Sunday, June 16, 2013

Unauthorized access to email results in verdict of $325K.

In the past, I have blogged about unauthorized access to social media and email accounts in the context of divorce. http://massfamilylawblog.blogspot.com/2012/12/can-you-spy-on-your-spouse-with.html and http://massfamilylawblog.blogspot.com/2012/10/spying-on-spouse.html. The danger of such spying is shown by a recent case of unauthorized access which resulted in a verdict of damages of $325,000.00.

In the case of Cheng v. Romo, (Civil Action No. 11–10007–DJC. U.S. Dist.Ct. MA) a civil lawsuit was filed under the federal Stored Communications Act 18 U.S.C. § 2701, et
seq. and the Massachusetts Privacy Act Mass. Gen. L. c. 214, § 1B. Cheng and Romo were doctors who worked together. Their employer did not provide email addresses so they used their private emails for work purposes. Cheng gave Romo his email password so she could access some documents that Cheng had received relating to their work. Romo used the password on several occasions at the time that Cheng gave her the password. For over four years, Romo did not access Cheng's email. However, when Romo was having problems with the empolyer and was contemplating leaving the company, she again accessed Romo's email account. When she accessed the email at this time, she did it for the purpose of obtaining information to help her in potential litigation and negotiations with the employer. Romo's access of the email was discovered when her lawyer produced emails from Cheng's account. A lawsuit followed for damages for the unauthorized access of the email account.

The facts of this case raised questions about interpretation of the Stored Communications Act. Once authorization is given for an email account, can it be limited? Does it have to be limited by express words? Can it be limited by the context of the grant of permission?

Based on jury verdict, it appears that a use exceeding authorization constitutes an unathorized use under the statute. Furthermore, the context can establish the scope of permission. In this case, permission was granted to access an email account for performing work and obtaining information necessary for performing a job function. When the account was accessed four years later, the purpose was to obtain information to harm the owner of the email account and the employer. This was not a proper purpose.

Unless there is a written document establishing the scope of authorization for another's email account, the scope of any authorization should be limited to access for the benefit of the account holder. Any intentional access to obtain information to the detriment of the account holder should be considered unauthorized. I consider intent as the critical element. If a person, in good faith, uses another's email account and happens across harmful information, that access would still be authorized. It is only when the intent is to cause harm that such access should be considered in violation of the computer access and privacy laws.

Applying the lessons of this case to my previous blog articles, I conclude that spying on a spouse or other by accessing their email violates these laws even if the password was freely given. This is true even if a shared computer is used or a computer that is owned by the person spying. Using the internet to spy on another or harm another can be very risky as this $325,000.00 verdict shows.

Before trying to harm someone by using their email or other accounts, you should consult a lawyer who can advise you on the law as it applies to your specific facts.



No comments:

Post a Comment