April 25, 2014 Top Story

Party Held Liable for Unauthorized Email Access

Courts struggle to apply Stored Communications Act to modern email systems

Jannis E. Goodnow

You and your business partner exchanged personal email passwords a decade ago to access each other’s business reports. Now, you suspect he is having an affair with an employee. Do you use his password to read his email exchanges with the employee? If so, you have violated a federal statute, according to the U.S. District Court for the District of Massachusetts in Cheng v. Romo.

Cheng and Romo were among the owners of a medical practice. In 2000, they exchanged passwords to their respective Yahoo! email accounts so they could access each other’s medical reports. A few years later, the practice started using software that allowed sharing reports without using email. In 2008, Romo and her husband, an employee of the practice, each sued the practice in state court. In his suit, Romo’s husband produced printouts of flirtatious emails between Cheng and a female employee, which Romo had printed out using Cheng’s password. Cheng subsequently filed suit against Romo in federal court, alleging that she had violated the Stored Wire and Electronic Communications and Transactional Records Access Act, also known as the Stored Communications Act (SCA), by accessing Cheng’s emails in 2008 without his authorization.

In defending Cheng’s action, Romo admitted accessing and printing Cheng’s Yahoo! emails but argued that she was authorized to do so, as Cheng had given her his password. She also argued that she had a valid business reason to access Cheng’s email account because she was concerned that Cheng was having an adulterous relationship with the female employee. The case went to trial, and the jury returned a verdict in Cheng’s favor.

Romo moved to have the verdict set aside on the basis that the emails in question were not “stored communications” as defined under the SCA. The court denied the motion, finding that Cheng’s emails, existing only on Yahoo!’s server, were stored “for purposes of backup protection” under the SCA.

Unauthorized Access of Communications 

The SCA, passed in 1986, provides in part that someone who:

    “(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility;

    and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished.”

As incorporated into the SCA“electronic storage” is defined as “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.” Romo argued that because Cheng’s emails had been opened by him and existed only on Yahoo!’s server, they had not been backed up and, accordingly, were not stored “for purposes of backup protection.” Cheng countered that it would be illogical to interpret the statute to find that the emails were not in “electronic storage” under the SCA.

Courts Struggle to Apply Outdated Statute to Current Technology

Noting that “web-based email systems [such as Yahoo!] did not exist when the term ‘electronic storage’ was defined in the SCA,” the court examined cases reaching opposite results regarding whether emails in web-based systems are in “electronic storage.” The court rejected the reasoning of a South Carolina case that “Congress’s use of ‘backup’ necessarily presupposes the existence of another copy.” Rather, the court found that when Cheng used his browser to access emails on the Yahoo! server, a “backup” of the email remained on the server.

The court refused to make a distinction between older technology—email client programs running on personal computers—and today’s internet email systems: “The web-based access mechanism is simply the modern day equivalent of how email was accessed in 1986, when the SCA was passed.” On this basis, the court concluded that Cheng’s emails were held in backup storage for purposes of the SCA.

Interpretation of “Electronic Storage” Remains Problematic

While some courts have held that maintaining emails in a Yahoo! or Gmail account is not “backup storage” under the SCA, “this does not make sense if you look at what the statute is intended to prevent: electronic snooping,” says Peter S. Brooks, Boston, MA, who represents Cheng. On the other hand, according to Joseph V. Cavanagh III, Providence, RI, who represents Romo, “There are a good number of courts that have refused to apply the SCA to emails once they have been transmitted and read. Here we are dealing with emails that were not only already transmitted and read but were never set aside in any other location by the user. ” 

“Understandably, courts and litigants are struggling with how the definition [of electronic storage for “backup protection”] applies to modern email and electronic storage systems,” says Kenneth R. Berman, Boston, MA, cochair of the ABA Section of Litigation’s Corporate Counsel Committee. This case “shows how difficult it can be to adapt a 30-year-old statute to modern technology,” notes Harout J. Samra, Miami, FL, cochair of the Section of Litigation’s Technology for the Litigator Committee. “Basically, you have a statute that is vague and outdated, and courts are willing to be flexible in applying it,” explains Samra. “Because looking at another’s email is generally considered to be bad conduct, courts have a tendency to want to find a violation,” agrees Berman.

The “backup protection” language is not relevant today, says Anne E. Kershaw, Tarrytown, NY, cochair of the E-Discovery and Litigation Technology Subcommittee of the Section’s Corporate Counsel Committee. “What people really do now is create replicated environments on remote servers rather than relying on backup tapes,” she explains.

“The court reached the right result but it was a hard slog,” says Kershaw. “The cartwheels the court had to go through to reach this result illustrates how the statutory framework is not helpful,” says Kershaw. Moreover, it is arguable that courts holding that emails stored only on web-based servers fall under the SCA are ignoring the words “for backup protection.” “If your theory of statutory interpretation is to give each word a meaning, then the argument exists that the finding in this case is inconsistent with the statute,” opines Berman.

Congressional Action Needed to Resolve Conflict

Section leaders agree that that the SCA should be modernized. The conflict among jurisdictions in interpreting “backup protection” could be resolved by the U.S. Supreme Court, “but that it not likely to happen,” predicts Samra. Rather, “Congress could do us all a favor and change the definition to be consistent with modern methods of electronic communication,” says Berman, adding that “eliminating the words ‘for purposes of backup protection’ would eliminate the confusion.”


Jannis E. Goodnow is an associate editor for Litigation News.

Keywords: Stored Communications Act, email, unauthorized access, backup storage


Related Resources

Cases holding opened web-based emails are in "electronic storage" under the SCA:

Cases holding opened web-based emails are not in "electronic storage" under the SCA

Copyright © 2014, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).