Unauthorized Access to Email Accounts
Unauthorized access into email accounts creates criminal and civil liability and has become a growing point of concern after many recent high profile hacking incidents. According to the National Conference of State Legislatures, unauthorized access includes, “approaching, trespassing within, communicating with, storing data in, retrieving data from, or otherwise intercepting and changing computer resources without consent.” What constitutes unauthorized access is being clarified as cases come before the courts.
Two federal acts, the Electronic Communications Privacy Act (“ECPA”) and Stored Communications Act (“SCA”) regulate unauthorized access to electronic information. The ECPA prohibits the interception, usage, or disclosure of any wire or oral communication by using an electronic device, including unauthorized access to a wired or stored email. Interpreting violations of the ECPA raises the issues of implied consent versus the need for explicit consent. The SCA protects the storage of electronic information and makes it possible to recover damages for changes made or harm done due to unauthorized access. This includes nearly all information in the “Cloud” that is no longer in transit from sender to recipient (e.g., stored e-mails). There are certain exceptions for law enforcement access and user consent. For example, employers are generally forbidden from accessing employee’s private e-mails, but may have the right if consent is given in an employment contract explicitly authorizing access.
Unauthorized access of email accounts, due to the breadth of information held within the facility, brings serious consequences. For example, the victim may seek both civil and criminal penalties (e.g., 5 years imprisonment and $250,000 in sanctions). The courts may also treat social media websites (e.g., Facebook, Twitter, MySpace) as communication service providers since messages are transmitted and stored within their databases. Information obtained through unauthorized access cannot be used in court and may also entail civil and/or criminal liability.
The California Penal Code, Section 502, prohibits unauthorized access of computers, computer data, and computer systems. The penalties for violating this statute can be a fine of up to $10,000 and/or three years in jail per count. An individual who owns the computer or data may also sue the violator in civil court. In the past six months, both Facebook (Facebook, Inc. v. Grunin) and Uber Technologies, Inc. (Uber Technologies, Inc. v. Doe) have brought claims against hackers trying to either access their customer information or who continue to access their website after authorization was revoked and blocking measures were implemented therein. Also, companies may use encryption, password protection, and firewalls as methods of avoiding unauthorized access to email accounts.
For more information about your legal rights, you should consult with an attorney. At our law firm, we assist clients in online privacy and cybersecurity related matters.