Introduction
Your email account has been hacked. Sensitive business communications, documents, spreadsheets, strategic business plans, and personal emails are now vulnerable to misuse and widespread dissemination. If you identify the culprit, what remedies are available to you? A federal statute, known as the Electronic Communications Privacy Act of 1986 ("ECPA"), might be useful to both criminally prosecute and civilly sue the hacker. Specifically, the Stored Communications Act ("SCA"), Title II of the ECPA, may assist you and law enforcement in bringing the hacker to justice. However, as we will discuss, because of ambiguities in the SCA, the measure of civil damages is unclear.
Stored Communications Act
The SCA provides for criminal and civil penalties for hacking into email servers. Under the SCA, it is a federal crime to "intentionally access[] without authorization a facility through which an electronic communication service is provided" or "intentionally exceed[] an authorization to access that facility," and by doing so "obtain[], alter[], or prevent[] authorized access to a wire or electronic communication while it is in electronic storage in such system."1 Thus, a hacker can be prosecuted for accessing, without authorization, emails on a server. In addition to the criminal provisions of the Act, the statute makes available a civil remedy for such violations. The SCA provides that a "court may assess as damages in a civil action . . . the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000."2 Thus, the statutory minimum is $1,000 per violation. Punitive damages are available if the violation is willful or intentional.3 To complete the panoply of remedies, the statute also authorizes an award of attorney's fees.4
The ECPA is the exclusive non-constitutional federal remedy available to plaintiffs.5 Although the ECPA preempts federal claims unrelated to the Constitution, one court has found that the Act does not preempt state law.6 It determined that Congress intended for the ECPA to set a floor for electronic protection and that states are free to provide for stronger protection than that offered at the federal level.7 Several states have adopted civil remedies similar to those found in the SCA.8
Statutory Damages
An important issue involves the amount of damages available under the SCA. Some of the statute's ambiguity results from the fact that email was not prevalent in 1986 when Congress enacted the legislation. First, although the SCA sets a damages floor of $1,000 per violation, it does not define "violation." Some courts have found that each individual hacked email message constitutes a separate violation.9 Others have held that each log-in to an account is a separate violation.10 Yet others have found that multiple log-ins within a short time-span can be combined and considered to be a single violation.11 Depending on a court's interpretation of the statute, the minimum civil remedy available could range from $1,000 to $1,000 multiplied by the number of emails accessed. Second, it is unclear whether the SCA mandates that a plaintiff prove "actual" damages as a prerequisite to any recovery. Proving actual damages, and not simply the intrusion into an email account, may pose difficulties to some plaintiffs. For instance, if the emails were of a personal nature, it may be difficult to prove actual damages. Proving actual damages may also add to litigation costs; a plaintiff may need to hire an economic expert. Third, one court has held that the SCA is inapplicable to emails which have already been opened;12 but other courts have not applied such a restriction. The lack of clarity in the SCA in these various areas may dissuade some victims from pursuing a cause of action for email intrusions. The ambiguous state of the law is illustrated by the discussion below.
Damages Per Message or Per Log-in?
Damages are a minimum of $1,000 per violation, but the SCA does not define "violation," and courts have interpreted the term differently. At least one court has recognized that each email accessed may be a separate violation. In Van Alstyne v. Electronic Scriptorium, Ltd.,13 a former employee discovered that her employer's president accessed her personal email accounts without her permission both during her employment and one year after her separation. Under the SCA, the jury awarded the plaintiff $150,000 in statutory damages and $75,000 in punitive damages. The jury arrived at the compensatory damage award by multiplying the statutory minimum award of $1,000 by the number of violations. The district court also awarded $135,723.56 in legal fees to the plaintiff.
Other case law suggests that the number of violations is not determined by the number of email messages accessed, but rather by the number of times that a person logs into a website without authorization. In Cedar Hill Associates, Inc. v. Paget,14 the plaintiff-employers sued a former employee for accessing 1,098 of their email messages without authorization. The court concluded that "the ECPA provides that plaintiffs would be entitled to recover a minimum of $1,000, and if the violation was willful or intentional, the Court may assess punitive damages."15 From this language, it appears that the court treated the act of accessing 1,098 emails without authorization as only one violation. Another court ruled that it is the number of log-ins and not the number of affected email messages that triggers the number of violations. In Steve Jackson Games, Inc. v. U.S. Secret Service,16 the Secret Service seized 162 unread, private emails from the plaintiffs. The district court awarded the statutory damage minimum of $1,000, but no more, to each plaintiff. It also awarded $195,000 in attorney's fees and $57,000 in costs. In Pietrylo v. Hillstone Restaurant Group,17 the defendant employer accessed a chat group on the popular social-networking site, MySpace.com, on five separate occasions without permission. The court awarded the two plaintiffs $2,500 and $903, respectively, in compensatory damages, which was capped by stipulation.
Yet another court has opined that multiple log-ins made within a short period of time should be constructively combined to be considered as one log-in. In Konop v. Hawaiian Airlines, Inc.,18 the victim was a former pilot of Hawaiian Airlines who created a website where he posted bulletins on work-related matters. The pilot restricted access to the website using user names and passwords. A Hawaiian Airlines vice president was concerned that the pilot used the website as a forum for untruthful allegations. He surreptitiously logged onto the website at least 36 separate times by using the log-in credentials of two Hawaiian Airlines pilots. The bankruptcy court capped the pilot's damages at $1,000, but the district court held that it erred in capping the damages so low. The district court, however, would not award $1,000 for each of the 36 log-ins. In remanding the case to the bankruptcy court, the district court stated that "if [Hawaiian Airlines] logged into [the pilot's] website several times in short succession, it might be appropriate to aggregate those intrusions if they functionally constituted a single visit to the website."19
Are Actual Damages Required?
Besides the differences in opinion regarding what constitutes a "violation," courts disagree about whether proving actual damages is a prerequisite to recovery under the SCA. The statute itself states that courts may award "the sum of actual damages suffered . . . but in no case shall a person entitled to recover receive less than . . . $1,000."20 In Cedar Hill Associates, described above, the court held that the plaintiff was not required to prove actual damages. The court read the statute to say that proving actual damages is not a prerequisite to receiving statutory damages. A plaintiff must simply prove that the defendant "intentionally access[ed] without authorization a facility through which an electronic communication service is provided."21
In contrast, the Fourth Circuit in Van Alstyne held that the plaintiff must prove actual damages before receiving the statutory damage award. It compared the SCA's civil damages provision to that in the federal Privacy Act, where the Supreme Court has limited the award to "actual damages suffered."22 The panel noted that the SCA and Privacy Act both contain the phrase, "but in no case shall a person entitled to recover receive less than the sum of $1,000."23 Because the SCA and the Privacy Act contain nearly identical language, the Fourth Circuit held that a plaintiff must prove actual damages before being entitled to statutory damages. Because "actual" damages might entail loss to one's business or reputation, requiring proof of actual damages would have a large impact on whether a plaintiff can successfully be awarded any damages. It would also affect the way plaintiff must try its case and the expenses thereof, because experts will likely be needed to prove actual damages.
"Opened" Emails
One district court held that the SCA does not apply to emails that were already opened by the authorized user. In Bansal v. Russ,24 the plaintiff claimed that the Assistant United States Attorneys and various federal agents violated his rights under the SCA because, among other things, they obtained "opened" emails. In this case, the government searched the plaintiff's university email account without a warrant. The district court opined that the SCA would be of no avail because the "Stored Communications Act . . . does not prohibit . . . obtaining 'opened' emails. . . ."25 Unfortunately, the district court did not explain how it came to this conclusion. Other courts, such as the Ninth Circuit in Theofel v. Farey-Jones, have held that messages which remain on the server after being read by the recipient are still covered by the SCA.26 The Ninth Circuit found it immaterial whether the recipient had read the message; what was determinative was whether the message was still stored on a server. Thus, a particular court's interpretation of whether "opened" emails are covered by the Act may affect a plaintiff's damage calculation.
Conclusion
In today's email-driven world, the ambiguity of this law is surprising and unfortunate. It is time for Congress to provide a clear and predictable damages remedy for the unlawful accessing of email. The SCA, enacted as part of the ECPA in 1986, is an outdated piece of legislation which did not envision the unique characteristics of emails. The legislation is difficult to apply because it is silent as to the definition of a "violation." Some courts have found each intrusion into a separate email to be a separate violation. Others have found each unauthorized log-in to a website to be a separate violation. And still other courts have held that multiple log-ins made within a short period of time could be combined and considered as one violation. Congress should clarify what it intends by a "violation." Congress should also clarify whether a victim of email hacking must prove actual damages as a prerequisite to receiving a statutory damage award. Such damages may be difficult to prove, especially in dealing with personal emails of a non-economic nature. Future legislation should provide for clearer guidelines with strong civil penalties. It would deter hackers from accessing emails without authorization and would provide a more predictable measure of damages for victims of such conduct.
1 18 U.S.C. § 2701(a)(1-2). Subsection a does not apply to a "person or entity providing a wire or electronic communications service." § 2701(c)(1).
2 § 2707(c).
3 Id.
4 Id.
5 See 18 U.S.C. § 2708.
6 See generally, Lane v. CBS Broad., Inc., 612 F. Supp. 2d 623 (E.D. Pa. 2009).
7 See, e.g., Haw. Rev. Stat. Ann. § 803-48 (LexisNexis 2007) (providing for 1) actual damages and profits, 2) $100 per day of violation, or 3) $10,000).
8 See Del. Code Ann. tit. 11, § 2427 (2009); Fla. Stat. Ann. § 934.27 (LexisNexis 2007); Md. Code Ann., Cts. & Jud. Proc. § 10-4A-08 (LexisNexis 2007); Minn. Stat. Ann. § 626A.32 (West 2003); N.J. Stat. Ann. § 2A:156A-32 (West 1985 & Supp. 2008); Pa. Cons. Stat. § 5747 (2009); Utah Code Ann. § 77-23b-8 (2009).
9 See Van Alstyne v. Elec. Scriptorium, Ltd., 560 F.3d 199 (4th Cir. 2009).
10 See Steve Jackson Games, Inc. v. U.S. Secret Serv., 36 F.3d 457 (5th Cir. 1994); Cedar Hill Assocs., Inc. v. Paget, Civ. No. 04-0557, 2005 U.S. Dist. LEXIS 32533 (N.D. Ill. Dec. 9, 2005).
11 Konop v. Haw. Airlines, Inc., 355 B.R. 225 (D. Haw. 2006).
12 Bansal v. Russ, 513 F. Supp. 2d 264 (E.D. Pa. 2007).
13 Van Alstyne, 560 F.3d 199.
14 Cedar Hill Assocs., 2005 U.S. Dist. LEXIS 32533.
15 Id. at *7-8.
16 Steve Jackson Games, Inc. v. U.S. Secret Serv., 36 F.3d 457 (5th Cir. 1994).
17 Pietrylo v. Hillstone Rest. Group, Civ. No. 06-5754, 2009 WL 3128420 (D.N.J. Sept. 25, 2009).
18 Konop v. Haw. Airlines, Inc., 355 B.R. 225 (D. Haw. 2006).
19 Id. at 232.
20 18 U.S.C. § 2707(c).
21 Cedar Hill Assocs., Inc. v. Paget, 2005 U.S. Dist. LEXIS 32533, at *7 (quoting 18 U.S.C. § 2701(a)(1)).
22 Van Alstyne v. Elec. Scriptorium, Ltd., 560 F.3d 199, 205 (quoting Doe v. Chao, 540 U.S. 614, 620 (2004)).
23 Id.
24 Bansal v. Russ, 513 F. Supp. 2d 264 (E.D. Pa. 2007).
25 Id. at 276.
26 Theofel v. Farey-Jones, 359 F.3d 1066, 1075 (9th Cir. 2003).
Published December 1, 2009.