Employees regularly use their employer's computer systems to plan their exits and to organize competing entities or efforts. Employers, desirous of taking immediate action to protect their legitimate business interests, must be careful when investigating a former employee's conduct, including his computer activity, so that they do not violate any justifiable expectation of privacy the employee may enjoy. Otherwise, the employer might find itself on the wrong side of a lawsuit, as did the employer in the following reported case.
Alexander Fell ("Fell") was hired by Lauren Brenner ("Brenner"), the principal and owner of Pure Power Boot Camp ("PPBC"), one of the plaintiff corporations ("Plaintiffs"), in August of 2005. Fell worked at PPBC, a physical fitness center, until March 16, 2008, when Brenner fired him. Shortly thereafter, Fell, together with Rubin Belliard ("Belliard"), another former employee, opened a competing fitness center, Warrior Fitness Boot Camp ("WFBC").
After Fell and Belliard left PPBC, Brenner, on April 28, 2008, and for a week thereafter, accessed and printed e-mails from three of Fell’s personal accounts, including a Hotmail account.
The e-mails provided a detailed picture of Fell’s and Belliard’s efforts to set up WFBC before they left PPBC, including e-mails which evidenced a dramatic expansion of WFBC’s customer list, and included a large number of former PPBC clients and their e-mail addresses, which Plaintiffs relied upon to show that Belliard stole PPBC’s client list. Plaintiffs have relied heavily upon the e-mails and have considered them critical to their case.
Brenner stated that she was able to access Fell’s Hotmail account because he left his username and password information stored on PPBC’s computers, such that, when the Hotmail website was accessed, the username and password fields were automatically populated. Fell admitted that he accessed his Hotmail account while at work at PPBC, which is how his username and password came to be stored on PPBC's computers; however, Fell stated in an affidavit that all of the e-mails were drafted or received on his own home computer, and claimed that he never did any work related to WFBC while he was at PPBC or on PPBC computers.
PROCEEDINGS
Plaintiffs brought this action seeking an injunction and damages, accusing Fell, Belliard and WFBC (collectively, the "Defendants") of (1) stealing Plaintiffs’ business model, customers, and internal documents, (2) breaching employee fiduciary duties, and (3) infringing Plaintiffs’ trademarks, trade-dress, and copyrights. This article only discusses Defendants’ motion to preclude the use or disclosure of 34 of Fell’s e-mails, obtained by Brenner, claiming, among other things, violation of the Stored Communications Act ("SCA").
THE STORED COMMUNICATIONS ACT
The Stored Communications Act ("SCA"), part of the Wiretap Act, provides in part:
(a) Offense.-Except as provided in subsection (c) of this section whoever-
(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
(2) intentionally exceeds an authorization to access that facility;
and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished as provided in subsection (b) of this section. (emphasis added).
The SCA "aims to prevent hackers from obtaining, altering or destroying certain stored electronic communications." Thus, a person violates the SCA if he accesses an electronic communication service, or obtains an electronic communication while it is still in electronic storage, without authorization. "Electronic storage," defined in an earlier part of the Wiretap Act, is: "(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication ..." The majority of courts which have addressed the issue have determined that e-mail stored on an electronic communication service provider’s systems after it has been delivered, as opposed to e-mail stored on a personal computer, is a stored communication subject to the SCA.
In this case, Brenner obtained Fell’s username and password to his Hotmail account because he left that information stored on Plaintiffs’ computers. Brenner then used that information to go into Fell's Hotmail account, and read and printed his e-mails. Some of those e-mails may have been read by Fell while he was at work, but there is no evidence indicating which e-mails he may have viewed on PPBC's computers, and there was no evidence that the e-mails were downloaded onto PPBC’s computers.
In any event, Brenner did not use an examination of PPBC’s computer’s memory to determine what Fell accessed at work. Instead, she logged directly onto Microsoft’s Hotmail system where the e-mails were stored, and viewed and printed them directly off of Hotmail’s system.
Thus, Brenner accessed an electronic communication service, and she obtained Fell’s e-mails while they were in storage on those service providers’ systems. Either of those actions, if done without authorization, would be a violation of the SCA.
Plaintiffs argued that Brenner was authorized to view and print Fell’s e-mails, and asserted two theories in support of this position. First, Plaintiffs claimed that PPBC’s e-mail policy put Fell on notice that his e-mails could be viewed by Brenner, and thus he had no expectation of privacy in his Hotmail account. Defendants responded by denying that Fell gave PPBC, or any of its agents or employees, authorization to access his e-mail accounts.
PPBC’s Employee Handbook explicitly addressed e-mail access on company computers:
"e-mail users have no right of personal privacy in any matter stored in, created on, received from, or sent through or over the system. This includes the use of personal e-mail accounts on Company equipment. The Company, in its discretion as owner of the E-Mail system, reserves the right to review, monitor, access, retrieve, and delete any matter stored in, created on, received from, or sent through the system, for any reason, without the permission of any system user, and without notice." (emphasis added)
An additional part of the policy stated: "Internet access shall not be utilized for shopping or for conducting other transactions or personal business matters."
The Court was of the opinion that Plaintiffs’ position was not supported by PPBC’s policy. PPBC’s e-mail policy – the basis of Plaintiffs’ defense – was, by its own terms, limited to "Company equipment." The reservation of rights was explicitly limited to "any matter stored in, created on, received from, or sent through [PPBC’s] system." Therefore, it could not apply to e-mails on systems maintained by outside entities such as Microsoft or Google. In addition, there was no evidence that the e-mails in issue were created on, sent through, or received from PPBC’s computers.
This is not a case where an employee was using an employer’s computer or e-mail system, and then claimed that the e-mails contained on the employer’s computers were private. Here, the employee – Fell – did not store any of the communications which PPBC sought to use against him on PPBC’s computers, servers, or systems; nor were they sent from or received on PPBC’s e-mail system or computer. These e-mails were located on, and accessed from, third-party communication service provider systems. There wasn’t even an implication that Fell’s personal e-mail accounts were used for PPBC work, or that PPBC paid or supported Fell’s maintenance of those accounts, which served as a back-up for work-related communications.
Furthermore, there is nothing in the PPBC policy that even suggested that if an employee simply views a single, personal e-mail from a third-party e-mail provider, over PPBC computers, then all of his personal e-mails, on whatever personal e-mail accounts he uses, would be subject to inspection. In short, the facts of this case are distinguishable from those cases which hold that employees have no expectation of privacy in e-mails sent from or received and stored on the employer’s computers.
Here, Fell had a subjective belief that his personal e-mail accounts, stored on third-party computer systems, protected (albeit ineffectively) by passwords, would be private. That expectation of privacy was also reasonable, as nothing in PPBC’s policy suggests that it could extend beyond Plaintiffs’ own systems, and beyond the employment relationship. Furthermore, there is no evidence that PPBC’s policy was clearly communicated to its employees, or that it was consistently enforced in a manner that would have alerted employees to the possibility that their private e-mail accounts, such as Hotmail, could also be accessed and viewed by their employer.
Second, Plaintiffs argued that even if Fell had an expectation of privacy, by leaving his username and password on PPBC’s computers he gave Brenner implied consent to access his accounts. The Court rejected this argument on the basis that carelessness does not equal consent, and that implied consent, at a minimum, requires clear notice that one’s conduct may result in a search being conducted of areas which the person has been warned are subject to search.
In this case, Fell only had notice that PPBC’s computers could be searched for evidence of personal e-mail use, not that his Hotmail account would also be searched. He was also never given the opportunity to refuse Brenner any authorization to search his e-mails. At most, the Court stated, one could argue that Fell had consented to Brenner viewing his password. But he did not consent to her using it. Absent clear knowledge of the extent of what could be searched, and the opportunity to refuse or withdraw his consent, the Court rejected Plaintiffs’ argument that Fell gave implied consent to Brenner to search his Hotmail account simply by leaving his password on PPBC’s computer.
CONCLUSION
The Court concluded that Brenner’s unauthorized access to Fell’s Hotmail account violated the SCA and Fell’s privacy. While Fell arguably "authorized" access to any e-mails which he viewed and saved on PPBC’s computers, Brenner was not authorized to access those e-mails directly from Fell’s Hotmail account. Plaintiffs were thus precluded from using the e-mails in the litigation, more than likely severely damaging their case. Brenner should have confined her investigation to PPBC’s network and obtained other critical e-mails during the discovery process.
As of this date, Fell has not countersued Brenner under the SCA, where he will be able to obtain attorneys’ fees and punitive damages, even if he is liable for unfair competition.