Samir Mathur in Board Operations on August 9, 2013
Of the five claims brought by plaintiff in this proceeding, the one that interests us the most concerns the Stored Communications Act (SCA). The relevant section of the SCA provides that:
(a) Offense. Except as provided in subsection (c) of this section whoever
(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
(2) intentionally exceeds an authorization to access that facility;
and thereby obtains . . . access to a wire or electronic communication while it is in electronic storage in such system shall be punished…
Kulmatycki and his co-defendents had a series of arguments prepared as to why the case should be dismissed. First, they tried to argue that the SCA should not apply to them, as it was intended only for "high-tech" criminals, such as computer hackers. Unsurprisingly, the court did not buy this argument, noting the language of a Michigan case from the year 2000: "The provisions of section 2701 of the Act apply to persons or entities in general and prohibit intentional accessing of electronic data without authorization or in excess of authorization."
Three Reasons
Next, they argued that Kulmatycki was authorized to access plaintiff's e-mails for three reasons. First, they said, Lazette was using a company-owned BlackBerry. The court didn't find this persuasive at all, easily drawing a distinction between the facts in this case and those of the cases the defendants cited, which all involved the use of a shared computer. Here, the use of the device was unilateral. "Indeed," the court wrote, "when Kulmatycki accessed e-mail sent to plaintiff, she was not able to use the blackberry to do likewise."
Secondly, the defendants said Kulmatycki he did not access a "facility," as the statute uses that term. This is a little confusing – the defendants seem to be arguing that the BlackBerry, the device itself, was a facility, but the emails it accessed were not. The court disagreed, finding that "the 'electronic communications service' resided in the Gmail server, not on the BlackBerry," and the Gmail server, not the BlackBerry, was the "facility."
Thirdly, the defendants said Lazette authorized Kulmatycki's access because she had: a) not expressly told him not to read her e-mails; and b) implicitly consented to his access by not deleting her Gmail account.
Negligence is not the
same as approval,
much less authorization.
Lazette had deleted her emails before returning the phone, but apparently had left the Gmail account open, and that's what allowed Kulmatycki access. The defendants claimed this was Lazette's negligence, and so they could not be held liable. The court found this to be "an unacceptable reading of [the SCA], which prohibits "access without authorization[.]"
Additionally, the court observed that negligence is not the same as approval, much less authorization: "There is a difference between someone who fails to leave the door locked when going out and one who leaves it open knowing someone be stopping by."
Electronic Storage
The next argument was also based on statutory language, and claimed that the "e-mails were not in electronic storage when Kulmatycki read them." Now, the complicated classification of storage in the context of e-mail is complicated. This court's analysis is equally confusing:
E-mails which an intended recipient has opened may, when not deleted, be "stored," in common parlance. But in light of the restriction of "storage" in [the statute] solely for "backup protection," e-mails which the intended recipient has opened, but not deleted (and thus which remain available for later re-opening) are not being kept "for the purposes of backup protection."
The court basically used this to limit the e-mails in dispute to just those which Kulmatycki opened before Lazette did.
Finally, co-defendant Verizon argued it should be dismissed from the case since, under the SCA, the "person or entity providing a wire or electronic communications service" is exempt from punishment. The court disagreed, saying Lazette had done enough to establish that Kulmatycki acted while within the scope of his employment.
If you're a condo or co-op board employing staff, or a building manager acting as an agent of the board, hopefully this case has emphasized the importance of thoroughly erasing all personal data from devices once they're returned.
Samir Mathur is a Florida attorney and the managing director of IT-Lex, a nonprofit charitable organization dedicated to educational, literary, and scientific advancement in the field of technology law. This is adapted from his post on the organization's website.
For more, see our Site Map or join our Archive >>