Circuit Split on Scope of Stored Communications Act
So I finally got around to reading the opinion in Anzaldua v. Northeast Ambulance & Fire Protection Dist. (8th Cir. 2015), where the Eighth Circuit Court of Appeals adopted a narrow interpretation of “electronic storage” under the Stored Communications Act (Title II of the Electronic Communications Privacy Act of 1986). It involves a situation that comes up with surprising frequency: Employee gets in trouble based on emails in a personal account; Employee then cries foul (pointing to the SCA or the Computer Fraud & Abuse Act) because the emails were obtained and shared with the employer without permission.
Anzaldua, a firefighter, alleged that his ex-girlfriend, acting as the defendant’s agent, impermissibly accessed his personal email account and forwarded two saved emails—one unsent draft and one stored in his “sent” folder. Anzaldua was fired based on the contents of these “inflammatory” emails.
To access Anzaldua’s account, his ex used his Gmail password, allegedly given to her previously for the limited purpose of forwarding his resume. (A draft email isn’t really a communication, so the email in the sent folder forms the nub of the opinion.)
The district court dismissed the case and denied the plaintiff’s request to amend the complaint, holding that the access was not “unauthorized” within the meaning of the SCA. On appeal, the Eighth Circuit disagreed, noting that the plaintiff had sufficiently alleged unauthorized access. Nonetheless, the panel unanimously affirmed the dismissal on different grounds, holding that the emails were not in “electronic storage” within the meaning of the SCA.
The Court reasoned that a copy of a sent email isn’t really saved “for purposes of backup protection of such communication.” 18 U.S.C. § 2510(17). It did not rule out the possibility that a copy saved by the recipient’s service provider would constitute a stored communication, however. The opinion nominally strives to harmonize its interpretation with Theofel v. Farey-Jones (9th Cir. 359 F.3d 1066, 1072 (9th Cir. 2004) (Kozinski, J.) (applying principles of common law trespass to interpretation of the SCA); but I think that effort is disingenuous.
In my view, the Eight Circuit’s reasoning requires a tortured definition of “backup.” To me, the more expansive interpretation articulated by Chief Judge Kozinski in Theofel is intuitive, because the email, whether in the “sent” folder or another folder, is still literally a “stored communication.” Thanks to footnotes and parentheticals, I think we can read between the lines here: in light of post-SCA proliferation of email, the panel thought it was dumb to make a federal case out of every unauthorized use of an email account. (I would agree with that, but it still amounts to judicial activism.)
Regardless, to avoid SCA and similar issues, it’s important that companies create and enforce sensible personnel policies limiting access to personal accounts, as well as data retention policies. And everyone should periodically change passwords (or better yet, use 2-factor authentication) for their personal as well as professional accounts. That would have prevented this whole situation.
Good catch. The Stored Communications Act sure leads to some funny cases; it is a tremendously overbroad law meant to catch malicious “hackers”; but with little difference in kind between what hackers do and more “routine” violations of digital boundaries or trust, plus growing prevalence of digital activities in our everyday lives, we are sure to see more frequent attempts to apply the Act — with bewildering results. The situation is not helped at all by the squishiness of terms like “unauthorized”, “access”, “communications”, “stored”, or “for the purposes of”, as is illustrated nicely by the circuit split you point out. (The Computer Fraud and Abuse Act embodies similar ambiguities leading to similarly questionable and arbitrary outcomes such as, e.g., US v. Morris, 928 F.2d 504, where exceeding authorized access was shoehorned into “unauthorized access” for the purposes of convicting Robert Morris for the “Internet Worm” — perhaps rightfully. But it’s not clear that we really want the mere exploitation of a software vulnerability — perhaps innocently — to invoke the CFAA).