As data storage moves from equipment controlled by its authors into the “cloud” — storage on equipment controlled by third parties — there is an increased risk that unauthorized third parties will access this data and use it for nefarious purposes. The Stored Communications Act (“SCA”, 18 U.S.C. § 2701 et seq.) is widely thought to provide protection from disclosure for emails and other private data that are in such electronic storage. However, a less-known loophole in the SCA can permit stored information to be accessed without the author’s permission and then divulged to competitors, to adversaries, to strangers, or to the general public, without liability under the SCA.
The SCA provides that any person who intentionally accesses stored electronic communications without authorization or beyond the scope of his authorization is subject to civil and criminal penalties. 18 U.S.C. § 2701(a), (b). However, there are two important exceptions to this protection:
Even if an author of a communication has not authorized a third party to access that communication, the SCA provides that this unauthorized third party is immune from liability if he/she was authorized to gain access by the provider of the electronic communications service –such as the ISP or the business the operates the network. The SCA further provides that an unauthorized third party is also immune if he/she has been given permission to access the communication by a user of the service on which the communication is stored — such as a member of a private website, such as a MySpace page.
This means that even if the author has not consented for anyone except for the recipients to access his/her private emails, a lot of people could still be looking at them, copying them and doing who knows whatelse to them — with SCA-immunity.
That sounds bad enough. However, the next section in the SCA — Section 2702 — opens the door to unauthorized disclosure even wider.