Opinion
Civil Action No. 11-10007-DJC
11-28-2012
MEMORANDUM AND ORDER
CASPER, J.
I. Introduction
Plaintiff David Cheng ("Cheng") has filed suit against Defendant Laura Romo ("Romo") alleging a violation of the Stored Communications Act, 18 U.S.C. § 2701, et seq. ("Count I"), and an invasion of privacy in violation of Mass. Gen. L. c. 214, § 1B ("Count II"). Romo has moved for summary judgment on both counts. For the reasons stated below, Romo's motion for summary judgment is DENIED.
II. Burden of Proof and Standard of Review
The Court grants summary judgment where there is no genuine dispute as to any material fact and the undisputed facts show that the moving party is entitled to judgment as a matter of law. Fed. R. Civ. P. 56(a). The Court "view[s] the record in the light most favorable to the nonmovant, drawing reasonable inferences in his favor." Noonan v. Staples, Inc. , 556 F.3d 20, 25 (1st Cir. 2009). "Where, as here, the nonmovant bears the burden of proof on the dispositive issue, [he] must point to 'competent evidence' and 'specific facts' to stave off summary judgment." Tropigas de P.R., Inc. v. Certain Underwriters at Lloyd's of London, 637 F.3d 53, 56 (1st Cir. 2011) (quoting McCarthy v. Nw. Airlines, Inc., 56 F.3d 313, 315 (1st Cir.1995)). That is, the non-movant "must come forward with evidence sufficient for a 'a fair-minded jury [to] return a verdict' in his favor." Soto-Padro v. Pub. Bldgs. Auth., 675 F.3d 1, 5 (1st Cir. 2012).
III. Background
A. Factual Background & Procedural History
The Court determines the following undisputed facts from the record. Cheng and Romo are both radiologists. ¶¶ 1, 4. Romo was one of Cheng's instructors when Cheng was a student at Brigham & Women's Hospital in Boston. ¶ 5; Cheng Depo., D. 20 Exh. 2 at 12:1-8. Both Cheng and Romo were hired in 2000 to work for Advanced Radiology, Inc. ("Advanced"), a Rhode Island corporation and medical practice that provides various medical imaging services. ¶¶ 2-4. Advanced hired Romo's husband, John Romo, in 2001. ¶ 43.
Except where noted, paragraph references correspond to the numbered paragraphs in Romo's Statement of Undisputed Material Facts, D. 20 Exh. 3.
References in this memorandum to defendant Laura Romo will be stated as "Romo." References to her husband will be stated as "John Romo."
Advanced did not issue email accounts to its employees. ¶ 9. Instead, Advanced's employees created and maintained their own email accounts. ¶ 10; D. 27 ¶ 10. When Cheng joined Advanced in 2000, he opened a Yahoo! email account because he no longer had an email account with his old employer. ¶ 11-14; D. 27 ¶ 14. At his deposition, Cheng testified that his Yahoo! account was for his "personal use." D. 20 Exh. 2 at 18:15-20. In or around July, 2000, Cheng gave Romo the password to his Yahoo! email account. ¶ 23; D. 20 Exh. 2 at 20:16-25. Although Cheng never "qualified" Romo's access to his email account in any way, id. at 23:4-12, never stated any time limit on his grant of account access to Romo, id. at 23:24-24:7 and never changed his password during the relevant time, id. at 25:4-12, Cheng's intended purpose for sharing the email accounts was for "reviewing images in connection with [their] work at Advanced Radiology." Id. at 21:1-9. Cheng testified that he relayed the password to Romo via telephone while Cheng was away from the computer so that Romo could "sign in and read a consult e-mail." Id. at 22:19-24.
When asked at her deposition why Cheng had given Romo his password, Romo explained that "[w]e had a radiologist who would do consults for us [and] he would e-mail us with what his impressions were of certain cases that we had questions about." Romo Depo. of Nov. 23, 2010, D. 28 Exh. 2 at 32:18-25. Romo explained that it would be an "unusual occurrence" for her to need to go into Cheng's account, and that "[m]aybe ten times a year [she] would be going into [Cheng's] personal e-mail to review a consultant's report" and that she never looked at anything else other than consultant's reports. Id. at 34:7-25. Romo also testified that she did not access Cheng's email account in 2005, 2006, or for most of 2007. Id. at 25:5-23. Romo later testified that she could not remember accessing Cheng's email account between 2002 and 2007, and agreed that before 2007 "at some point in time the need to have access to [Cheng's] personal account came to an end." Id. at 35:22-25, 37:3-8.
Over time, Romo's relationship with Cheng and other shareholders at Advanced deteriorated. ¶¶ 43-55. In 2008, Romo and her husband "ceased to be employees of Advanced." ¶ 55. Romo filed a lawsuit in Rhode Island Superior Court in 2008 against Advanced and one of its shareholders. ¶ 56. John Romo similarly filed his own lawsuit in Rhode Island Superior Court in 2009 against Advanced and one of its shareholders. ¶ 88.
Before the Romos began their Rhode Island state court litigation, in the fall of 2007 and continuing sometime until after May 20, 2008, Romo accessed Cheng's Yahoo! email account and read a number of Cheng's emails. ¶¶ 72-73. Romo gave different reasons in her testimony as to why she accessed Cheng's emails, including that she sought information that she thought was being withheld by others in the company, D. 28 Exh. 2 at 20:6-13, that she wanted to investigate disciplinary actions that had been taken against her husband, id. at 17:8-25, and that she wanted to gather information about Advanced's billing practices, Romo Depo. of Nov. 30, 2010, D. 28 Exh. 5 at 242:7-14. Romo printed at least ten of the emails that she read and gave these emails to her husband. ¶¶ 86-87. Some of these emails contain personal content. ¶¶ 74-77. John Romo produced these emails in October, 2010 as part of his lawsuit in Rhode Island Superior Court. ¶ 88.
Romo used her son's computer when she accessed Cheng's email account in the fall of 2007. D. 28 Exh. 5 at 236:5-11. She testified that she used her son's computer because "I didn't want to use my computer. Again, I was very uncomfortable, and this was kind of a desperate attempt on my part to figure out . . . what was going on [in the company]." Id. Romo testified that the only time she used her son's computer was when she wanted to look at Cheng's emails. Id. at 238:1-8. She testified four times that she was either "uncomfortable" or "very uncomfortabl[e]" accessing Cheng's email account. D. 28 Exh. 2 at 17:23-24, 24:6-7; D. 28 Exh. 5 at 236:7-8, 238:9-11. Romo testified that she "didn't want to stay in [Cheng's email account] too long." Romo Depo. of Oct. 25, 2011, D. 28 Exh. 4 at 42:4-14. She did not tell anyone but her husband that she was accessing Cheng's emails in 2007 and 2008. D. 28 Exh. 2 at 27:1-4. Still, she testified that she didn't think it was "wrong" to access Cheng's emails "because he had given me his password." D. 28 Exh. 5 at 238:12-21.
On January 1, 2011, Cheng filed this lawsuit against Romo alleging a violation of the Stored Communications Act, 18 U.S.C. § 2701, et seq. ("Count I"), and violation of Cheng's right of privacy in violation of Mass. Gen. L. c. 214, § 1B ("Count II"). D. 1 ¶¶ 21-32. Discovery ended on March 20, 2012. See ECF Order of October 25, 2011. On April 25, 2012, Romo moved for summary judgment on both counts. D. 20.
V. Discussion
A. Romo is Not Entitled to Summary Judgment as to 18 U.S.C. § 2701 et seq.
Section 2701 of the Stored Communications Act ("SCA") states:
Except as provided in subsection (c) of this section whoever--18 U.S.C. § 2701(a). Subsection (c) provides that subsection (a), quoted above, "does not apply with respect to conduct authorized -- (1) by the person or entity providing a wire or electronic communications service; [or] (2) by a user of that service with respect to a communication of or intended for that user . . . ." 18 U.S.C. § 2701(c). The SCA creates a civil cause of action available to "any provider of electronic communication service, subscriber, or other person aggrieved by any violation of this chapter in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind." 18 U.S.C. § 2707; see also Thayer Corp. v. Reed, No. 10-cv-423-JAW, 2011 WL 2682723 at *7 (D. Me. July 11, 2011).
(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or
(2) intentionally exceeds an authorization to access that facility;
and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished . . . .
Since the Electronic Communications Privacy Act of 1986 established the SCA, see Pub. L. No. 99-508, § 201, 100 Stat. 1848 (1986), courts have struggled with what it means for a person to "access without authorization" and "exceed[] an authorization to access" a facility. See Orin Kerr, A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending It, 72 Geo. Wash. L. Rev. 1208, 1208, 1240 (2004) (opining that "[c]ourts, legislators, and even legal scholars have had a very hard time making sense of the SCA. . . . [I]ts vague language has needlessly confused the courts, which have tried to use § 2701 in civil cases to do far more than the SCA's drafters ever intended").
The First Circuit has not squarely addressed the meaning of authorization in the context of the SCA, but has discussed an analogous provision under the linguistically similar Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the "CFAA"). In EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58, 62 (1st Cir. 2003), a travel company used automatic "scraping" software to download price information from a competitor's public web site. The court had to address the applicable test to determine if and when automated access of the public resource could "exceed authorized access." Id. The court rejected a test based on "reasonable expectations" of use where there was no "common understanding underpinning the notion" of whether access to the public web site was reasonable. Id. at 63. Zefer does not compel any outcome here, where that case involved use of a web site that was inherently public, and this case, by contrast, involved use of an email account that is inherently private. Here also there is evidence of the actual understanding by Romo as to what she could access, apparent through her repeated testimony of how uncomfortable she was in accessing Cheng's email, and how her access was a "desperate" attempt to obtain information. Finally, the fact that Cheng did not set an explicit limit on access is not dispositive, where Zefer recognized that "lack of authorization may be implicit, rather than explicit." Id.
Section § 1030(a)(2)(C) of the CFAA provides that: "[whoever] intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer if the conduct involved an interstate or foreign communication [shall be punished]." Courts have noted the similarity of these statutes and have considered the similar language of the two statutes together. See, e.g., Penrose Computer Marketgroup, Inc. v. Camin, 682 F. Supp. 2d 202, 211 (N.D.N.Y. 2010) (noting that "although Congress did not define the phrase 'without authorization' in either the [SCA] or the CFAA, it did provide a statutory definition for the phrase 'exceeds authorized access' in the CFAA. The term 'exceeds authorized access' means 'to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter'") (quoting Int'l Ass'n of Machinists and Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479, 498 (D. Md. 2005)); Lasco Foods, Inc. v. Hall and Shaw Sales, Mktg., & Consulting, LLC,600 F. Supp. 2d 1045, 1053 (E.D. Mo. 2009) (noting that the requirement under the CFAA is "similar to the requirement in [SCA]").
Other district courts within this Circuit have addressed "access without authorization" and "exceeding authorization" in considering the analogous provision of the CFAA. In Guest-Tek Interactive Entm't, Inc. v. Pullen, 665 F. Supp. 2d 42, 45-46 (D. Mass. 2009), to determine if a person's access was "without authorization" or in excess of his authorization, the court allowed an inquiry into the manner in which information obtained was later used. In Nucor Steel Marion, Inc. v. Mauer, No, 10-cv-327-SM, 2010 WL 5092774 at *5 (D.N.H. Dec. 7, 2010), the court noted that a person who is "entitled to obtain the information at issue [and does not go] beyond that which he was entitled to obtain" does not run afoul of the unauthorized access provisions of the CFAA. In Wentworth-Douglass Hosp. v. Young & Novis Profl Ass'n, No. 10-cv-120-SM, 2012 WL 2522963 at *4 (D.N.H. June 29, 2012), the district court distinguished between a person who violates a computer use policy, as opposed to a person who violates computer access restrictions. In that case, the court ruled that a doctor who used his own password to access a computer system in a way proscribed by policy, but not blocked technically, was not violating the CFAA. In contrast, the court found that a different doctor who used his wife's password to access a computer system had gained unauthorized access and thus had "circumvented the [technical] access restrictions." Id.
The litigants here point to a number of cases outside of this Circuit that have considered the question of access and authorization within the SCA, D. 20 at 11-12, 15-25 & D. 26 at 9-17 & 19-21, and cases cited. The Court has reviewed these cases, and notes that they are representative of courts' varying approaches to defining access and authorization in terms of technical restriction, contract or policy, and/or reasonable expectation, and that there appears to be no clear consensus as to how the language is to be interpreted.
Here, there is a disputed issue of material fact for the factfinder to resolve as to whether Romo was authorized to access Cheng's account. The fact that Cheng had given Romo his password years earlier is not determinative, given the context in which such password was given and the later use that Romo made of it. From Romo's own testimony it seems clear that a material issue of fact exists as to whether Romo herself believed whether she was authorized or whether a factfinder could reach the same conclusion. The Court finds instructive Judge Kozinki's reasoning when he interpreted the authorization language of the SCA in terms of common law trespass: "Permission to access a stored communication does not constitute valid authorization if it would not defeat a trespass claim in analogous circumstances." Theofel v. Farey-Jones, 359 F.3d 1066, 1073 (9th Cir. 2004); see also Van Alstyne v. Elec. Scriptorium, Ltd., 560 F.3d 199, 208 (4th Cir. 2009) (finding "no need to opine on the precise common law analogue for the SCA" but noting that "trespass to chattel . . . more closely mirrors the SCA [than trespass to land]"). Here, a factfinder will necessarily need to look to the circumstances in which the password was given to determine whether Romo was authorized, or exceeded her authorization, to access Cheng's email.
The analogy to trespass is not perfect, where for example under Massachusetts law trespass does not require the "knowing or intentional" violation required by 18 U.S.C. § 2707, see, e.g., United Elec. Light Co. v. Deliso Const. Co., 315 Mass. 313, 318 (1943), and has been subject to criticism. See, e.g., Orin S. Kerr, Computer Crime Law c. 2, § C at 59-60 (2d ed. 2006). Nevertheless, the Court finds the analogy to the common law useful.
Here, it will be appropriate for a factfinder to consider evidence of whether Romo understood herself to be authorized or what she considered to be the scope of her authorization. This subjective inquiry is appropriate where 18 U.S.C. § 2707 imposes civil liability only where there is a violation of § 2701 committed "with a knowing or intentional state of mind." 18 U.S.C.A. § 2707 (West 2012). Where here there is evidence as to Romo's own understanding of what she could access and what she could not, that evidence is appropriate for consideration by the factfinder to resolve these questions.
Romo additionally argues that Advanced's employee manual (the "Manual") "authorized Romo's access" of a co-worker's email. D. 21 at 21. The Court acknowledges the disagreement between the parties as to whether the Manual even applied to Romo. D. 26 at 18. However, even assuming that the Manual was in effect, its provisions do not aid Romo's argument. It is difficult to fathom how the minimal language regarding appropriate Internet use in the Manual could authorize a singular employee to search the email of another. D. 28 Exh. 8 at 35. To the extent that the Manual could be construed to permit Advanced, the employer, to monitor Cheng's Yahoo! email account, id. at 35 (providing that "Internet usage is subject to monitoring at any time" and that "[t]he company reserves the right to inspect files and any communications that an employee makes"), Romo was not acting at the behest of Advanced and had told nobody at Advanced that she was accessing her co-worker's email.
The portion of the employee manual potentially relevant to Romo's argument states:
Computer Usage
Advanced Radiology's computing resources are not to be used for personal and non-business related purposes, personal commercial purposes or for personal financial and other gain. It is the policy of Advanced Radiology that all computers in any of the company's facilities are for official company use only, and not for private use by any employees, their family or any guests. Given the criticality and confidential nature of the information contained on Advanced Radiology's computers and network, access to the computing resources must be restricted. . . .
Internet Usage
Access to the internet from Advanced Radiology's network is for business purposes only. Individual use of the internet, via Advanced Radiology's network, may be restricted due to inappropriate use. Specific instances include accessing objectionable web sites, sending or receiving email for private use and participating in either instant messaging or chat rooms. Internet usage is subject to monitoring at any time. All of an employee's online communications and internet visits made during business hours are not considered to be private. Therefore the employee should treat all of their activities as such. The company reserves the right to inspect files and any communications that an employee makes in order to ensure compliance with this policy.
D. 28 Exh. 8 at 35.
For these reasons, Romo is not entitled to summary judgment as to Count I as a matter of law.
B. Romo is Not Entitled to Summary Judgment as to the Privacy Claim Arising Under Mass. Gen. L. c. 214 § 1B
Massachusetts General Laws c. 214, § 1B provides that "[a] person shall have a right against unreasonable, substantial or serious interference with his privacy." "Section 1B protects people from 'disclosure of facts . . . that are of a highly personal or intimate nature when there exists no legitimate, countervailing interest.'" Dasey v. Anderson, 304 F.3d 148, 154 (1st Cir. 2002) (quoting Bratt v. Int'l Bus. Machs. Corp., 392 Mass. 508, 467 (1984)) (citations omitted). The statute protects against the "gathering and dissemination" of such information. Id. Romo, in her statement of undisputed material facts, states that she "printed at least ten emails between Cheng and [a non-management employee at Advanced]" and "supplied copies" of these emails to her husband John Romo, who then produced these emails in a lawsuit. D. 20 Exh. 4 ¶¶ 86-88. Romo's own description of the emails is that they contain "personal commentary." Id. ¶¶ 75-77. The Court notes that several of the emails, which are in the record, contain no content at all related to Advanced's business and are solely personal notes between Cheng and a non-management employee. See, e.g., D. 20 Exh. 2 at 177-181, 187-188. It appears here that while Cheng used his Yahoo! account for some business purposes, the emails that Romo accessed, reviewed, printed and gave to her husband had more to do with Cheng's alleged personal relationship with another non-management employee than it did with any dispute over the business.
Cheng has set forward a plausible claim that Romo, in gathering and disseminating these emails, interfered with Cheng's right to privacy. Because there are disputed issues of material fact as to whether Cheng had a reasonable expectation of privacy in his e-mail messages and whether Romo's actions in reading these messages and in providing them to her husband were an unreasonable, substantial or serious interference with plaintiffs' privacy, Romo is not entitled to summary judgment as to Count II.
As Romo has argued as to this privacy claim, Advanced's Internet use policy as articulated in the Manual may have some relevance to this claim at least as to whether Cheng had a reasonable expectation of privacy in these e-mail messages.
V. Conclusion
For the foregoing reasons, the Defendant's motion for summary judgment is DENIED.
So Ordered.
Denise J. Casper
United States District Judge