Access to private email server supports Stored Communications Act claims

Devine v. Kapasi, 2010 WL 2293461 (N.D. Ill. June 7, 2010)

Kapasi and Devine were equal shareholders in a corporation. In August 2009, the two decided to part ways. The corporation transferred one of its servers to Devine, and he immediately put it into the service of his new company.

After the server was transferred, Kapasi and some employees of the old company allegedly logged on to the server to access and delete email messages stored on that machine. Devine and his new company sued for violation of the Stored Communications Act (at 18 U.S.C. §2701) and the Computer Fraud and Abuse Act (at 18 U.S.C. §1030).

The defendants moved to dismiss under FRCP 12(b)(6) for failure to state a claim. The court denied the motion as to the Stored Communications Act claims but granted the motion (with leave to amend) as to the Computer Fraud and Abuse Act claims.

The Stored Communications Act claims

The defendants argued that the Stored Communications Act did not apply to access to the server because plaintiffs did not provide an electronic communications service to the public. Defendants relied on the case of Andersen Consulting LLP v. UOP, 991 F.Supp. 1041 (N.D.Il.1998) to support this argument. In that case, the court dismissed a Stored Communications Act claim for unauthorized disclosure of emails under 18 U.S.C. §2702. The Andersen Consulting court held that disclosure of emails obtained from the server of a company not in the business of providing electronic communications services to the public did not violate the Stored Communications Act.

This case, however, arose under 18 U.S.C. §2701, which does not impose the same scope on potential defendants – the term “to the public” does not appear in connection with the provision of electronic communication services in §2701. Section 2701 deals with unauthorized access, while §2702 deals with unauthorized disclosure.

So the court held that “[w]here, as here, a plaintiff pleads that it stores electronic communications on its own systems, and that a defendant intentionally and without authorization got hold of those stored communications through the plaintiff’s electronic facilities, the plaintiff states a claim under § 2701 of the [Stored Communications Act].”

The Computer Fraud and Abuse Act claims

The court dismissed the Computer Fraud and Abuse Act claims, finding that the plaintiffs failed to plead that they suffered a cognizable “loss” under the statute. The plaintiffs were required to plead that the defendants’ conduct “caused . . . loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.” Such allegations were simply missing from the complaint.

The defendants tried an interesting argument that the court rejected as premature at the motion to dismiss stage. They argued that since one of the plaintiffs was a technology company, it should have had a backup of all the data allegedly deleted. Therefore, any cost in excess of the $5,000 statutory threshold would not be a “reasonable cost.” Though it didn’t fly at the motion to dismiss stage, such an argument may fare better in a motion for summary judgment.

Photo courtesy Flickr user Jordiet under this Creative Commons License.