Now more than ever, employers must have a clear and concise policy regarding work email accounts. While it is commonly understood that an employee’s work email is the property of the employer and subject to search at any time, it is important to inform employees of this. A recent case, Hoofnagle v. Smyth-Wythe Airport Commission out of the Western District of Virginia, demonstrates the importance of a clear policy on email accounts.
Hoofnagle was the manager of a small, local airport who was fired after using an email account, which he used both personally and for business, to write an impassioned and volatile email to U.S. Senator Tim Kaine. The manager’s email came in the wake of the Newtown school shooting tragedy and vehemently defended gun rights. The airport did not have its own email system or a written policy addressing the use of email and accompanying expectations. The manager created the email account when he started there, and the airport published the address as an official point of contact. Further complicating the matter, the manager signed the email with his name and position. Shortly thereafter, the airport commission voted to terminate the manager, and he filed suit. After the airport terminated the manager, it began going through his emails to check for airport business.
The court found in favor of the airport commission on the manager’s claims of violations of his First and Fourth Amendment rights. The court found that by signing his name and official position, the manager was speaking for the airport, which does not afford him the same freedom of speech as a private citizen. The court further found that even if he were speaking as a private citizen, the aggressive language in his email raised serious concerns about his judgment and affected his employer’s relationship with a third party, which made termination appropriate. The court also found the limited nature of the email search was appropriate and did not violate the manager’s Fourth Amendment rights.
The court, however, found that the manager had a cause of action under the Stored Communications Act, 18 U.S.C. §§ 2701-2712 (“SCA”). The SCA establishes civil and criminal liability for unauthorized access to a facility through which an electronic communication service is provided. The court found that by accessing the manager’s emails without his permission, the airport may have violated the SCA, because those emails are stored on the internet service provider’s servers, not the airport’s. The court went further to state that an employer may be granted reasonable authorization to access an email account, but if it exceeds that authorization, it can be liable under the SCA. It did not help that the airport commission changed the password on the account, denying the manager further access to an account he had set up. If found liable under the SCA, the airport could be required to pay punitive damages and attorney’s fees, even if there are no proven actual damages.
This case highlights how important it is for all employers to have clearly defined email policies, regardless of whether they provide employees with an email account or not. It is also important for employers to stay within the bounds of their policy. In this situation, if the employer had a written policy defining the scope of its access to the manager’s email account, it may have avoided SCA issues entirely. The court may eventually find that the airport did not violate the SCA, but it won’t be until after an expensive and possibly lengthy trial, showing the economic importance of a proactive policy versus a reactive defense.