News & Events

Exceeding Scope Of Authorized Use Of Password Violates Stored Communications Act

In happier times, your business partner gave you the password to his personal email account so you could access business documents stored there.  Years later, after your relationship soured, you used the password to access his emails again.  According to a federal court in Massachusetts, you may be liable for statutory and punitive damages for violating the Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701-2712.

In Cheng v. Romo, 2013 U.S. Dist. LEXIS 179727 (D. Mass. Dec. 20, 2013), the United States District Court for the District of Massachusetts concluded that previously opened emails stored only on the server of a web-based email system (i.e. Yahoo!) constitute “backups” and, thus, meet the definition of “electronic storage” under the SCA.  A jury had already concluded that Romo intentionally exceeded the scope of her authorization by accessing the emails and awarded Cheng $325,000 in damages.  Romo argued in a motion for judgment as a matter of law that because the emails were stored in only one location – Yahoo!’s server – they were not being stored for “purposes of backup protection” under the SCA’s definition of “electronic storage.”  Cheng at *8.  The Court rejected this argument, noting that another copy was created by virtue of the text of the emails being transmitted to her Internet browser when she accessed them.  Id.  The Court also found that Romo was straining to interpret the SCA in her favor, noting that “the clear intent of the SCA was to protect a form of communications in which the citizenry clearly has a strong reasonable expectation of privacy.”  Id. at *14.

The holding does very little to clear up an increasingly muddy area of the law.  Notably, the Court in Cheng had to parse through and distinguish a number of conflicting opinions from other jurisdictions.  See, e.g., Jennings v. Jennings, 736 S.E.2d 242, 245 (S.C. 2012) (“We decline to hold that retaining an opened e[-]mail [on the server of a web-based email system] constitutes storing it for backup protection under the Act.”).  Many commentators attribute the conflicting interpretations to the difficulty in applying the aging SCA (enacted in the 1985) to emerging technologies.  Unless the SCA is updated (or information technology stops evolving), it’s safe to expect continued uncertainty.

Michael C. McCabe, Jr.