Employer Liability for Accessing Employee’s E-Mails

When a former employee sues his former employer, an immediate issue of concern is how to preserve all electronically stored information (ESI) that may be relevant to the claim. Failure to do so may result in a claim of spoliation, sanctions against the employer and its legal counsel, or even an adverse ruling. Good employment counsel understands these consequences and how to avoid them in the first instance.

One of the most common steps is to have the employee’s computer forensically imaged by an expert. The expert will also preserve the employee’s company e-mail account. But this does not address the possibility that the employee may have sent e-mails from his work computer via a web-based e-mail service, such as Yahoo or G-mail. The law is not clear on this point and the defensibility of this practice can vary depending on the content of the e-mails—which, of course, the employer will not know until it looks.

There are several laws that employers risk violating by accessing an employee’s “personal” or web-based e-mail account. The federal Stored Communications Act is one such law and is the one that seems to result in more liability than others. A decision from late last year provides a recent example.

In Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, two employees prepared to open a competing fitness center with their then-employer. One of the employees quit and the other was fired. After the second employee was terminated, the employer accessed and printed emails from his web-based e-mail accounts. Although it was a disputed issue, the employer claimed that the employee had saved his username and password to the employer’s computer system.

The employer filed suit in New York state court to enforce a non-compete agreement and prevent the employees from opening their competing business. The court denied the request for an injunction and the employees removed the case to federal court, where they brought a counter-claim against the employer based on the allegedly improper access of the e-mails. At the request of the employees, the court ordered the employer to return all e-mails and prohibited their use in the case.

The court’s decision was based on its finding that the employer’s access of the employee’s emails violated the Stored Communications Act (SCA), which prohibits unauthorized access of e-mail correspondence that has been saved or stored once sent (among other things). The employees were awarded damages in the relatively small amount of $4,000 but I’m sure this felt like anything but a victory for the employer. The employer contended that it had done nothing wrong even if it had accessed the e-mails—they were, after all, stored on the employer’s computers, along with the username and password to access them. Worse yet, the e-mails supported the employer’s claim that the employees had been preparing to compete during their employment and had gone on to open a competing business.

The lesson from this case and the others like it is to be extremely cautious when deciding whether you may lawfully access an employee’s personal e-mails. Additionally, employers should revisit their computer-usage policies to make sure that the language is crystal clear that employees should not expect that their use of company computers will be considered private—including all Internet activity and, specifically, web-based e-mail accounts to the extent they are accessed via the employer’s computer.

Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, No. No. 08 Civ. 4810 (THK) (S.D.N.Y. Dec. 22, 2010).

[Thanks to Venkat and his post on the Technology and Marketing Law Blog for bringing this case to my attention.]

Updated:

One response to “Employer Liability for Accessing Employee’s E-Mails”

  1. ACU Frank says:

    Our Electronic Communications Policy – signed by each employee at the time of hire and annually thereafter – is crystal clear concerning the absolute lack of privacy for e-mails. My concern is whether we can expect that policy to hold up if we scrutinize e-mails from personal accounts. Our policy says we can – does that make it so?

Contact Information