Supplying Smartphone to Staff Member: Can Board or Manager Read His E-mail?

Aug. 9, 2013Sandi Lazette worked for Verizon, with Chris Kulmatycki as her supervisor. Upon leaving her job, she handed in her company BlackBerry. Eighteen months later, in May 2012, she learned that her old boss had been using the device to read her personal emails – some 48,000 messages – on her Gmail account. Lazette sued, alleging, among other things, that, "Kulmatycki disclosed the contents of some of the e-mails to others."

Of the five claims brought by plaintiff in this proceeding, the one that interests us the most concerns the Stored Communications Act (SCA). The relevant section of the SCA provides that:

      (a) Offense. Except as provided in subsection (c) of this section whoever

          (1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or

          (2) intentionally exceeds an authorization to access that facility;

      and thereby obtains . . . access to a wire or electronic communication while it is in electronic storage in such system shall be punished…

Kulmatycki and his co-defendents had a series of arguments prepared as to why the case should be dismissed. First, they tried to argue that the SCA should not apply to them, as it was intended only for "high-tech" criminals, such as computer hackers. Unsurprisingly, the court did not buy this argument, noting the language of a Michigan case from the year 2000: "The provisions of section 2701 of the Act apply to persons or entities in general and prohibit intentional accessing of electronic data without authorization or in excess of authorization."

Three Reasons

Next, they argued that Kulmatycki was authorized to access plaintiff's e-mails for three reasons. First, they said, Lazette was using a company-owned BlackBerry. The court didn't find this persuasive at all, easily drawing a distinction between the facts in this case and those of the cases the defendants cited, which all involved the use of a shared computer. Here, the use of the device was unilateral. "Indeed," the court wrote, "when Kulmatycki accessed e-mail sent to plaintiff, she was not able to use the blackberry to do likewise." 

Secondly, the defendants said Kulmatycki he did not access a "facility," as the statute uses that term. This is a little confusing – the defendants seem to be arguing that the BlackBerry, the device itself, was a facility, but the emails it accessed were not. The court disagreed, finding that "the 'electronic communications service' resided in the Gmail server, not on the BlackBerry," and the Gmail server, not the BlackBerry, was the "facility."

Thirdly, the defendants said Lazette authorized Kulmatycki's access because she had: a) not expressly told him not to read her e-mails; and b) implicitly consented to his access by not deleting her Gmail account.

Negligence is not the

same as approval,

much less authorization.

Lazette had deleted her emails before returning the phone, but apparently had left the Gmail account open, and that's what allowed Kulmatycki access. The defendants claimed this was Lazette's negligence, and so they could not be held liable. The court found this to be "an unacceptable reading of [the SCA], which prohibits "access without authorization[.]"

Additionally, the court observed that negligence is not the same as approval, much less authorization: "There is a difference between someone who fails to leave the door locked when going out and one who leaves it open knowing someone be stopping by."

Electronic Storage

The next argument was also based on statutory language, and claimed that the "e-mails were not in electronic storage when Kulmatycki read them." Now, the complicated classification of storage in the context of e-mail is complicated. This court's analysis is equally confusing:

E-mails which an intended recipient has opened may, when not deleted, be "stored," in common parlance. But in light of the restriction of "storage" in [the statute] solely for "backup protection," e-mails which the intended recipient has opened, but not deleted (and thus which remain available for later re-opening) are not being kept "for the purposes of backup protection."

The court basically used this to limit the e-mails in dispute to just those which Kulmatycki opened before Lazette did.

Finally, co-defendant Verizon argued it should be dismissed from the case since, under the SCA, the "person or entity providing a wire or electronic communications service" is exempt from punishment. The court disagreed, saying Lazette had done enough to establish that Kulmatycki acted while within the scope of his employment.

If you're a condo or co-op board employing staff, or a building manager acting as an agent of the board, hopefully this case has emphasized the importance of thoroughly erasing all personal data from devices once they're returned.

 

Samir Mathur is a Florida attorney and the managing director of IT-Lex, a nonprofit charitable organization dedicated to educational, literary, and scientific advancement in the field of technology law. This is adapted from his post on the organization's website.

 

For more, see our Site Map or join our Archive >>

Subscribe

join now

Got elected? Are you on your co-op/condo board?

Then don’t miss a beat! Stories you can use to make your building better, keep it out of trouble, save money, enhance market value, and make your board life a whole lot easier!