Look, But Don't Log In

By Marjorie J. Peerce and Daniel V. Shapiro
July 24, 2009

You are in-house counsel at a public company and you suspect an employee may be leaking inside information. You decide to conduct an internal investigation. A computer forensic analysis reveals that the employee has accessed his personal Web-based e-mail account from his company computer and that his login information (user name and password) has been recovered from the computer's memory. Can you log in to the account and read his personal e-mail?

Unlike an employer's internal e-mail system, which is generally understood to be under the ownership and control of the employer, personal Web-based accounts accessed at work raise new and unsettled questions about an employee's expectations of privacy. A computer that accesses a Web-based account (such as an e-mail account, social-networking Web site, or Instant Messaging service) merely provides a window into an account that is physically stored elsewhere. Information viewed or created using a company computer may be accessible without logging in to the account by accessing temporary Internet files on the company's computer, and is therefore arguably fair game to review. Other information in the account that was not viewed or created from a company computer, however, is likely only accessible by logging in and exploring the Web-based account. How far can you go?

Liability under the Stored Communications Act

A significant risk faced by companies that exceed authorized access to an employee's Web-based account is liability under the Stored Communications Act (“SCA”). The SCA creates a criminal offense and civil liability for whoever “intentionally accesses without authorization a facility through which an electronic communication service is provided” or “intentionally exceeds an authorization to access that facility” and by doing so “obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.” 18 U.S.C. §2701. The SCA has been used to prosecute e-mail hackers in the past, such as the college student who allegedly hacked into Sarah Palin's e-mail account, and there is also a portion of the statute which creates a private cause of action through which a plaintiff can recover damages, including punitive damages if the violation “is willful or intentional.” 18 U.S.C. §2707(c).

This past March, the Fourth Circuit held, for the first time anywhere, that a plaintiff suing under the SCA for unauthorized login to her personal Web-based e-mail account could recover punitive damages even in the absence of actual damages. Van Alstyne v. Electronic Scriptorium Ltd., 560 F.3d 199 (4th Cir. 2009). The plaintiff sued her former employer for sexual harassment, who then sued her in a separate action for business torts. During discovery, Van Alstyne became suspicious that e-mails produced by her former boss were from her personal AOL e-mail account, an account that she had used, in addition to her company account, to conduct business while employed at the company. The former boss admitted that he had logged into Van Alstyne's AOL account numerous times from work, home, and while traveling. The jury awarded Van Alstyne more than $400,000 in damages and costs. On appeal, the Fourth Circuit struck down a portion of the award, but held that punitive damages may be awarded under the SCA even absent any showing of actual damages.

Could the same factors that led the Fourth Circuit to uphold punitive damages lead a prosecutor to indict an employer on similar facts? If, as Van Alstyne suggests, logging in can subject an employer to punitive damages, a creative prosecutor might file criminal charges for the same “willful or intentional” conduct. For this reason, Van Alstyne warrants the attention of in-house counsel tasked with conducting internal investigations.

Privacy Expectations Analysis under the SCA

So how can an attorney determine the extent to which a company has been authorized to access an employee's Web-based account? An employee's expectation of privacy and the authorization granted by the employee to invade that privacy are generally defined by the company's electronic communications policy. You should reread your company's policy with the SCA and Van Alstyne in mind.

A recent New Jersey case illustrates how the analysis of an employee's privacy expectations with regard to Web-based accounts turns on the wording of a company's electronic communications policy. In Steingart v. Loving Care Agency, Inc., Docket No. BER-L-858-08 (N.J. Super. Law Div., Feb. 5, 2009), the issue was whether an employee's e-mails to her lawyer, recovered from the temporary Internet files on a company computer with no login required but originally sent through her Web-based e-mail account, were privileged. To resolve the question, the court reviewed the employer's electronic communications policy to determine whether the employee had a reasonable expectation of privacy in the e-mail. In holding that the e-mails were not privileged, the court relied upon the fact that the Employee Handbook warned that “[e]-mail and voice mail messages, Internet use and communication and computer files are considered part of the company's business and client records. Such communications are not to be considered private or personal to any individual employee.” The court held that “the question of whether an employee has a reasonable expectation of privacy in a communication made on a work issued computer is based on the degree of notice the employer has provided to its employee regarding their right to privacy in electronic communications.”

The privacy expectation analysis illustrated in Steingart is also useful in determining whether a search could risk exposing your company and yourself to liability under the SCA. While the question under the SCA is what “authorization” has been provided to access the materials, the analysis is much the same. Authorization is the flip side of privacy expectation, and courts may well hold that, for purposes of the SCA, employees have authorized access to those areas for which they do not have a reasonable expectation of privacy.

A robust electronic communications policy coupled with signed acknowledgements from employees that they have reviewed it will go a long way toward protecting your company from liability under the SCA for searches conducted during an internal investigation. Company communication policies, however, generally do not address the expectations that an employee should have about whether an employer can use a personal user name and password that the employee has typed on a company computer and thereby inadvertently “shared” with the employer. Policies similar to the one in Steingart are likely not explicit enough to allow a company to use an employee's recorded login information to access the employee's Web-based account. Although the typical policy makes clear that no communication should be considered private, it makes no reference to the company's ability to use the employee's login to obtain information that does not reside on the company's own computer network.

One option is to make the authorization explicit in your company's policy. Unchecked expansion of electronic communications policies, however, may not be in your company's best interest. As policies become more onerous and invasive, they may hinder a company's ability to recruit or retain talent. Besides, a policy that purports to allow unfettered use of login information by employers could lead to disturbing scenarios. For example, an employee who never actually sent any e-mails to her lawyer from work could face an argument that she has waived the attorney-client privilege for e-mails sent to her lawyer from home, simply because she logged onto her Web-based account from work for other purposes. Arguably, an expansive communications policy would have put her on notice that her login information could be used, so as soon as she logged in once from work, the company was authorized to access her outside e-mail account forever. As technology adapts to enable us to conduct our business and personal lives simultaneously, the courts increasingly will be asked to decide privacy disputes of this kind.

Dangers of Self Help

The limitations placed on a company by the SCA highlight a key distinction between a government investigation with subpoena power and that of a private entity. Under the SCA, the government is permitted to require, through a variety of procedures, that an electronic communication service provider hand over information. See 18 U.S.C. §2703. Private companies have no similar recourse. Resorting to self help in an internal investigation exposes your company to liability under the SCA, both civil and, perhaps, criminal.

In our view, a company should decline to use recovered login information during an internal investigation. And, even if your company has an electronic communications policy that allows for the use of login information, you should seek outside legal advice before you act. As Van Alstyne and Steingart suggest, a company is on safer ground when it remains within the boundaries of regularly accepted practice and limits its review to material accessible on the company's computers when its communications policy provides authorization for such action. If more is required, let the government do it.


Marjorie J. Peerce is a partner at Stillman, Friedman & Shechtman, P.C., New York. She can be reached at [email protected]. Daniel V. Shapiro is an associate at the firm.
