Sunday, October 13, 2013

Accessing Employee’s Personal E-Mails on Company-Issued Phone Exposes Employer to Liability Under Federal Stored Communications Act


Earlier this month, I posted an article on how employers could face liability under the federal Stored Communications Act (“SCA”) if they solicited Facebook “friends” to access an employee’s social media postings. 
According to a U.S. District Court in Ohio, employers also could face SCA liability for viewing an employee’s e-mails on a company-issued phone.
In Lazette v. Kulmatycki and Cellico Partnership d/b/a Verizon Wireless, 3:12-cv-2416 (JGC) (N.D. Ohio June 5, 2013), Sandi Lazette received a company-issued Blackberry from her employer, Verizon Wireless.  Lazette would send and receive business related e-mails on the device. She was told that she also could use the company-issued phone for personal e-mail so she linked the device to her personal G-mail account.

When she left the company in September 2010, she returned the company-issued phone to her supervisor, Chris Kulmatycki. She understood that Verizon would “recycle” the phone for use by another employee.  However, when Lazette returned the phone, she neglected to delete the access to her personal Gmail account.

Over the next 18 months, without Lazette’s knowledge or authorization, Kulmatycki accessed her G-mail and accessed approximately 48,000 of her e-mails, which included communications about her family, career, financials, health, and other personal matters.  Lazette subsequently filed suit against Verizon and her former supervisor under the SCA. 

The company sought to have the case dismissed on a number of grounds, including its argument that the supervisor’s access was “not” unauthorized because: (1) he used a company-owned Blackberry; (2) he did not access a “facility,” as the statute uses that term; and that (3) Lazette authorized Kulmatycki’s access because she had not expressly told him not to read her e-mails and that she implicitly consented to his access by not deleting her G-mail account. Not surprisingly, the District Court rejected Verizon’s argument:

Turning to the substance of defendants’ contentions, defendants, in effect, contend that plaintiff’s negligence left her e-mail door open for Kulmatycki to enter and roam around in for as long and as much as he desired . . . Whether viewed through the lens of negligence or even of implied consent, there is no merit to defendants’ attempt to shift the focus from Kulmatycki’s actions to plaintiff’s passive and ignorant failure to make certain that the blackberry could not access her future e-mail.

After the District Court denied Verizon and Kulmatycki’s motion to dismiss, the case settled in August 2013 before it went to trial.
In this particular case, it’s obvious that the supervisor’s actions were not authorized by Verizon and his stalker-like review of the plaintiff’s personal e-mails were not for any legitimate business purpose. 
Aside from the inherent creepiness and “ick factor” of the plaintiff’s former supervisor, this case highlights the need for employers to have very clear policies as to what level of privacy an employee can expect in their use of a company’s devices or when an employee uses a personal mobile device or computer on behalf of their employer. 
In years past, such policies would simply inform employees that they should have no expectation of privacy, and that the company device is the property of the employer and may be subject to monitoring.  However, with companies allowing more personal use of company devices or moving to the practice of “BYOD” or “bring Your Own Device” for use at work, the lines have gotten blurred.  As such, employers need to regularly review and update their handbook policies to address how technology is actually being utilized by employees.
In light of this case, a good internal practice would be for a company’s IT department to review all returned devices and ensure they are scrubbed of any personal information before being recycled to another employee.
Mark Fijman is a labor and employment attorney with Phelps Dunbar, LLP, which has offices in Louisiana, Mississippi, Florida, Texas, Alabama, North Carolina and London. To view his firm bio, click here. He can be reached at (601) 360-9716 and by e-mail at fijmanm@phelps.com.