Ninth Circuit Court of Appeals: Stored Communications Act and Computer Fraud and Abuse Act Provide Cause of Action for Plaintiff
The Ninth Circuit held that plaintiffs whose private e-mail messages were disclosed under a “patently unlawful” subpoena could sue the defendant who issued the subpoena and his lawyer under the federal Stored Communications Act (18 U.S.C. § 2701 et seq.) and the Computer Fraud and Abuse Act (18 U.S.C. §1030) The court held that the federal Wiretap Act (18 USC §2511 et. seq.) does not apply to such a case because it does not cover stored e-mails. This case arose during a civil discovery proceeding when the defendant subpoenaed the plaintiffs’ Internet service provider for all e-mails ever sent and received by anyone at the plaintiffs’ company. Before officers of the company became aware of the subpoena, the service provider disclosed a number of responsive e-mails unrelated to the litigation, including some that were personal and/or privileged. Upon request by officers of the company, the trial court quashed the subpoena and awarded sanctions against the defendant. The court declared the subpoena “massively overbroad” and “patently unlawful,” reflecting both “bad faith” and “at least gross negligence.” Officers and employees of the company whose private messages had been disclosed then re-sued the defendant and the defendant’s lawyer under the Stored Communications Act, the Computer Fraud and Abuse Act, the Wiretap Act, and related state statutes.
The district court ruled that the defendants’ access to the messages had been authorized under the terms of the Stored Communications and Computer Fraud statutes because it was obtained through a subpoena and the service provider had been informed of its right to challenge the subpoena. It also held that the Wiretap Act did not apply to stored e-mails. Therefore, it dismissed the federal claims and declined jurisdiction over the state claims. The plaintiffs appealed.
The appellate court held that the e-mails had been obtained through intentional, unauthorized access under the Stored Communications and Computer Fraud statutes and reinstated those claims. The Stored Communications Act provides a cause of action against anyone who “intentionally accesses without authorization a facility through which an electronic communication service is provided” and obtains access to a communication in electronic storage. 18 U.S.C. § 2701(a)(1), 2707(a). The Computer Fraud and Abuse Act provides a cause of action against anyone who “accesses a computer without authorization or exceeds authorized access and thereby obtains…information from any protected computer if the conduct involved an interstate or foreign communication.” 18 U.S.C. §1030(a)(2)(C), (g). The court held that any consent the service provider gave when they failed to challenge the defendants’ subpoena was invalid because the consent was obtained through deceit – namely, the deceit that the defendants’ subpoena was legally valid. The court interpreted the acts in light of the law of trespass, which similarly holds defendants liable for trespass if they obtain consent for entry through deceit. Not all deceit invalidates consent, however. The deceit must go to the heart of what makes the act “harmful or offensive.” The court found this to be the case here: “The subpoena’s falsity transformed the access from a bona fide state-sanctioned inspection into private snooping.”
The court also held that e-mail messages are in “electronic storage” pursuant to the terms of the Stored Communication Act even after the messages are downloaded by their recipients. The Act defines “electronic storage” as temporary, intermediate storage incidental to the transfer of electronic transmissions and storage for backup protection of electronic transmissions. The defendants claimed that the backup protection provision applied only to backup kept for the service provider’s benefit to aid in transmission. Since the messages in the case had already been transmitted to their recipients, they would therefore then fall outside the statute. The court found, however, that the service provider kept the messages in part as backup for the recipients, and that nothing in the statute’s language excludes backup kept for such a purpose.
The court also rejects the defendants’ claim – accepted by the trial court – that the Computer Fraud and Abuse Act “does not apply to unauthorized access of a third party’s computer.” The court finds that the statute’s language contradicts this reasoning. The statute offers a remedy to “any person” who suffers loss due to violations of the statute, not just the owner of the computer where the messages were stored.
Lastly, the court affirmed the district court’s finding that the Wiretap Act does not provide a cause of action for the plaintiffs, because the act applies only to “acquisition contemporaneous with transmission,” not to the acquisition of stored materials.