You’ve Got My Mail: Court Rejects Challenge to Employer’s Computer Access

| Jason M. Knott

Even employers who are devoted to higher callings can find themselves in worldly disputes with former employees over access to emails and computer files.

For example, the National Institute for Newman Studies is devoted to researching Cardinal John Henry Newman, who will be canonized later this year. While awaiting Newman’s ascent to sainthood, however, the Institute has been dealing with a mundane problem: a lawsuit brought by its former executive director, Robert Christie.

The Institute terminated Christie in 2016. While the two were negotiating over severance, the Institute needed to find out information from Christie about an upcoming conference he had scheduled with Father Ian Ker. Christie didn’t provide the details, so the Institute took matters into its own hands. A congregation of employees, including its office manager, accessed Christie’s desktop computer, opened his Yahoo! emails (which were set up to download to his computer), and searched for emails involving Father Ker. Lo and behold, they uncovered emails that “contained negative comments” by Christie about the Institute. As a result, the Institute withdrew its offer of severance.

Christie turned to the courts. He filed a complaint in federal court against the Institute and two members of its board of directors, alleging that they had violated the Computer Fraud and Abuse Act (CFAA), the Stored Communications Act (SCA), the New Jersey Computer Related Offenses Act (NJCROA), and invaded his privacy. Declining to turn the other cheek, the Institute filed counterclaims against Christie for replevin, bailment, and unjust enrichment because he took his work laptop with him when he left (although he returned it during the litigation).

Recently, Christie faced his judgment day: the district court granted summary judgment to the Institute on all of his claims. The court’s opinion contains a useful discussion of the laws under which Christie sued and how they apply to an employer’s access to employee computers and email accounts.

So how did the Institute avoid condemnation?

Critically, the court said, CFAA only protects against unauthorized access to computers. The computers that the Institute allegedly accessed—the desktop and laptop used by Christie—were its property, so its access was authorized.  Because Christie didn’t own the computers, he couldn’t exclude the Institute from accessing them, even if he had locked it with a personal password and didn’t want to allow the Institute to read his personal emails. Christie’s NJCROA claim failed for the same reason.

Meanwhile, Christie’s invasion of privacy claim was premised on the office manager’s viewing of Christie’s Yahoo! emails, as downloaded to his desktop. But the office manager had permission from the owner of the desktop—the Institute—to conduct the search. She read fewer than ten emails and stopped immediately when she found an email in which Christie spoke ill of the Institute to Father Ker. At the time, she was not aware that some of the emails were in fact Christie’s personal emails. Based on these facts, Christie could not show that the Institute had intentionally invaded his privacy.

Finally, Christie’s SCA claim failed because the accessed emails were not stored in a facility that provided communication services; rather, they were stored in his computer.

Employers should note, however, that changing some of the facts could well have changed the outcome in Christie’s case. For example, if the employer had accessed emails stored on the Yahoo! server—not on the computer—it might have run afoul of the SCA. Similarly, if the employer had used Christie’s password to log into a personal device, not a device that it owned, it might not have escaped liability under CFAA or the NJCROA. And if it had unreasonably and intentionally intruded into highly private emails without good cause, the invasion of privacy tort might have been sustainable.

In addition to granting judgment against Christie, the court also allowed the Institute’s replevin and bailment claims to survive for trial. The court concluded that under the law governing these claims, the Institute could hold Christie liable for taking his laptop even though he eventually returned it. Employers should not ignore that these and other legal remedies may be available against employees who wrongfully take their property.

Information provided on InsightZS should not be considered legal advice and expressed views are those of the authors alone. Readers should seek specific legal guidance before acting in any particular circumstance.

As the regulatory and business environments in which our clients operate grow increasingly complex, we identify and offer perspectives on significant legal developments affecting businesses, organizations, and individuals. Each post aims to address timely issues and trends by evaluating impactful decisions, sharing observations of key enforcement changes, or distilling best practices drawn from experience. InsightZS also features personal interest pieces about the impact of our legal work in our communities and about associate life at Zuckerman Spaeder.

Information provided on InsightZS should not be considered legal advice and expressed views are those of the authors alone. Readers should seek specific legal guidance before acting in any particular circumstance.