Ogletree Deakins Ogletree Deakins
Home > Insights & Resources > Blog Posts > Think Before You Click: Employers Could Violate Federal Law by Reading Employee Emails

Think Before You Click: Employers Could Violate Federal Law by Reading Employee Emails

By Michael L. Matula and Alexandra G. Widick
Download PDFPrintShare

The federal Stored Communications Act (SCA) protects the privacy of personal emails and social media accounts that employees may access with company-owned devices. It provides for both civil and potentially criminal penalties for violations.

Quick Hits

  • The federal Stored Communications Act prohibits employers from reading an employee’s personal emails and messages stored on third-party servers or networks.
  • An employee or former employee might accidentally or unknowingly leave open apps or accounts with access to personal messages on a company-issued device.
  • Employers need to balance workers’ privacy rights with business needs and company policies.

Typically, when an employee voluntarily quits or is fired, the employer collects any laptops, phones, tablets, or other equipment owned by the employer. Employees often create bookmarks or links on these company-owned devices to their own email or other personal accounts. But what if at the time of termination an employee has inadvertently left open some personal accounts, such as email, texting apps, or social media apps, or has saved passwords that auto-populate, thus allowing access to those accounts?

Especially in situations where litigation may be foreseeable, it may be tempting for a manager to look at who the employee had been recently communicating with or otherwise look for information that might be of interest or potentially helpful to the employer in a lawsuit. Tempting as this might be, doing so may be illegal under the SCA.

Generally, employers can legally read emails sent with a company email account and monitor activity saved on company-owned devices, shared drives, and networks. Many employers have written policies governing acceptable uses for computers and phones, requiring employees to give consent for monitoring and acknowledge that they have no expectation for privacy. Some policies require security measures, such as encryption and passwords.

However, employers generally cannot read an employee’s personal emails, texts, and social media posts without the employee’s consent, even if access can be found via a company-owned device. The SCA protects the privacy of electronic files stored by service providers and records held about the subscriber by service providers, such as subscriber name, billing records, and IP addresses. This includes personal email accounts stored on a third-party server, text messages saved on a carrier’s system, and files stored in cloud services.

Specifically, the SCA prohibits the intentional, unauthorized access of a “facility through which an electronic communication service is provided” to obtain access to an electronic communication while in electronic storage. With technology constantly evolving, courts are trying to pinpoint what qualifies as a “facility” under the law. Significantly, the “facility” is the server or network operated by the service provider, not the phone, laptop, or tablet a person uses to view the stored content.

For example, while a link in a web browser on a company computer may be company property, the data on the other end of that link (e.g., an employee’s personal email messages in a private account) may not be company property.

Relevant Cases

A few relevant cases shed light on the liability that employers may face.

In Pure Power Boot Camp v. Warrior Fitness Boot Camp, the plaintiffs sought an injunction against the defendants for allegedly (1) stealing the plaintiffs’ business model, customers, and internal documents; (2) breaching employee fiduciary duties; and (3) infringing on the plaintiffs’ trademarks and copyrights. The owner of the plaintiff corporations accessed thirty-four of a defendant’s personal emails after login credentials automatically populated on a former employer’s computer, and further accessed two additional accounts due to shared credentials and information gleaned from emails on the first account accessed. The defendants did not assert a SCA counterclaim, but moved to preclude use of these emails in the litigation. In December 2010, the U.S. District Court for the Southern District of New York found that accessing the personal emails would have violated the SCA, as the plaintiff corporations’ owner was not authorized to access the emails on the personal accounts and sanctioned the plaintiffs under its inherent authority and recommended that the emails be precluded from use in the litigation.

Similarly, in May 2016 in Levin v. Impact Office, a marketing representative sued an office supply company under the SCA, alleging the company accessed her personal emails forty times without consent after she left the job. Although she deleted all emails stored on a company-owned phone before she returned it, she claimed the company arranged to forward her personal emails (allegedly including emails with her attorney) from a third party’s servers to the company’s lawyer.

The office supply company argued that opened emails are not in “electronic storage” as defined by SCA. However, in July 2017, the U.S. District Court for the District of Maryland concluded that the plaintiff was not required to claim the emails were unopened to support an SCA claim. The court found that the SCA protects opened emails that are stored for backup purposes.

Meanwhile, in 2022 in Benz v. PHB Realty Company, an administrative assistant sued a real estate company for violating the SCA and invasion of privacy. She had used her personal email account and personal laptop to email a colleague about a potential job opening at a new business. Then she discovered that someone had accessed her work computer when she was not in the office and logged into her personal email account and social media platforms. The company fired the employee shortly afterwards, citing her conversations about a new job as cause. In August 2022, the U.S. District Court for the District of Kansas denied the company’s motion to dismiss the SCA claim. The case settled shortly thereafter.

Next Steps

Employers may wish to train managers to understand and comply with federal and state privacy laws regarding accessing an employee’s emails and other stored content. They may also wish to exercise caution before taking disciplinary actions based on information in an employee’s personal emails or other stored content.

Ogletree Deakins’ Cybersecurity and Privacy Practice Group will continue to monitor developments and will provide updates on the Cybersecurity and Privacy blog as new information becomes available.

Michael L. Matula is a shareholder in Ogletree Deakins’ Kansas City office.

Alexandra Widick is an associate in Ogletree Deakin’s Kansas City office.

This article was co-authored by Leah J. Shepherd, who is a writer in Ogletree Deakins’ Washington, D.C., office.

Follow and Subscribe
LinkedIn | Instagram | Webinars | Podcasts

Authors

Michael L. Matula Profile Image
Michael L. Matula
Office Managing Shareholder, Kansas City
Alexandra G. Widick Profile Image
Alexandra G. Widick
Associate, Kansas City

Topics

Cybersecurity and Privacy

Browse More Insights

Podcasts Seminars Webinars
Modern dark data center, all objects in the scene are 3D
Practice Group

Cybersecurity and Privacy

The attorneys in the Cybersecurity and Privacy Practice Group at Ogletree Deakins understand that data now accumulates quickly and transmits easily. As the law adapts to technical advancements, we effectively advise our clients as they work to comply with new developments and best practices for protecting the privacy of the data that their businesses collect and retain.

Learn more

Sign up to receive emails about new developments and upcoming programs.

Sign Up Now