Digital Media Lawyer Blog

Digital media law update: Plaintiffs who believe they have been wronged by acts committed by U.S. multinational corporations in foreign countries have long attempted to bring claims against such corporations in the U.S., and based on U.S. law. However, such plaintiffs face many hurdles. Some claims are dismissed for lack of personal jurisdiction over the defendant. Others are dismissed on forum non conveniens grounds, if most of the parties and the evidence are located in the foreign jurisdiction. Others are dismissed because the law invoked by the plaintiffs is deemed not to have effect outside the U.S. Such was the case in Zheng v. Yahoo! - even though at least one defendant was a U.S. resident and some of the relevant acts allegedly occurred in the U.S. See Zheng v. Yahoo!, Inc., N.D. Cal., No. 3:08-cv-01068, Order Granting Defendants' Motion to Dismiss, (Dec. 2., 2009).

The allegations in the complaint would tug at the sympathies of most Americans. The complaint was a putative class action brought by Chinese citizens who were part of a pro-democracy Chinese political group. The plaintiffs alleged that Yahoo!'s Honk Kong affiliate had disclosed their private electronic communications to the People's Republic of China (PRC). As a result of these disclosures, the plaintiffs alleged that they were subjected to prosecution by the PRC government and "suffered physical injuries, emotional distress, detention, arrest, torture, imprisonment, death in custody, seizure of property, and/or fear of returning to the PRC."

The plaintiffs further alleged that "Yahoo!, Inc. exercised functional control and supervision over important aspects of the operations of Yahoo! China" and hence was responsible for Yahoo! Hong Kong's acts.

The complaint brought claims against Yahoo! Hong Kong and Yahoo! under the Electronic Communications Privacy Act (ECPA) (18 U.S.C. §§ 2510 et seq. and 2701 et seq.). With a number of exceptions, the ECPA prohibits the interception of electronic communications, and the unauthorized accessing of or the divulging of communications which are in electronic storage. The ECPA also provides a private right of action for violations of its provisions, under which a plaintiff can recover damages, punitive damages and attorneys fees. 18 U.S.C. § 2520, 2707. For more on the ECPA, see our post of August 5, 2009.

The exceptions to the ECPA are important. For example, Section 2701 prohibits an electronic communications service provider from knowingly divulging to any person or entity the contents of a communication while in electronic storage. However, Section 2703 provides that a government agency can require disclosure of the contents of a stored communications if it obtains a warrant or subpoena that qualifies with the ECPA and other U.S. law. Section 2703 also provides that a service provider is immune from criminal or civil penalties if it provides the contents of a stored communication pursuant to such a warrant or subpoena, or pursuant to a court order.

Continue reading "Zheng v. Yahoo!: U.S. Companies Not Subject to U.S. Restrictions on Disclosure of Private Emails if the Disclosure Is Made in a Foreign Country" »

Judge Jean Hamilton's recent order in Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting, LLC, E.D. Missouri (October 26, 2009) held that an ex-employee who accesses information on a company-issued laptop for a purpose adverse to the company can be liable under the federal Stored Communications Act (SCA). Judge Hamilton's ruling also suggests that even current employees can be held liable under the SCA as well, if they access information from a laptop for a purpose that violates their duty of loyalty to the company.

This ruling is important, because the SCA provides for criminal penalties, as well civil actions, against offenders. 18 U.S.C. §§ 2701(b), 2707. Tens of millions of U.S. employees are issued company-owned laptops, and countless employees download information from these computers for purposes adverse to their former employer's interests, both during and after leaving the company. Under Judge Hamilton's ruling, many thousands of these employees theoretically stand in jeopardy of federal prison time.

But is Judge Hamilton's ruling right? At least one other recent ruling suggests that the SCA cannot be used in this situation at all. See Thule Towing Systems, LLC v. McNallie, E.D.Mich., No. 2:09-cv-10905, Order (July 15, 2009). Other case law suggests that the SCA only reaches employees who access to emails and other communications stored on company-owned computers has been expressly revoked.

Judge Hamilton's decision was based on SCA Section 2701, which provides that "whoever (1) intentionally accesses without authorization a facility through which an electronics communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such a system shall be punished as provided in subsection (b) of this section." 18 U.S.C. § 2701(a).

Here, Lasco had alleged that the defendants, Shaw and Hall, were long-time Lasco sales executives and had been provided with company laptops for use in company business. In 2008, Shaw and Hall decided to start a competing restaurant food supply. Both before and after Lasco became aware of this new business, but which they were still Lasco employees, the defendants allegedly "accessed, printed, copied and/or downloaded" a substantial amount of data from their laptops, as well as from Lasco's network, for use in their competing business. See Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing & Consulting LLC, E.D.Missouri, No. 4:08-cv-01683, Third Amended Complaint (May 15, 2009).

Using principles of agency laws, Judge Hamilton reasoned as follows:

"While Lasco afforded Defendants access to its computers, networks and information for purposes of their employment, Lasco alleged that Hall and Shaw accessed Lasco's Information to benefit the interests of Defendants, not Lasco. Defendant Hall and Shaw's authorization to access this information ceased when they breached their duty of loyalty to Lasco and their employment terminated" (emphasis added).

Continue reading "Lasco Foods v. Hall and Shaw: Can an Employee Be Liable Under Federal Wiretap Laws for Accessing an Email on a Company Laptop for Purposes Adverse to the Company?" »

Internet privacy law: Lawyers frequently vent their frustration over the widely variant interpretations given to the outdated Electronic Communications Privacy ACT (ECPA) by courts around the country. A recent decision by a court in the Eastern District of Illinois reveals the problems caused by these differences, and also illustrates how thoughtful forum selection and "kitchen sink" pleading can prevent a plaintiff from being deprived of a remedy.

The facts of the case:

The case is Steinbach v. Village of Forest Park, Northern District of Illinois, Case No. 06C4215. The plaintiff, Theresa Steinbach was elected Commissioner of the Village of Forest Park in 2003. Upon her election, the Village provided Ms. Steinbach with a personal email account that was hosted by Hostway Corporation, a third party webmail service. Ms. Steinbach had a Village IT tech configure this email account so that it would forward all email traffic to her personal email account, which was not associated with the Village.

In 2006, Ms. Steinbach ran for mayor against co-defendant Anthony Calderone, but lost. Around this time, she discovered that she was not receiving all of her email in her private account. An investigation revealed that eleven emails she had sent from her personal email account had been forwarded to Calderone.

Ms. Steinbach sued Forest Park under four different legal authorities: (i) ECPA Part I (a/k/a, the Wiretap Act, 18 U.S.C. § 2510 et seq.); (ii) ECPA II (a/k/a, the Stored Communications Act, 18 U.S.C. § 2701 et seq.); (iii) The state common law claim, "intrusion of seclusion," and (iv) CFAA (18 U.S.C. § 1030).

The Court's inconsistent rulings on ECPA Parts I and II are based on a troublesome 7th Circuit position

Parts I and II of the ECPA were enacted as part of the same legislative process and use many of the same terms. For example, ECPA Part I contains a lengthy definition section, which Part II does not bother to repeat. Instead, the definition section for Part II, 18 U.S.C. § 2711, merely provides that the terms used in Part II have the same meanings given in the definition section for Part I, 18 U.S.C. § 2510. Similarly, both sections permit private causes of action for violations of their provisions "from the person or entity which engaged in that violation." See §§ 2520(a); 2707(a).

In apparent disregard of this parallelism, the Court found that the plaintiff did not have a right to bring a cause of action against the Village under ECPA Part I, but permitted her to maintain her cause of action against the Village under ECPA Part II. The Court never explained these inconsistent rulings. Its decision to reject the ECPA Part I claim was based on the fact that this ruling was required by controlling 7th Circuit precedent -- which itself seems to rest on very shaky ground.

Continue reading "Steinbach v. Forest Park: Navigating the Federal Court Splits on the Interpretation of the Electronic Communications Privacy Act (ECPA) to a Remedy" »

As data storage moves from equipment controlled by its authors into the "cloud" -- storage on equipment controlled by third parties -- there is an increased risk that unauthorized third parties will access this data and use it for nefarious purposes. The Stored Communications Act ("SCA", 18 U.S.C. § 2701 et seq.) is widely thought to provide protection from disclosure for emails and other private data that are in such electronic storage. However, a less-known loophole in the SCA can permit stored information to be accessed without the author's permission and then divulged to competitors, to adversaries, to strangers, or to the general public, without liability under the SCA.

The SCA provides that any person who intentionally accesses stored electronic communications without authorization or beyond the scope of his authorization is subject to civil and criminal penalties. 18 U.S.C. § 2701(a), (b). However, there are two important exceptions to this protection:

Even if an author of a communication has not authorized a third party to access that communication, the SCA provides that this unauthorized third party is immune from liability if he/she was authorized to gain access by the provider of the electronic communications service --such as the ISP or the business the operates the network. The SCA further provides that an unauthorized third party is also immune if he/she has been given permission to access the communication by a user of the service on which the communication is stored -- such as a member of a private website, such as a MySpace page.

This means that even if the author has not consented for anyone except for the recipients to access his/her private emails, a lot of people could still be looking at them, copying them and doing whoknowswhatelse to them -- with SCA-immunity.

That sounds bad enough. However, the next section in the SCA -- Section 2702 -- opens the door to unauthorized disclosure even wider.

Continue reading "Will Cloud Computing Create a Thunderstorm?: Loophole Permits Private Emails and other Digital Data Stored by Third Parties to Be Divulged to the Public without Stored Communications Act Liability" »

Employers seeking to discover what their employees are doing and writing on the internet will can find themselves out of the reach of federal wiretap laws (under the Electronic Communications Privacy Act ["ECPA"] and the Stored Communications Act ["SCA"]) so long as they limit their efforts to intercepting and accessing emails and web activity conducted or stored on company-operated networks. Reaching for forbidden apples from the Tree of the Knowledge of Good and Evil -- employee email accounts or websites operated by third-party servers -- can throw them out of this happy garden and into the cursed land of civil liability and even prison time.

First, wiretap law basics: Federal wiretap laws provide different levels of immunity to electronic communications service providers for accessing third-party communications, based on whether the communication is in-progress or "stored." (Fn1) Communications are considered stored regardless of whether the storage is temporary, intermediate, incident to impending transmission or more permanent storage for backup purposes. For example, in Konop v. Hawaiian Airlines, 302 F.3d 868, 874 (9th Cir. 2002), the 9th Circuit held that email messages stored on an electronic bulletin board system, but not yet received by the intended recipients, were stored, not in-progress communications.

In-progress communications, which are governed by the ECPA (18 U.S.C. §§ 2510 et seq.), are subject to a greater level of access restrictions. Stored communications, which are governed by the SCA (18 U.S.C. § 2701 et seq.) are subject to lesser access restrictions. In-progress communications may not be intercepted unless the employer meets one of two exceptions:

Exception 1: The employer provides the electronics communications service and interception is a "necessary incident" to the rendition of the communication service provider's business or "to the protection of the rights or property of the provider of that service." An employer can use the "necessary incident" exception to intercept employee emails or internet communications only if its equipment provides the communications services -- not if it merely has its employees subscribe to a third-party ISP to get email and internet access services. 18 U.S.C. § 2511(2)(a)(1).

Exception 2: The employer is "a party to the communication" or one of the parties to the communication has given prior consent to the interception. 18 U.S.C. § 2511. An employer can use the "consent" exception if it gets express or implied consent. Courts have found that employee consent to interception has been implied where an employer has clearly informed its employees that their communications will be monitored and explained the manner in which the monitoring would be conducted. (Fn2) 18 U.S.C. § 2511(c). To be safe, put your monitoring policy in the employee handbook -- and get the employees to sign a consent form.

Stored communications may not be accessed if the employer intentionally accesses or exceeds his authority to access the facility through which the electronic communications service is provided. 18 U.S.C. § 2701(a). However, there are big exceptions to this rule:

Continue reading "Employer Access of Employee Digital Communications and Federal Wiretap Laws: It's Easier to Be Found Immune if the Communications Reside on Your Servers" »

Now that the new FCC commissioners are in place, the FCC is getting down to the task of working on a new broadband plan. As would be expected, this is renewing the debate over the place of ISP-level filtering, or "surveillance", as some prefer to call it. See, e.g., http://www.publicknowledge.org/node/2568 On one hand, ISP-level filtering creates the potential for a solution to the massive loss of revenues that illegal file-sharing costs copyright holders. On the other hand, ISP-level filtering would doubtlessly be over-inclusive and prevent many fair uses of copyrighted material.

Regardless of the side of the debate you are on, it is critical to determine whether ISP-filtering is permissible under U.S. law. ISP-level filtering involves examining some portion of the header or contents of information packets passing through an ISP. The primary legal hurdles to such inspection are federal and state wiretapping laws.

Under the federal Electronics Communication Privacy Act (ECPA), it is unlawful to intentionally intercept electronic communications. 18 U.S.C. § 2511. However, there are a number of exceptions for ISPs. The most important of these include (i) interceptions that are "a necessary incident to the rendition of [the ISP's] service or to the protection of the rights or property of the provider of that service" and (ii) interceptions where "one of the parties to the communication has given prior consent to such interception." While both of these exceptions hold promise for those in favor of using ISP-filtering, both present practical problems.

Continue reading "Internet Service Provider-Level Filtering for Copyrighted Materials and Federal Wiretap Laws" »