The Fourth Circuit Court of Appeals has strengthened federal anti-hacker email privacy law by allowing a civil suit for punitive damages alone, even when there are no actual damages. Van Alstyne v. Electronic Scriptorium, _F.3d_, 2009 WL 692512 (4th Cir. March 18, 2009). The Court recognized that the intentional taking of email stored online was a violation of the Stored Communications Act (“SCA”), 18 U.S.C. §2707, allowing a victim to sue for monetary damages to punish the hacker and deter such future conduct.
This is a significant advance in privacy protection law because previously, punitive damage awards under the SCA were not allowed without proof of actual damages. Id. at pg. 16. People Helpers Found., Inc. v. City of Richmond, 12 F.3d 1321, 1326 (4th Cir. 1993). This is in accord with the general rule that punitive damages are never allowed without proof of actual damages unless a statute expressly allows it. Id. The Court found such authority in the civil enforcement section of the SCA, which states:
If the violation is willful or intentional, the court may assess punitive damages.
18 U.S.C. §2707(c). This is the first time the SCA has been so interpreted by a Circuit Court of Appeals and the first time punitive damages, costs, and attorney fees for an SCA violation have been allowed without proof of damages.
It is a Crime to Hack Into an Online Email Account
The unauthorized access of an AOL account in Van Alstyne constituted a violation of the SCA, which is part of the Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. §2510, et seq. As the opinion at page 8 explains:
Section 2701 of the SCA creates a criminal offense for whoever “intentionally accesses without authorization a facility through which an electronic communication service is provided” or “intentionally exceeds an authorization to access that facility,” and by doing so “obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.” 18 U.S.C.A. §2701(a)(1-2).
As background, Bonnie Van Alstyne was employed as Director of Marketing for Electronic Scriptorium, a small data-conversion company. She claimed she was fired after rejecting sexual advances from the CEO, Edward Leonard. At that point, Leonard did a little self-help e-discovery (we presume without any assistance from his lawyer) and hacked into Van Alstyne’s AOL email account.
This AOL account, like any online email service, is considered “a facility through which an electronic communication service is provided” covered by the SCA. Leonard had somehow discovered Van Alstyne’s AOL password. We are not told how he did that, but he could have lawfully discovered it by looking on company computers. Regardless, Van Alstyne had never authorized Leonard to access her AOL account. Leonard used her AOL user-name and password to read her email. We do not know all of the nefarious motives behind this invasion of privacy, but certainly one motive was to try and find something that he could use against Van Alstyne to defend the sexual harassment claims. He found a few emails he liked, downloaded them, and provided them to his lawyer. The lawyer in turn surprised Van Alstyne with these emails during her deposition.
The downloading of emails from Van Alstyne’s AOL account without authorization constituted “obtaining … a electronic communication while it is in electronic storage in such system” and thus a clear violation of the SCA was established. The Court held that if the SCA is intentionally violated, then punitive damages, costs, and fees can be awarded, even though no damages were caused by the taking of the electronic communication.
Court Requires Actual Damages to Trigger the Statutory Minimum
The Court did, however, draw the line at the automatic award of the minimum statutory damages of $1,000 per unauthorized access. It held that it is not permitted under the statute without proof of some damages. In so doing, it followed the Supreme Court in Doe v. Chao, 540 U.S. 614, 627 (2004). The Supreme Court in Doe considered nearly identical language in the Privacy Act, 5 U.S.C. §552a(g)(4), and held that the $1,000 minimum statutory damages award was available “only to plaintiffs who suffered some actual damages.”
The Fourth Circuit considered itself to be bound by Doe, but reportedly five district courts in five different circuits did not. They had previously held to the contrary that proof of actual damages was not required to receive the statutory minimum award under the SCA. For this reason, some consider Van Alstyne to be a setback for privacy law, and indeed it is, to a degree. Still, this is a slight setback and pales in comparison to a Circuit Court of Appeal allowing punitive damages under the SCA without proof of actual damages.
Here is the Court’s summary, at page 8, of the civil action of damages allowed under the SCA:
Section 2707 provides a private cause of action for “any . . . other person aggrieved” by a violation of § 2701. 18 U.S.C.A. §2707(a). Under § 2707, a district court may award equitable or declaratory relief, a reasonable attorney’s fee and other costs, and “damages under subsection (c).” 18 U.S.C.A. §2707(b). Subsection (c) provides:
The court may assess as damages in a civil action under this section the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000. If the violation is willful or intentional, the court may assess punitive damages. In the case of a successful action to enforce liability under this section, the court may assess the costs of the action, together with reasonable attorney fees determined by the court.
The Court rejected plaintiff’s arguments that the reference to a minimum award meant that you should receive $1,000 for every violation, even if there were no “actual damages.” I found the Court’s argument on that point persuasive and even forgetting Doe, which of course you cannot do, I do not see how five district courts were persuaded to rule to the contrary. If Congress had intended to allow a minimum statutory damage award absent proof of actual damages, it could easily have said so in the statute. For instance, the Wiretap Act, which like the SCA is found within the ECPA, does exactly that:
In any other action under this section, the court may assess as damages whichever is the greater of . . . the sum of the actual damages suffered by the plaintiff and any profits made by the violator . . . or . . . statutory damages of whichever is the greater of $100 a day for each day of violation or $10,000.
18 U.S.C. §2520(c)(2). I would support an amendment to the Stored Communications Act to provide for an automatic award of damages in an amount even greater than $1,000 per violation, but regardless, we now have incentive enough from actual and punitive damages to sue to enforce this important law.
Lesson For Hackers: Computer Privacy Law Now Has More Teeth
Although this case arises out of an employer context, and involves other claims of sexual discrimination and wrongful discharge (thus the search for her email), this is not really an employment case, but rather an individual privacy rights case. This decision strengthens the protection of the Electronic Communications Privacy Act by encouraging civil suits to enforce the SCA email protection segments of this law.
Since it is often difficult or impossible to prove actual damages from an invasion of email privacy, there is little encouragement for victims to sue under the Stored Communications Act if the suit requires proof of damages. Further, as Van Alstyne argues in this case, if you do try to prove damages, such as emotional distress, you often open yourself up to very invasive discovery of all aspects of your personal life. This is something that most people, including Van Alstyne, are unwilling to do. The net result is that the hacker often walks, undeterred from doing it again to the next victim.
If a person is just embarrassed and annoyed by the interception and theft of their email and other electronic messages, and they cannot easily prove actual hard dollar damages, they had no incentive to sue the perpetrator. (They might be able to get an injunction or declaration, but so what.) If you must prove actual damages, then the victim’s only real hope to try to punish and deter a computer hacker is through the criminal system. A victim could file a complaint and hope the prosecutor would bring criminal charges. But as a practical matter, unless money is involved, few prosecutors have the time, money, expertise, or inclination to prosecute such computer privacy cases. The reluctance to prosecute non-monetary hacker cases is especially true in situations such as in this case, where there is ongoing civil litigation between private parties.
Aside from cases where there are actual damages, such as credit card or medical information hacker cases, criminal prosecutions for breach of computer privacy alone are few and far between. The only exception is the high-profile case, such as 2008 Republican Vice presidential candidate Sarah Palin, whose Yahoo email account was hacked into during the election. A college student accessed her email account by guessing the answers to her security questions, and then publicly bragged about it. You betcha he was tracked down and indicted under the SCA. But even there, the student has not yet been convicted and there may be problems with the SCA criminal case.
Although many people use online email, it is far from secure. It is all too easy to discover a person’s online email account password and “hack” into their email or other cloud computing accounts, including social media accounts such as Facebook. The ease of such computer intrusion or hacking is shown by this case and the Sarah Palin case. This is especially true if you know the person, or they are a public figure and you can guess their password security questions as the Palin case shows. It is also easy to do if you have access to the person’s work computer and can trace their Internet use history, something most employers today can do.
There are many other instances of email hacking going on today that you never hear about, particularly in divorce or harassment cases. Thanks to Van Alstyne, in the future you will start to hear about this much more often. The Fourth Circuit has strengthened the rights of computer users to privacy by adding punitive damage teeth to the Stored Communications Act. Since cloud computing has now become so pervasive, this is an important decision for everyone’s privacy rights, including corporations at risk for having their own computers and email systems hacked. Hackers beware! You may not only go to jail, but be sued for punitive damages and fees by everyone you hack.
Apparently this change in the law may also help plaintiffs in class-action cases that allege SCA violations, such as suits against service providers like AT&T for turning over private email to the government without a valid subpoena. It will make it easier to state a cause of action under the SCA because you will no longer have to plead damages, just an intentional violation. According to class-action attorneys Al Gidari and Ryan Mrazik in their article on the Van Alstyne decision in Digestible Law:
Practically, this case actually makes it easier for plaintiffs to survive motions to dismiss for failure to plead actual damages because they now can assert the conduct was “willful or intentional” and discovery will be required to determine if punitive damages are warranted. And, because whether conduct is willful or intentional is a question of fact, it will be difficult for defendants to win summary judgment after discovery as well. In sum, the Fourth Circuit’s decision may open the door to much more SCA litigation.
Attorneys Gidari and Mrazik recommend that:
Companies should carefully consider when and whether to access, use, or disclose stored communications or customer information and ensure their conduct comports with SCA-authorized activities to avoid the now higher risk of litigation.
That is good advice for companies, spammers, Gladys Kravitz-types, and hackers alike.
Lessons for e-Discovery Lawyers: Beware of Illegally Hacked Email
There are important lessons here for e-discovery lawyers too. The unauthorized access of a person’s private email account to discover and retrieve their email is a crime. Just because you know a person’s user name and password, does not give you the right to use it. This kind of self-help e-discovery is not only unethical, it is criminal. You must employ a request for production or subpoena. You cannot hack into their private email accounts or home computers any more than you can break into their house and steal papers.
Of course, this is different from a situation where you look at the contents of the employee’s office, or office computer, or office email account. See IT Workers Read Your Personal Email and U.S. Law is Generally OK with That. An employer can use an employee’s password to access their company computer and company email because they have authority to do that. But I have never seen an employment agreement or policy which provides an employer with authority to access an employee’s private email account, such as AOL, Yahoo, or Gmail, or hack into their home computer systems, regardless of whether they may sometimes use these computers and email services for business. See also Quon v. Arch Wireless, 529 F.3d 892, 2008 WL 2440559 (9th Cir., June 18, 2008), which I wrote about in More “Must Read” 2008 Cases. In Quon the Ninth Circuit held that a company’s disclosure of text messages to the employer, who was the “subscriber” and not “an addressee or intended recipient of such communication,” violated the SCA.
Van Alstyne sends a clear signal to the computer-savvy-Bar. You cannot use self-help in the guise of discovery or employee monitoring to hack a person’s private email account. Yes, I know it is ridiculously easy to hack into these online email and social media accounts. It might be a simple way to get at the truth, expose liars, and win the case. It could be done surreptitiously and never disclosed. But don’t do it. This kind of self-help e-discovery is a crime. You could go to jail (up to five years), be fined, and lose your license. Also, as this case holds, you could face a civil suit and a jury with the power to punish the “bad lawyer” with damages. The CEO in Van Alstyne got tagged with a $100,000 punitive damage award. How much do you think a jury might award to punish a lawyer hacker or his or her law firm? It is an easy button to be sure, but don’t press it, and don’t allow your staff, hired detectives, or vendors to do it either.
Van Alstyne also sends a clear signal to the computer-challenged-Bar. Consider the facts in Van Alstyne as stated in the opinion. Van Alstyne was shown several emails during her deposition. They were presented to her in paper form and had apparently not been disclosed to her attorney before the deposition. She had written these emails before she was fired and she recognized them. Apparently they were all work related in some way and hurt her case.
Van Alstyne had primarily used her employer’s Outlook email for work, but would sometimes also use her personal AOL email account. She suspected that some of the emails shown to her during the deposition were from her AOL account, not her Outlook account. (I do not know why this was just a suspicion, instead of obvious from the email address, but perhaps the emails all just showed the same user name or perhaps that portion of the email was not included on the papers shown to her.) Here is the Court’s explanation of what happened after the deposition:
Van Alstyne believed that these exhibits were actually taken from her AOL account and not her company account. With her suspicions aroused, Van Alstyne began pursuing the possibility that Leonard and ESL had broken into that private account. Sure enough, during a June 2006 deposition, Leonard admitted that he accessed Van Alstyne’s AOL account after she left the company. He further testified that the emails produced during the deposition represented the only occasions on which he had accessed her account.
It turns out that Leonard, the alleged sexual harasser, was not entirely truthful during his deposition testimony. He had far more of Van Alstyne’s AOL emails than that. In truth, he had accessed her AOL account many, many times. In later depositions Leonard admitted the truth. Here are the Court’s words in footnote 2 about Leonard’s false testimony in his first deposition:
These statements were not entirely true. Indeed, Leonard ultimately admitted to accessing Van Alstyne’s AOL account at all hours of the day, from home and internet cafes, and from locales as diverse as London, Paris, and Hong Kong. During discovery, Leonard produced copies of 258 different emails he had taken from Van Alstyne’s AOL account.
A tad obsessive, wouldn’t you say? In any event, after contradictory testimony like that, Leonard’s credibility is shot. It is no surprise that the jury awarded $100,000 in punitive damages alone, just for these unauthorized intrusions into Van Alstyne’s AOL account.
But what about Leonard’s attorney? Did he or she ask Leonard where he got the emails they were going to use for the deposition of Van Alstyne? I would hope so, and hope that the client lied to his attorneys and said they were all from his company’s computers. Still, it would seem that a diligent investigation and supervision of the discovery process would have revealed the true origin of these emails.
The lesson to be learned here by attorneys is to always ask and be sure you understand where and how your client obtained email that they turn over to you. Especially in a heated case like this with allegations of sexual harassment, you need to be sure the emails were obtained legally. This is now a common problem in divorce cases. If your client has hacked into someone’s private email to get the evidence, they may well have committed a crime, as this case shows. They should be counseled accordingly. You cannot simply act like Sergeant Schultz in Hogan’s Heroes and say “I know nothing!” The dumb-as-you-want-to-be defense will not work with savvy opposing counsel or judges. You have a duty to inquire and cannot simply look the other way. If you learn the evidence is tainted, you do not use it and just hope that nobody notices.
I am not suggesting that is what happened here. I do not know; but the facts stated in the opinion raise some disturbing questions. Clearly we should all exercise caution in the discovery of an adversary’s email and other personal computer information. When it comes to private email we should forget the common proverb; we should carefully look a gift horse in the mouth.
Everyone who uses email in the clouds can now rest a little safer, thanks to this important ruling of the Fourth Circuit. We can only hope that other Circuits will follow Van Alstyne and allow punitive damage, cost, and fee awards for unlawful invasion of email privacy without proof of actual damages. This will encourage active enforcement by private parties in civil lawsuits. If a jury is mad at the hacker, be they a young student, like in Palin, or the CEO of the company, as in Van Alstyne, we could see quite a few six figure punitive damage awards (assuming the judge does not reduce the size of the award as unreasonably high; see Abner v. The Kansas City So RR, 513 F.3d 154 (5th Cir. 2008)). Nobody likes to have their email privacy invaded and now we have another way to fight back.