Your client sued a competitor who is also the new employer of your client’s former employee. You suspect before the employee left, he sent your client’s proprietary information to his personal Gmail account. In discovery you request the Gmail messages, but none are produced. Undeterred, and, observing your ethical duty of zealous representation, you fire off a subpoena to Google for copies of the messages.
Bad news. Google ain’t gonna give ’em to you either. The Stored Communication Act (SCA) prevents Google and other email service providers from providing the content of email messages.
The SCA, enacted in 1986 and found at 18 U.S.C. 2701, et seq., protects against potential privacy breaches not addressed by the Fourth Amendment. Specifically, it prohibits “electronic communication service providers” and “remote computing service providers” from disclosing the content of electronic communications in response to civil subpoenas (and otherwise).
As defined by the SCA, the “’content” of wire, oral, and electronic communications is “any information concerning the substance, purport, or meaning of that communication.” 18 U.S.C. 2711(1) & 18 U.S.C. 2510(8).
The Account User Has Standing to Challenge Subpoena
“OK, fine,” you think to yourself. Under the SCA Google is not supposed produce contents of email, but the employee moved to quash the subpoena not Google. You will just argue that because you served the subpoena on Google and not the employee, he has no standing to challenge a subpoena on Google.
Don’t bother. That’s a non-starter.
As explained in Leonardo World Corp. v. Pegasus Solutions, Inc., 5:15-mc-80165 (N.D. Cal. Sept. 24, 2015), the employee “has standing to move to quash [because] any individual with a personal rights and privileges with regard to personal email has standing to request an order quashing an third party subpoena.” See also Allstate Insurance Co. v. Lighthouse Law P.S., Case No. C15-1976RSL (W.D. Wash. Feb. 7, 2017)(holding that a party has standing to quash a subpoena issued to a third party where the party challenging the subpoena asserts a legitimate privacy interest in the material sought.)
Identification of Messages Based on Search Terms Divulges “Content” Under SCA
Ever resolute, after your first subpoena is quashed, you serve another seeking only dates, recipients and subject lines of messages containing certain keywords. You figure that the court surely will agree you are not seeking the content of the messages.
The courts are a step ahead of you.
The court rejected a similar request in Optiver Australia PTY., Ltd. v. Tibra Trading PTY, Ltd., Case No. 12-80242 (N.D. Cal. Jan 23, 2013), a case in involving a subpoena to Google seeking “documents sufficient to identify” recipients and sending, reading and deletion dates of messages containing specified search terms. That opinion noted that “[t]he SCA prohibits any knowing disclosure . . . of the content of electronic communications, no matter how insignificant” and refused to enforce the subpoena because the requested information would necessarily reveal that the contents of the emails contained the search terms.
Similarly, the Optiver decision also denied a request for subject lines of messages: “It is clear from the purpose and the nature of the subject line that it is ‘content’ protected by the SCA . . . In fact, a message’s subject line is nothing less than a pithy summary of the message’s content.”
Using Saved Login Information to Access Employee’s Personal Email Account May Violate SCA
After a forensic examination of your former employee’s company issued computer, you notice that not only did he access his personal email account on his work computer, he also saved his personal email username and password to the device. Your company’s employee handbook clearly states that work done on company devices may be monitored, so you figure you can just use his login info and take a look at the email in his personal account.
Be careful. Courts do not like that either.
In At Last Sportswear, Inc. v. Fishman, 2016 NY Slip Op 31239 (N.Y. Sup. Ct. 2016), the court rejected that idea. Following a similar case, the court noted that if a company’s computer policy makes it clear that the company may monitor the employee’s computer, the employee has no expectation of privacy as to the workplace computer. However, the court concluded that such language would not also permit the company to access the employee’s personal email account because personal e-mails are probably not stored on company equipment, and the company has no business relationship to those accounts. The court also rejected argument that saving a username and password on a work computer constituted authorization.
Private Messaging on Social Media Also Protected
Resigning yourself to the fact that web based email service providers will not turn over contents of email messages, you set your sights on private messages sent via social media.
Another dead end.
Private messages on social networks are also protected from disclosure in response to civil subpoena. For instance, in Crispin v. Christian Audiger, Inc., 717 F. Supp. 2d 965 (C.D. Cal. 2010), the court refused to order the production of private messages sent via Facebook or MySpace noting that there is “no basis for distinguishing between [social media] private messaging . . . and traditional web-based email . . . .”
Some Metadata Not “Content” Under SCA and May be Produced
All is not lost. Under the SCA, some metadata associated with electronic communications is not considered “content.” Systems Products & Solutions v. Scamlin, Case No. 13-CV-14947 (E.D. Mich. Aug. 8 2014). For instance, a subpoena may be permissible under the SCA if it seeks only user information for specific emails or accounts. Obodai v. Indeed, Inc., Case No. 13-80027-MISC (N.D. Cal. March 21, 2003). Similarly, email service providers may identify IP addresses from which email accounts have been accessed. Sams v. Yahoo!, Inc., CV-10-5897 (N.D. Cal. May 16, 2011).
Consent to Subpoena May Not Be Enough
What happens if the employee consents to the subpoena served on his private email service provider? Maybe nothing.
In PPG Industries, Inc. v. Jiangsue Tie Mao Glass, Co. Ltd., Case No. 2:14-cv-965 (W.D. Pa. July 21, 2017) PPG sued a former employee for theft of trade secrets. The employee passed away and the employer obtained consent from the employee’s executor to subpoena email from personal email accounts with Google, Microsoft and Yahoo. Despite the executor’s consent, the email service providers refused to provide the requested email.
PPG took up the issue with the court and argued that the SCA permits email service providers to disclose the content of email when they have “the lawful consent of the originator [of the electronic communication] or an addressee or intended recipient of such communication.” 18 U.S.C. sec. 2702(b)(3).
The court rejected PPG’s argument noting that there is no exception in the SCA for civil subpoenas and, even if there were, the statute says only that the service providers “may” provide the requested communications if lawful consent is given. The court also pointed out that, regardless, Yahoo was not obligated to turn over the employee’s personal email because Yahoo’s terms of service had a “No Right of Suvivorship and Non-Transferability” clause.
If Account User is a Party, They Must Produce Email Messages In Under Rule 34.
But remember, if you sued the employee too, he is obligated to produce relevant email messages in his possession, custody and control. See e.g. Lucas v. Jolin, Case No. 1:15-cv-108 (S.D. Ohio May 16, 2016), Flagg v. City of Detroit, 252 F.R.D. 346 (E.D. Mich. 2008) (noting that while the SCA may prohibit production of email contents via third party subpoena, parties are obligated to produce such information in their possession and custody and control if sought via a proper document request served pursuant to Fed. R. Civ. P. 34).