So I finally got around to reading the opinion in Anzaldua v. Northeast Ambulance & Fire Protection Dist. (8th Cir. 2015), where the Eighth Circuit Court of Appeals adopted a narrow interpretation of “electronic storage” under the Stored Communications Act (Title II of the Electronic Communications Privacy Act of 1986). It involves a situation that comes up with surprising frequency: Employee gets in trouble based on emails in a personal account; Employee then cries foul (pointing to the SCA or the Computer Fraud & Abuse Act) because the emails were obtained and shared with the employer without permission.
Anzaldua, a firefighter, alleged that his ex-girlfriend, acting as the defendant’s agent, impermissibly accessed his personal email account and forwarded two saved emails—one unsent draft and one stored in his “sent” folder. Anzaldua was fired based on the contents of these “inflammatory” emails.
To access Anzaldua’s account, his ex used his Gmail password, allegedly given to her previously for the limited purpose of forwarding his resume. (A draft email isn’t really a communication, so the email in the sent folder forms the nub of the opinion.)
The district court dismissed the case and denied the plaintiff’s request to amend the complaint, holding that the access was not “unauthorized” within the meaning of the SCA. On appeal, the Eighth Circuit disagreed, noting that the plaintiff had sufficiently alleged unauthorized access. Nonetheless, the panel unanimously affirmed the dismissal on different grounds, holding that the emails were not in “electronic storage” within the meaning of the SCA.
The Court reasoned that a copy of a sent email isn’t really saved “for purposes of backup protection of such communication.” 18 U.S.C. § 2510(17). It did not rule out the possibility that a copy saved by the recipient’s service provider would constitute a stored communication, however. The opinion nominally strives to harmonize its interpretation with Theofel v. Farey-Jones (9th Cir. 359 F.3d 1066, 1072 (9th Cir. 2004) (Kozinski, J.) (applying principles of common law trespass to interpretation of the SCA); but I think that effort is disingenuous.
In my view, the Eight Circuit’s reasoning requires a tortured definition of “backup.” To me, the more expansive interpretation articulated by Chief Judge Kozinski in Theofel is intuitive, because the email, whether in the “sent” folder or another folder, is still literally a “stored communication.” Thanks to footnotes and parentheticals, I think we can read between the lines here: in light of post-SCA proliferation of email, the panel thought it was dumb to make a federal case out of every unauthorized use of an email account. (I would agree with that, but it still amounts to judicial activism.)
Regardless, to avoid SCA and similar issues, it’s important that companies create and enforce sensible personnel policies limiting access to personal accounts, as well as data retention policies. And everyone should periodically change passwords (or better yet, use 2-factor authentication) for their personal as well as professional accounts. That would have prevented this whole situation.