Do alleged violations of the Computer Fraud and Abuse Act, Stored Communications Act, and Wiretap Act committed by a company’s Regional Manager make the company liable?
No, as long as the Regional Manager was not acting on behalf of the company.
On October 19, 2012, the United States Court of Appeals for the Fifth Circuit issued its ruling in Larson v. Hyperion Int’l Technologies, L.L.C., No. 12-50102 (5th Cir. 2012) in which it affirmed the district court’s granting of a Motion to Dismiss Larson’s Complaint. Larson (pro se) sued Hyperion alleging that Hyperion’s Regional Manager, Frank Stephenson, acquired his personal and private communications, including emails, medical records, and attorney-client communications which he then faxed to a third party, all without Larson’s knowledge or authorization, by using Hyperion’s fax machine and fax cover pages for the transmissions. Larson sued Hyperion for violating the Computer Fraud and Abuse Act, Stored Communications Act, and Wiretap Act, among other things. Following the district court’s dismissal, Larson appealed pro se.
The Fifth Circuit observed that the Computer Fraud and Abuse Act, Stored Communications Act, and Wiretap Act statutes all “expressly require intentional interception or publication of electronic communications” by the defendant. The Complaint in this case alleged that Stephenson intentionally violated each of these statutes but, because there was no showing that Stephenson was acting on behalf of Hyperion (the defendant), dismissal of those claims was proper.
Takeaway: If you are going to sue a company for violating the Computer Fraud and Abuse Act, Stored Communications Act, or Wiretap Act, you must also be prepared to plead and prove that the intentional actions of the individuals committing the wrongful acts were acting on behalf of the company.
If you have any questions about pursuing or defending claims under the CFAA or the ECPA, please feel free to contact me to discuss.
Shawn E. Tuma (469.635.1335 / stuma@brittontuma.com)
Related articles
- Does “Authorization” Matter? (secureconsulting.net)
- No Computer Fraud and Abuse Act violation for taking over former employee’s LinkedIn account (internetcases.com)
- Experts question guilty verdict for AT&T ‘hackers’ (networkworld.com)
An interesting ruling. So, technically, if the order to a person from management to violate the Computer Fraud and Abuse Act, Stored Communications Act, or Wiretap Act are passed verbally (i.e. without record), then (again, technically) the management COULD get away with such violations. In other words, if you’re gonna be a crook, don’t leave a paper trail!
(Sorry, it’s my Chicago upbringing, always trying to find a way to break the law legally.)
Seriously, I understand what you were saying. It would seem to make it very hard to prove corporate wrong-doing, short of a clear trail of orders (a somewhat stupid move on the hypothetical management’s part). This ruling would also seem to promote scapegoats. It will be interesting to see how this plays out in the near future.
Putting things in writing has always been an issue for companies (whether digital or traditional pencil and paper) because it always – ALWAYS – comes out in discovery. So yes, if you’re going to be a crook, you certainly don’t want to leave a paper trail though non-– crooks may find it advisable to not leave a paper trail also in certain cases. In a situation such as this, however, is not necessary to have a paper trail just to establish that the act was on behalf of the company as witness testimony can be useful for this as well. In other words, sue the individual and let them absolve themselves by rolling over on the company and testifying that it was the company’s directive, then add the company as a party to the lawsuit.