Implications of the Stored Communications Act | DCR Workforce Blog

Implications of the Stored Communications Act

stored communicationEvery American is aware of the Fourth Amendment to the Constitution which prohibits unreasonable searches and seizure. But, in 1792 when the fourth amendment was ratified, none could envision the need to address the voluntary or compelled disclosure of information stored online. For more than two decades, government bodies and the courts have struggled to determine the protections afforded to information communicated or available electronically. Expectation of privacy and protection are automatically lost when the security of information is entrusted to a third party such as an Internet Service Provider (ISP). The ISP can be compelled to reveal the contents of an email or files stored on a server when presented with certain types of warrants or subpoenas.

The Stored Communications Act (SCA) was passed in 2012 to protect users whose electronic communications are stored by an ISP or electronic communications service.   The SCA addresses the disclosure of ‘stored wire and electronic communications as well as transactional records held by third party ISPs.

The SCA can be summarized as follows:

  • The ISP cannot knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service (with limited exceptions).
  • Even with a civil subpoena, the ISP cannot disclose information to civil litigants.
  • Unauthorized access to information help by an ISP is a criminal offense.
  • The government, with a warrant, can access information needed in a criminal investigation.
  • The government may not access information needed in a civil case, even with a civil discovery subpoena.
  • Malicious destruction or damage caused to electronic data for gaining commercial advantage, private commercial gain, or furtherance of any criminal act is punishable both by a fine and/or imprisonment.
  • Subscribers must be notified in advance when the government is about to access this information.
  • Under the Patriot Act, the FBI is authorized to issue a National Security Letter enabling access to content information. Recently, restrictions on the information that can be accessed, and ways in which that information may be disclosed and used, have tightened.

Implications of the SCA for Employers:

 Employers cannot monitor or access their employees’ personal social media accounts, intentionally and without authorization. Let us look at some cases where the SCA was invoked.

  • In Pietrylo v. Hillstone Restaurant Group two managers used an employee’s log in ID and password to access a password –protected MySpace account which was set up to air employees’ grievances against their employer. The managers fired the site’s creators for ‘damaging employee morale’ and ended up being liable for violating the SCA.
  • Similarly with Rodriguez v. Widener University, the university was held liable for violating the SCA. It failed to state at the outset that the plaintiff’s Facebook account (from which the university accessed and printed posts and photographs) lacked privacy settings and that all content was available to the general public.
  • Ehling vs.Monmouth-Ocean Hospital Service Corp. A paramedic wished, on her private Facebook account open only to her friends, that the suspected shooter at a shooting in a museum was not treated by the paramedics who were called to the scene. She also said the security guards needed more target practice. One of these friends took screenshots of these posts and sent them to her employer. The hospital management temporarily suspended her. The management was absolved of wrongdoing under the SCA only because the ‘friend’ voluntarily shared the Facebook posts – and the management never requested such sharing of content.
  • In the case of Joseph v. Carnes, two members of a Limited Liability Company (LLC) sued a third member and the IT director when they discovered that the defendant – with the help of the IT director – had accessed the company’s email server using administrative credentials, conducting more than 2,000 searches. The defendant retrieved other members’ personal communications as well as communications with those members’ legal counsel. While all of these individuals worked for the same company, the courts ruled that this was an SCA violation because the company had no policy in place authorizing the search and review of employees’ email messages, nor did it inform employees or receive consent to access, search and review their email may be accessed.

Online modes of communication and transmission of information are still evolving on a nearly daily basis. It is difficult to reach a clear consensus on the issue of privacy, especially when juxtaposed with the anxiety employers feel about their brand image and reputation. All employers need to tread carefully and avoid making any unauthorized attempts to access employees’ private communication!

The content on this blog is for informational purposes only and cannot be construed as specific legal advice or as a substitute for competent legal advice. They reflect the opinions of DCR Workforce and may not reflect the opinions of any individual attorney. Do contact an attorney for advice specific to your issue or problem.
Lalita is a people/project manager with extensive experience in operations, HCM and training and development across industries like banking, education, business consulting, BPO and information technology. She believes in a dynamic approach to life and learning as change is the only constant.