Court Ruling Impacts BYOD

By Rory McNamara

What happens to an employee’s expectation of privacy regarding her personal e-mails on her company-issued Blackberry after she leaves the company?

If a recent ruling by the U.S. District Court for the Northern District of Ohio stands up to further scrutiny, the answer could be that a former employee has greater expectations of privacy after her departure than while she was still employed.

In Lazette v. Kulmatycki, Sandi Lazette alleged that her former employer, Verizon, through her ex-supervisor, Chris Kulmatycki, read some 48,000 of Lazette’s personal Gmail e-mails in the 18 months following her departure from the company.

The court found that Lazette used the Blackberry for work but was also told by her employer that she could access her personal e-mail on the device, which she did. When she returned the phone, Lazette failed to scrub her Gmail account from the device. This allowed Kulmatycki to view and delete personal e-mails from Lazette’s account via the Blackberry.

In shooting down Verizon’s motion to dismiss, the court ruled that the Stored Communications Act (SCA) applies to unauthorized access of employees’ personal e-mail accounts and not just large-scale computer hacking.

According to the court, authorization to view her e-mails was not given by Lazette. Unlike typical employee/employer BYOD arrangements, after her departure, Lazette and Verizon no longer “shared” the device, and Lazette neither knew nor approved of the company’s continued access to the device. As the court states in its ruling, “the mere fact that Kulmatycki used a company-owned blackberry to access (Lazette’s) e-mails does not mean that he acted with authorization when he did so.” Likewise, the court ruled that Lazette’s failure to scrub the phone before returning it to the company did not constitute implied consent to Verizon’s continued access.

The court also made some nitty-gritty determinations regarding the SCA; in particular, Lazette’s Gmail account—rather than the device—was a “facility” for purposes of the law. Such a ruling seeks to negotiate between the outdated statutory language of the SCA and the modern technological realities of multiple servers and devices simultaneously containing and displaying data.

Perhaps most disappointing to Lazette was the court’s conclusion that the SCA’s protections of items in “electronic storage” cover only her unopened e-mails and not those she had already viewed.

Though Kulmatycki’s reading of Lazette’s previously opened e-mails may not violate the SCA, tort remedies are available at the state level.

Interestingly, but perhaps not surprising in the ever-evolving field of privacy law, tort claims exist where statutes are not violated. Instead of statutory infractions providing prima facie or even per se proof of liability, such liability can exist despite the absence of such infractions.

While reserving for the jury whether Kulmatycki’s alleged actions violated Lazette’s reasonable expectations of privacy, the court noted the importance of Verizon’s BYOD policy, asserting “the precise terms of the warning matter.”

Whatever those terms might have been, a jury will likely be charged with determining whether they should have any bearing on employees who have left the company and their devices behind.