Too Creepy to Win: Employer Access to Employee Email

Employee accesses her personal, web-based email account, such as G-Mail, from her employer’s computer. As a result, employer has access to the account. Employee resigns and sues the employer alleging unlawful discrimination, harassment, or other employment-related claim. May the employer lawfully access the emails sent by the employee that are now available via the employer’s computer?

It depends, of course. (You didn’t really think I was going to give you a straight yes or no, did you?)email_3

There are a number of factors that go into answering this question. And, although it’s tempting, I’m not going to discuss all of them here. Instead, I am going to discuss a case from a federal court in Ohio that involves some similar-and some different-facts with an important lesson for a holding.

The case is Lazette v. Kulmatycki. The employee-plaintiff, Lazette, alleged that she was issued a Blackberry by her employer, a Verizon affiliate. Lazette claimed that she was permitted to use the phone to access both her work and personal email accounts. She alleged that, at the end of her employment, she turned the phone in to her supervisor, defendant Kulmatycki. At that time, she believed she had disconnected access to her personal G-Mail account.

As it turns out, claims Lazette, she hadn’t. And, for the next 18 months, her former supervisor read “48,000 emails” sent to Lazette’s G-Mail account.

Yikes.

Lazette, not surprisingly, sued the supervisor and her former employer for a variety of privacy-related claims. Somewhat surprisingly, at least to me, the employer moved to dismiss the claims. A motion to dismiss, at least ’round these parts, is a tough motion to win. The standard is very much in the plaintiff’s favor and, unless there’s really nothing in the complaint that resembles a valid claim, the court is likely to deny a motion seeking dismissal prior to discovery.

But that’s what the employer did. As a result, we get the benefit of the court’s analysis of a question not often addressed in written decisions.

The most interesting part of the analysis to me is the part discussing the plaintiff’s Stored Communications Act (SCA) claim. The plaintiff asserted that the supervisor and employer violated the SCA when the supervisor accessed the plaintiff’s personal email without authorization.

Although the SCA is a tremendously complicated statute that has been interpreted in more ways than I can count, it seems to easily apply to the facts alleged here. In the simplest terms, the SCA is violated when an individual accesses without authorization an electronic communication in storage.

Surely the employee’s emails constitute electronic communication. Surely they were in storage-the complaint did not allege that the defendants intercepted the emails while they were being transmitted. The complaint alleges that the supervisor read the emails once they’d reached the plaintiff’s G-Mail account. So the question, then, is whether the supervisor was an “authorized user” under the statute.

Folks, let me offer a humble thesis here. If it sounds “bad,” meaning that it is likely to give most people the creeps, the courts will apply the law to remedy that bad act. In other words, a defense of “but the law does not prohibit me from being a slimy character” should be a defense of last resort.

Now, don’t get me wrong-that was not the defense asserted in this case. But it was close. In their motion to dismiss, the defendants argued that the supervisor was “authorized” to access Lazette’s email account because, for example, she failed to properly delete the account from her phone before turning it in. They also argued that she failed to tell them not to access her personal emails during the 18 months following the end of her employment.

Both of these constitute what I like to call a “blame-the-victim” defense. This, too, should be considered a defense of last resort.

At the end of the day, the court was faced with allegations (which the court, at this stage, must take as true), that an employee’s former supervisor essentially spying on the former employee by reading her personal email without her knowledge or consent. And he did so for a year and a half.

It’s creepy. It may not be true. But, as pleaded, it sounds creepy. With allegations like this, it’s hard to imagine that a motion to dismiss would be successful. And it wasn’t.

Now, that doesn’t mean that the employer is lost at sea. The employee still must prove damages, for example. Oh, wait, no it doesn’t. Even if the plaintiff cannot prove actual damages and, therefore, is not entitled to recover statutory damages, she may still be entitled to an award of punitive damages. At least that’s what the Fourth Circuit held in 2009 in Van Alstyne v. Electronic Scriptorium, Ltd., when it upheld an award of punitive damages to an employee whose former employer accessed the employee’s AOL account in search of evidence in defense of the employee’s harassment lawsuit.

I’m all for silver linings but they may be difficult to find in this case.  Just remember, if the alleged conduct gives you the creeps, it’s probably a good idea to consider whether settlement discussions aren’t in order.

Lazette v. Kulmatycki, No. 12-2416 (N.D. Ohio June 5, 2013).

See also

Lawful Employer Investigations of Facebook . . . Sort Of

Employers, Facebook, and the SCA Do Not a Love Triangle Make

Contact Information