In Abu v. Dickson, No. 23-1573 (6th Cir. July 8, 2024), the Sixth Circuit Court of Appeals affirmed the ruling that access and preservation of emails for potential buyers by the IT administrator of the defendant did not violate the Computer Fraud and Abuse Act (CFAA) or the Stored Communications Act (SCA).

Case Discussion and Circuit Court Ruling

In January 2019, the defendant agreed to sell one of his company’s assets to the plaintiff, a California corporation owned by Ryan Moore. After closing the deal, John Massey, the IT administrator who took care of other online accounts for the defendant affiliates remained the account administrator for the relevant email services of the plaintiff’s company and the company to be acquired. The plaintiff employees received @theepicureangroup.com email accounts through the Microsoft 365 platform. During this time, Moore emailed Massey to create new accounts for new hires, to cancel accounts for discharged employees, and to reset passwords.

By July of that year, the relationship between the two entities broke down, prompting an effort to unwind the deal and leading eventually to litigation. During that time, the defendant asked Massey to retrieve and preserve emails between plaintiff’s email address associated with the defendant’s account, rmoore@theepicureangroup.com, and various other individuals for the litigation. Massey proceeded with the access and preservation of emails using the Microsoft 365 search feature, using his credentials as the Microsoft 365 tenant account administrator. The defendant affiliates turned over the emails to the plaintiff during state court discovery. As the Sixth Circuit noted: “Relations between the one-time deal partners went from bad to worse”, leading to the filing of this lawsuit by the plaintiff, alleging that the defendants violated the CFAA and SCA by accessing Moore’s emails. Each side moved for summary judgment. The district court ruled as a matter of law for the defendant affiliates.

Noting that the CFAA “covers only ‘intentional[ ]’ violations—intentional efforts to act without authorization or to exceed authorization”, the Sixth Circuit stated: “One last preliminary point. The Conlan company filed this claim against Dickson and his accounting firm. In the court below and in this court, the parties have focused on the intent of Massey, the employee who ‘accessed’ the email accounts…Hence we, like the district court, focus on Massey’s actions and Massey’s intent in accessing the emails.”

In doing so, the Sixth Circuit addressed this question: “Did Massey ‘intentionally’ access Moore’s emails ‘without authorization’ under the Act?”, by stating: “No. Massey was the consummate computer insider: the IT administrator. He managed the Epicurean Group’s email accounts, which gave him undisputed authorization to add and remove user accounts and change passwords. Logging in via his own credentials gave him access to users’ emails. The Act’s prohibition on intentionally obtaining access ‘without authorization’ thus does not apply to Massey’s conduct.”

The Sixth Circuit also addressed this question: “Did Massey intentionally exceed his authorization under the Act?” In a lengthy discussion of this question, the Court said this: “An employee, like Massey, does not intentionally exceed authorized access when he deliberately accesses a protected system but lacks notice that his access is unauthorized. The Act’s computer trespassing provision penalizes only one who ‘intentionally … exceeds authorized access.’…This feature of “exceeds”—that it refers to an entitlement, justification, or allowance—goes a long way to resolving this case. Id. An insider does not intentionally do more than is justified if he has no reason to know that his conduct is off-limits. Intentionally exceeding authorization requires, at a minimum, that the insider purposefully access an area of a computer and know that it is forbidden…This description of the mental state requirement honors the language that Congress chose. Congress opted to pair ‘intentionally’ with ‘exceeds’ rather than ‘accesses.’”

Continuing, the Court said: “Gauged by these requirements, the Dickson affiliates are entitled to summary judgment, as the district court correctly held. The Conlan company has not pointed to any evidence in the record that, if proven, would show that Massey was on notice that accessing Moore’s emails would violate any limitations on authorization—whether code-based restrictions, agency principles, computer norms, company policies, or contracts…The record demonstrates that Massey did not intentionally bypass any code-based barriers. Massey attested in his affidavit and deposition testimony that he accessed the emails by entering his regular administrator credentials, namely his pre-established computer permissions.”

The Court also addressed the plaintiff’s argument that Massey should have known that he was no longer authorized to serve as the IT administrator after Moore sent a mass termination email to all employees, stating: “Two problems cloud this argument. One is that the Conlan company forfeited it by failing to mention it in the summary judgment briefing below or in the briefing here…But even if Moore did send such an email, Conlan admits that Massey did not have an employment agreement with the Conlan company, and, even after the alleged email, Moore and Massey continued to correspond regarding the pending shut-down of the email accounts. Even if there were a mass termination email, it thus would not show that Moore ended Massey’s role as the IT administrator, as their continuing correspondence shows.” So, the Court affirmed the ruling that access and preservation of emails for potential buyers by the IT administrator of the defendant did not violate the CFAA or the SCA.

So, what do you think? Should access and preservation of emails be prohibited by an IT administrator when acquisition deals sour? Please share any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant, an Affinity partner of eDiscovery Today. Hat tip to Matthew Linehan for the case suggestion!

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.