Facebook hacking victim’s CFAA and SCA claims not barred by statutes of limitation

Knowledge that email account had been hacked did not start the statutes of limitation clock ticking for Computer Fraud and Abuse Act and Stored Communications Act claims based on alleged related hacking of Facebook account occurring several months later.

Plaintiff sued her ex-boyfriend in federal court for allegedly accessing her Facebook and Aol email accounts. She brought claims under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”), and the Stored Communications Act, 18 U.S.C. § 2701, et seq. (“SCA”).

Both the CFAA and the SCA have two-year statutes of limitation. Defendant moved to dismiss, arguing that the limitation periods had expired.

The district court granted the motion to dismiss, but plaintiff sought review with the Second Circuit Court of Appeals. On appeal, the court affirmed the dismissal as to the email account, but reversed and remanded as to the Facebook account.

In August 2011, plaintiff discovered that someone had altered her Aol email account password. Later that month someone used her email account to send lewd and derogatory sexually-themed messages about her to people in her contact list. A few months later, similar things happened with her Facebook account — she discovered she could not log in in February 2012, and in March 2012 someone publicly posted sexually-themed messages using her account. She figured out it was her (now married) ex-boyfriend and filed suit.

The district court dismissed the claims because it found plaintiff first discovered facts giving rise to the claims in August 2011, but did not file suit until more than two years later, in January 2014. The Court of Appeals agreed with the district court as to the email account. She had enough facts in 2011 to know her Aol account had been compromised, and waited too long to file suit over that. But that was not the case with the Facebook account. The district court had concluded plaintiff knew in 2011 that her “computer” had been compromised. The Court of Appeals observed that the lower court failed to properly recognize the nuance concerning which computer systems were being accessed without authorization. Unauthorized access to the Facebook server gave rise to the claims relating to the Facebook account. The 2011 knowledge about her email being hacked did not bear on whether she knew her Facebook account would be compromised. The court observed:

We take judicial notice of the fact that it is not uncommon for one person to hold several or many Internet accounts, possibly with several or many different usernames and passwords, less than all of which may be compromised at any one time. At least on the facts as alleged by the plaintiff, it does not follow from the fact that the plaintiff discovered that one such account — AOL e-mail — had been compromised that she thereby had a reasonable opportunity to discover, or should be expected to have discovered, that another of her accounts — Facebook — might similarly have become compromised.

The decision gives us an opportunity to think about how users’ interests in having their data kept secure from third-party access attach to devices and systems that may be quite remote from where the user is located. The typical victim of a hack or data breach these days is not going to be the owner of the server that is compromised. Instead, the incident will typically involve the compromising of a system somewhere else that is hosting the user’s information or communications. This decision from the Second Circuit recognizes that reality, and contributes to the reasonable opportunity for redress in those situations.

Sewell v. Bernardin, — F.3d —, 2015 WL 4619519 (2nd Cir. August 4, 2015)

Evan Brown is an attorney in Chicago helping clients manage issues involving technology and new media.

Independent contractor’s email was key factor in finding he had apparent authority to bind principal

Defendant petroleum producer hired an independent contractor to negotiate oil and gas leases on its behalf. One such lease was with plaintiff, which the independent contractor negotiated in large part using the email account defendant issued to him. After the price of oil dropped, defendant would not pay on the lease. When plaintiff sued, defendant claimed its independent contractor did not have the authority to bind defendant to the lease in the first place.

The trial court disagreed with defendant’s argument that its independent contractor did not have apparent authority to bind the principal-defendant. Defendant sought review. On appeal, the Court of Appeals of Texas affirmed.

It held that a reasonably prudent person would have believed the independent contractor possessed the authority to contract on defendant’s behalf because defendant acted with such a lack of ordinary care as to clothe the independent contractor with indicia of authority.

Among the most important evidence concerning these indicia of authority was the fact that the independent contractor communicated using the email account under defendant’s domain name. The court noted that another court had held that giving someone a company email address does not, in and of itself, cloak that user with carte blanche authority to act on behalf of the company. “Were this so, every subordinate employee with a company e-mail address—down to the night watchman—could bind a company to the same contracts as the president.” CSX Transp., Inc. v. Recovery Express, Inc., 415 F.Supp.2d 6, 11 (D.Mass.2006).

But in this case, defendant knew of the independent contractor’s negotiations by email, and did nothing to disclaim his authority to bind defendant to the lease.

PanAmerican Operating, Inc. v. Maud Smith Estate, — S.W.3d —, 2013 WL 3943091 (Tex.App.-El Paso, July 24, 2013)

Can an LLC member violate the Stored Communications Act by accessing other members’ email?

Yes.

Two members of an LLC sued another member and the company’s manager of information services alleging violation of the Stored Communications Act, 18 U.S.C. § 2701 et seq. Defendants moved to dismiss for failure to state a claim. The court denied the motion.

Plaintiffs alleged that the LLC’s operating agreement required “Company decisions” to be made based on four of the five members voting in favor. The company had no policy in place authorizing the search and review of employees’ email messages, nor did it inform employees that their email may be accessed. Plaintiffs did not consent to their emails being searched and reviewed.

In connection with a dispute among the LLC members, one of them allegedly (in cooperation with the manager of information services) accessed the company’s email server using administrative credentials. She allegedly performed over 2,000 searches, retrieving other members’ communications of a personal nature, as well as communications with those members’ legal counsel.

Defendants moved to dismiss under 12(b)(6), arguing that plaintiffs could not show the access was unauthorized. Defendants argued that there was no electronic trespass, as the access was accomplished simply by company procedure.

The court rejected defendants’ arguments, finding that plaintiffs had sufficiently alleged an SCA violation, since plaintiffs had not consented to the access, and because no policy existed permitting an individual to search and review emails of members or employees absent the four-fifths approval required by the operating agreement.

Joseph v. Carnes, 2013 WL 2112217 (N.D.Ill. May 14, 2013)

Company sued by university can continue emailing that it will not hire students

University of Illinois v. Micron Technology, Inc., No. 11-2288 (C.D.Ill, Order dated April 11, 2013)

The University of Illinois sued Micron for patent infringement. Micron sent an email to several professors that read in part:

Because Micron remains a defendant in a patent infringement lawsuit that [the University] filed against Micron in Federal court in Illinois on December 5, 2011, effective immediately, Micron will no longer recruit [University] students for open positions at any of Micron’s world-wide facilities.

The University asked the court for a preliminary injunction barring future harassing communications from Micron to any University employee. The court denied the motion, holding that:

  • the term “harassing” was vague and therefore the requested injunction would violate Rule 65(d)’s requirement that the injunction describe in reasonable detail the acts to be restrained
  • the prior restraint of speech would likely violate Micron’s First Amendment rights
  • the sought-after preliminary injunction did not pertain to the injury alleged in the complaint

Though the court sided in favor of Micron on the question of whether to enter an injunction, it questioned the company’s motives. It found Micron’s decision to be “without tact,” and was “very concerned” that Micron was trying to interfere with the litigation. But there was not sufficient evidence for the court to draw such a conclusion.

Accessing email server from Canada supported personal jurisdiction in the U.S.

MacDermid, Inc. v. Deiter, No. 11-5388 (2d Cir. December 26, 2012)

The Second Circuit reversed a District Court that held it could not exercise personal jurisdiction over a Canadian defendant accused of accessing email servers located in Connecticut.

Defendant lived and worked in Canada for a U.S.-based company having its principal place of business in Connecticut. She knew her company’s email servers were located in Connecticut.

When she learned that she was about to be terminated from her position, she forwarded confidential company data from her work email account to her personal account.

The former employer sued in the U.S. District Court for the District of Connecticut. That court dismissed the case, holding that the relevant Connecticut state statute (Conn. Gen. Stat. § 52-59b(a)) did not authorize the exercise of personal jurisdiction. The lower court found that although the statute authorized personal jurisdiction over one who “uses a computer” in the state, defendant’s alleged computer use took place exclusively in Canada.

Plaintiff-employer sought review with the Second Circuit Court of Appeals. On appeal, the court reversed, holding that the state statute authorized the exercise of personal jurisdiction, and that such exercise comported with due process.

The court found it was “not material” that defendant was outside Connecticut when she accessed her employer’s servers. It held that the statute required only that the computer or network, not the user, be located in the state.

On the due process issue, the court found that defendant had minimum contacts with Connecticut, as she knew the servers were located there. The court also found that she purposefully directed her alleged tortious activity there. After balancing other relevant factors (e.g., location of witnesses, burden on the defendant, Connecticut’s interests in seeing its laws enforced), the court found the exercise of personal jurisdiction to be reasonable.

Email privacy is weak even with court oversight

Huntington Ingalls Inc. v. Doe, 2012 WL 5897483 (N.D. Cal. November 21, 2012)

A federal court in California has allowed a party to subpoena Google to learn the identity of a Gmail account owner, even though that owner did nothing to involve himself in the dispute.

A contractor that plaintiff hired accidentally emailed “property” belonging to plaintiff to the wrong email address. (The court’s opinion is not clear on the nature of this “property,” but we are safe in assuming it was some sort of proprietary information.) Plaintiff sent messages to the Gmail account seeking return of the property, but the unknown account owner did not respond.

Plaintiff filed suit in federal court against the anonymous account holder (John Doe) seeking declaratory and injunctive relief (i.e., to get the property back). Since plaintiff did not know Doe’s identity, it sought expedited discovery so that it could subpoena Google for the identifying information.

The court granted the motion for leave to send the subpoenas. It found that:

  • without the subpoena, plaintiff would have no other way to obtain “this most basic information”
  • the subpoena was the exclusive means available to plaintiff to protect its property interest
  • plaintiff’s proposed procedure guarded Doe’s due process rights by requiring Google to give Doe notice of the subpoena and an opportunity to object

The court’s opinion shows how any privacy interest in one’s email account information is tenuous at best. In this situation, the target of the unmasking efforts was, as they say, minding his own business, not doing anything to inject himself into any dispute.

Moreover, unlike many previous cases in which courts have required the party seeking discovery of an anonymous party’s identity to put forth facts showing it has a good case, there was no claim here that Doe did anything wrong. Instead, it was the sender’s mistake. One could find it unsettling to know that other people’s errors could cause a court to order one’s identity to be publicly revealed.

Court allows service of complaint and summons via Yahoo email account

U.S. Commodity Futures Trading Com’n v. Rubio, 2012 WL 3614360 (S.D.Fla., August 21, 2012)

The government filed a civil suit against defendant for violation of the federal Commodity Exchange Act and related regulations. Try as it might, the government could not successfully serve the complaint and summons by traditional means. So the government asked the court for leave to serve the papers via defendant’s Yahoo email account. The court granted the motion.

During an earlier state investigation, defendant had provided a Yahoo email address while testifying under oath. The government claimed that it had sent several messages to the same account, each time getting a confirmation receipt indicating the message had been read on a Blackberry using the Digicel network. The evidence in the record showed that Digicel is a provider of network services in the Caribbean, Central and South America.

Federal Rule of Civil Procedure 4(f)(3) authorizes a court to order an alternate method for service to be effected upon defendants located outside the United States, provided that such service (1) is not prohibited by international agreement and (2) is reasonably calculated to give notice to the defendant consistent with its constitutional due process rights.

In evaluating whether email service in this case would run afoul of international law, the court found that the Hague Convention did not apply because defendant’s precise location was not known — the only information in the record was that he was in the Caribbean, Central or South America. The Inter-American Convention on Letters Rogatory did not prohibit email service in this case, as that Convention would not necessarily preclude service by means outside the scope of its terms.

The court found that email service was also reasonably calculated to give notice to defendant, based on the facts in the record. Here, the government showed that service to the still-active Yahoo email address that defendant had provided under oath was reasonably calculated to give him notice of the action against him and an opportunity to respond.

See also:

Federal court permits service of process on Australian defendants by e-mail

Service of process by e-mail allowed for foreign defendants

Court rejects request for permission to serve process by e-mail

Employer did not violate employee’s privacy by accessing personal laptop

Sitton v. Print Direction, Inc., — S.E.2d —, 2011 WL 4469712 (Ga.App. September 28, 2011)

A Georgia court held that an employee using a personal laptop to conduct business for a competitor did not have an invasion of privacy claim when his employer busted him at work using the laptop to send email.

Plaintiff-employee worked for a printing company. His wife also owned a printing business. On the side, plaintiff would broker printing jobs, sending them to his wife’s company. He would bring his own laptop to work and use that to conduct business for his wife’s company while at work for his employer.

One day, the boss came into plaintiff’s office (apparently when plaintiff was not in the room) and saw that the computer screen on plaintiff’s computer showed a non-work related email account, with messages concerning the brokering of print jobs to the wife’s company. The boss printed out the email messages.

Plaintiff sued, claiming, among other things, common law invasion of privacy and violation of a provision of the Georgia Computer Systems Protection Act. The case went to trial, and plaintiff lost. In fact, he ended up having to pay almost $40,000 to his employer on counterclaims for breach of loyalty. Plaintiff sought review of the trial court’s decision. On appeal, the court affirmed.

The appellate court affirmed the trial court’s finding that the boss’s access to plaintiff’s computer did not constitute common law invasion of privacy based upon an intrusion upon plaintiff’s seclusion or solitude, or into his private affairs. The court held that the boss’s activity was “reasonable in light of the situation” because:

  • He was acting in order to obtain evidence in connection with an investigation of improper employee behavior,
  • The company’s interests were at stake, and
  • He had “every reason” to suspect that plaintiff was conducting a competing business on the side, as in fact he was.

To bolster this holding, the court cited from a Georgia Supreme Court case that said, “[T]here are some shocks, inconveniences and annoyances which members of society in the nature of things must absorb without the right of redress.”

Court sides with college accused of snooping on student’s email

Reichert v. Elizabethtown College, 2011 WL 3438318 (E.D.Pa. August 5, 2011)

Plaintiff’s threatening behavior toward certain faculty members of his college led the administration to monitor plaintiff’s school-issued email account. Plaintiff’s lawsuit against the school included claims for violation of the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), and common law invasion of privacy.

The college moved to dismiss these claims and the court granted the motion.

The court found that the ECPA claim failed because plaintiff did not allege the interception of the email messages was contemporaneous with the messages’ transmission. As for the SCA claim, the court noted that the statute protects electronic communications providers from liability for searches of their own systems which are used to provide the service. The school provided the service, so it could not be liable for monitoring its own system. And as for invasion of privacy, the court found that plaintiff had failed to allege the mental distress required to sustain such a claim.

Yahoo not liable for blocking marketing email

Section 230 of Communications Decency Act (47 U.S.C. 230) shields Yahoo’s spam filtering efforts

Holomaxx v. Yahoo, 2011 WL 865794 (N.D.Cal. March 11, 2011)

Plaintiff provides email marketing services for its clients. It sends out millions of emails a day, many of those to recipients having Yahoo email addresses. Yahoo used its spam filtering technology to block many of the messages plaintiff was trying to send to Yahoo account users. So plaintiff sued Yahoo, alleging various causes of action such as intentional interference with prospective business advantage.

Yahoo moved to dismiss, arguing, among other things, that it was immune from liability under Section 230(c)(2) of the Communications Decency Act. The court granted the motion to dismiss.

Section 230(c)(2) provides, in relevant part, that “[n]o provider or user of an interactive computer service shall be held liable on account of … any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable.”

Plaintiff argued that immunity should not apply here because Yahoo acted in bad faith by using “faulty filtering technology and techniques,” motivated “by profit derived from blocking both good and bad e-mails.” But the court found no factual basis to support plaintiff’s allegations that Yahoo used “cheap and ineffective technologies to avoid the expense of appropriately tracking and eliminating only spam email.”

The court rejected another of plaintiff’s arguments against applying Section 230, namely, that Yahoo should not be afforded blanket immunity for blocking legitimate business emails. Looking to the cases of Goddard v. Google and National Numismatic Certification v. eBay, plaintiff argued that the court should apply the canon of statutory construction known as ejusdem generis to find that legitimate business email should not be treated the same as the more nefarious types of content enumerated in Section 230(c)(2) (content that is, for example, obscene, lewd, lascivious, filthy, excessively violent, harassing).

On this point the court looked to the sheer volume of the purported spam to conclude Yahoo was within Section 230’s protection to block the messages — plaintiff acknowledged that it sent approximately six million emails per day through Yahoo’s servers and that at least .1% of those emails either were sent to invalid addresses or resulted in user opt-out. On an annual basis, that amounted to more than two million invalid or unwanted emails.
