Perhaps the most common call I get from prospective clients involves a complaint that someone, usually a spouse in a divorce or child custody situation, or a rogue employee about to separate from his employer, has accessed the caller’s email account and read the caller’s emails without authorization. In plain language, someone has “hacked” their email account. Unfortunately, this type of cyber privacy violation is becoming extremely common. With the growth in popularity of texting on mobile devices, interception of mobile communications has also become extremely common place, and is a major piece of my practice as well.
Luckily, the law has many powerful remedies for the unauthorized interception of electronic communications as I will describe below. However, to take advantage of these remedies you must act fast, usually within 180 days if the intrusion is to your email account. The critical evidence that you and your attorney need to prove your case is usually stored by the email service providers for only six months (or less in some circumstances). You may have even less time to act to preserve evidence in the case of intrusions to mobile communications. Do not hesitate to contact an attorney who is knowledgeable in the field of electronic privacy violations as soon as you have reason to believe you have been hacked.
Both federal and state statutes protect email and mobile communications from unauthorized interception and disclosure. Besides making these privacy violations a crime that can be prosecuted by state and federal authorities, many of these statutes also include a private right of action allowing victims whose electronic communications (or data) have been hacked to sue the party responsible for the interception, and in many cases to collect potentially large liquidated and punitive damage awards.
For example, the federal Electronic Communications Privacy Act (“ECPA”, 18 U.S.C. § 2510-22) makes it a crime to intercept various types of communications including email and smartphone texts, chats, iMessages, etc. (For a complete discussion of this Act see https://it.ojp.gov/privacyliberty/authorities/statutes/1285).
Civil damages under ECPA start at $10,000, but can grow if the violation persists over time. A liquidated damage award of $100 per day can be imposed if it exceeds the $10,000 minimum. ECPA also awards attorney fees and costs involved with litigation. In South Carolina, our state statute (SC Code of Laws §17-30-135) that mirrors the ECPA’s private right of action imposes even larger liquidated damages of “five hundred dollars a day for each day of violation or twenty-five thousand dollars, whichever is greater”, and also awards punitive damages and a “reasonable attorney’s fee and other litigation costs reasonably incurred.”
Another federal statute, the Stored Communications Act (“SCA”, 18 U.S.C. §§ 2701-12.) protects the contents of files, including emails, texts, iMessages, and etc., stored by service providers, and imposes a $1000 per occurrence liquidated damage for unauthorized access. Punitive damages are also assumed in this statute. The Fourth Circuit has interpreted “per occurrence” to be per email. This statute can usually be invoked in any circumstance in which a victim’s online accounts are accessed without authorization and the contents of files stored there are read or copied. Increasingly, I have seen this statute come into play with privacy violations involving online storage accounts such as Apple’s iCloud, or data storage accounts such as Dropbox, or social media accounts such as Facebook.
Another federal statute frequently used to provide civil remedies for cyber privacy violations is the Computer Fraud and Abuse Act (“CFAA”, 18 USC §1030). CFAA imposes a range of criminal and civil penalties for unauthorized access to “protected computers”. In reality any computer (including a smartphone) involved in interstate commerce could be considered an “protected computer” under CFAA. Therefore, CFAA has been used in many situations to fashion a remedy where a cyber-privacy violation doesn’t fit the scenarios addressed in SCA or ECPA.
You must act quickly to preserve evidence and have your best chances of receiving an appropriate remedy.