXTS Lesson:  If you’re in the Ninth Circuit, recovery under the CFAA for illicit use or dissemination of proprietary computer information is a challenge.  Liability for hacking into a computer system is well-established, see Mintz v. Mark Bartelstein & Associates, Inc., 2012 WL 5391779 (C.D. Cal. Nov. 1, 2012), and so is giving away passwords to protected sites as the Oracle decision teaches.  Asking permission to access your work computer “one last time” to delete personal files before switching jobs and then downloading a bunch of proprietary data also will get you in trouble (see Weingand v. Harland Financial Solutions, 2012 WL 2327660 (N.D. Cal. June 19, 2012), and my post on it here).

When it comes to misuse or misappropriation of information that was obtained with authorized access, however, Nosal makes it pretty clear that’s not a violation of the CFAA.  The Oracle decision follows that rule.  Other circuits, like the Third Circuit, go the opposite direction—hence decisions like Synthes, Inc v. Emerge Medical, Inc., 2012 WL 4205476 (E.D. Pa. Sept. 19, 2012), which held that it is a violation of the CFAA to induce employees of a competing company who have authorized access to the company’s computer system to download proprietary information and give it to you (see my post on it here).

Sutton v. Bailey, 2012 WL 5990291 (8th Cir. Dec. 3, 2012), is the latest reminder that private Facebook postings can lead to professional consequences.   Sutton was hired as a Funeral Science Director at Arkansas State University–Mountain Home for the 2010-11 academic year.  His employment contract provided that he could be terminated at any time “for adequate cause.”  A month after Sutton got hired (but apparently before he began teaching), he posted on his Facebook page: “Toby Sutton hopes this teaching gig works out.  Guess I shouldn’t have cheated through mortuary school and faked people out.  Crap!”

University officials somehow learned about the post and asked to meet with Sutton about it.  At the meeting, the university’s vice-chancellor (Bailey) and director of instruction (Thomas) confronted Sutton with the post.  He admitted to making the post.  Bailey then told Sutton that he was fired.  Sutton asked if it mattered that the statement was a joke, and that he posted the statement before he began teaching.  Baily replied “no” to both questions.  Sutton then received an Employee Counseling Statement form stating that he was being dismissed for an incident of “Academic Fraud and unprofessional conduct.”  The “Supervisor Statement” portion of the form explained: “Mr. Sutton posted material on Facebook indicating he had ‘cheated’ his way through mortuary school.  There are multiple other class related issues.”  Bailey told Sutton he had an opportunity to make a statement before signing the form.  Sutton declined and signed the form without further comment.  Sutton later sued Bailey and Thomas in their individual capacities, alleging that he was deprived of procedural due process in connection with his firing.

The bulk of the Eighth Circuit Court of Appeals’ opinion addressed the defendants’ defense of qualified immunity, which the court found to have merit.

LegalTXT Lesson: This case has two important, if obvious, takeaways.  First, employees need to remember that whatever content they share on their private social media networks could come back to haunt them professionally.  Employees need to be reminded constantly that social media blurs the line between personal and public, private and professional.

Second, Sutton answers a question I often get asked by employers: Can employees be disciplined or even terminated for their private social media conduct?  The answer is yes.  (For another example, read my post on the Careflite case, which recently settled).  There are limits, of course (and the NLRB Acting General Counsel has waxed long about many of them), but there are circumstances in which it is proper to discipline or terminate an employee for his or her private social media activity.  Now, it would help greatly if an employer sets standards of employee conduct clearly identifying the kinds of social media conduct that could lead to adverse employment action.  We don’t know what was in the employee handbook of the university in this case, but a rule that could’ve come in handy is one instructing faculty members not to endorse or make light of academic dishonesty.

An NLRB administrative law judge ruled on November 28 that a union did not engage in unlawful labor practices by failing to disavow threatening comments posted on its Facebook page.  In addition to finding that the Facebook page was not an extension of the picket line, the judge concluded that, under Section 230 of the Communications Decency Act (CDA), the union was not responsible for the comments posted on the page.  The case is Amalgamated Transit Union, Local Union No. 1433 v. Weigand, 28-CB-78377 (NLRB Nov. 28, 2012).   (Read the decision here)

A union representing public bus drivers went on strike.  Several months earlier, the union set up a Facebook page, which the union’s vice-president administered.  The union accepted “friend requests” only from union members in good standing.  Friends of the union Facebook page could see messages posted on the union’s “wall” and “like” such posts.

Shortly before and during the strike, union members posted comments on the union’s Facebook page threatening retaliation against workers who crossed the picket line.  The comments threatened less favorable union representation for those crossing the line, more aggressive reporting of workplace violations against line-crossers, and even violence.  Several comments suggested that line-crossers would be physically beaten.  Another comment announced the location where employer’s replacement drivers were allegedly being housed, to which a rank-and-file member commented: “Can we bring the Molotov Cocktails this time?”  At least one other union member “liked” this comment.

The NLRB Acting General Counsel issued a complaint alleging that the union violated Section 8(b)(1) of the Act by failing to disavow the threatening comments.  Rather than alleging that the members posting comments acted as the union’s agents, the Acting General Counsel relied on the theory that a union is responsible for the coercive acts of its pickets on a picket line when the union fails to take corrective action or disavow the actions.  The Acting General Counsel argued that the union’s Facebook page is an “electronic extension” of the picket line.

The judge rejected the “electronic extension” theory, noting initially that the Facebook page existed well before the picket line.  Moreover, unlike a picket line, a Facebook page does not force union members to make a public and immediate decision to cross the picket line.   The Facebook page did not serve to communicate a message to the public, as it is private in nature.

In a somewhat surprising twist, the judge further ruled that the CDA immunized the union from liability for the comments on its Facebook page–an argument neither side had raised.  Often invoked in online defamation cases, Section 230(c)(1) of the  CDA states that  “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided.”  The judge regarded the union as merely the “provider” of the Facebook page, not the “publisher or speaker” of the comments posted on the page by its rank-and-file members.  Thus, the union itself could not be held liable for the comments posted on the page.

Cyberbullying is a problem not just for students, but school workers as well (see my post on the R.S. v. Minnewaska Area School District No. 2149 case).  To address that problem, North Carolina recently passed a law banning students from bullying school workers online.  An expansion of North Carolina’s existing anti-bullying law, the 2012 School Violence Prevention Act is the first in the nation to make cyberbullying of school workers a crime.  The 2012 law criminally penalizes public school students who use a computer or computer network with “intent to intimidate or torment a school employee” by:

  • building a fake profile or web site
  • posting or encouraging others to post on the Internet private, personal, or sexual information about a school employee
  • posting a real or doctored image of a school employee on the Internet
  • tampering with a school employee’s online network, data, or accounts
  • using a computer system for repeated, continuing, or sustained electronic communications (including email) to a school employee

The new law also prohibits students from signing up school workers to pornographic websites or spam mailing lists, or making any statement, whether true or false, intending to provoke another person to stalk or harass a school worker.  The law went into effect on December 1.

The ACLU of North Carolina has criticized the law as overbroad, and announced plans to file a lawsuit challenging it.