Unauthorized access to digital information is widespread, and lawsuits seeking damages for such activity are increasing in frequency. Traditional legal theories can be difficult to apply to new technologies. Who owns, possesses, or controls the data stored in an email account? What tort theories can be asserted when access to electronically stored information is wrongfully denied or transferred? Can damages be awarded in the absence of proof of actual misuse, or even proof of viewing one’s private information by a Defendant? The First District Court of Appeals recently confronted these issues in Eysoldt v. ProScan Imaging, 194 Ohio App. 3d 630, 2011-Ohio-2359, and held that such privacy breach cases are indeed actionable, and upheld an award of economic damages, even though there was no proof that the Defendant took ownership of, accessed, or used the Plaintiff’s account containing private information.
The Plaintiff opened an account with Go Daddy, an internet domain registrar and web hosting company. This account paid for the registration, hosting, management, and storage of various domain names, websites, and email services for the Plaintiff and two family members. Subsequently, the Plaintiff used his Go Daddy account to create a business-related website for a company he operated with partners. Eventually their business relationship soured and the Plaintiff refused to turn over control of the company website. Although the website was registered under the Plaintiff’s name, and the company representative could not provide the Plaintiff’s password, Go Daddy nevertheless transferred sole control of the entire account to the company, including not only the company website, but also the personal email accounts and domain names of the Plaintiff and of the Plaintiff’s family members. These emails included private information, such as communications with lawyers and doctors, bank records, and credit card numbers. Plaintiff and the company both contacted Go Daddy to resolve the matter, but to no avail. As a result, the Plaintiff and his family members filed suit for conversion and invasion of privacy against Go Daddy.
At common law, the general rule was that only tangible chattels could be converted. However, the Court observed the law has changed, and identifiable intangible property rights can also be converted. Hence, the Court upheld the conversion verdict in favor of not only the Plaintiff, but also the Plaintiff’s family members, who were denied access to their online information. The Court observed that “conversion is the wrongful exercise of dominion over property in exclusion of the owner’s right, or the withholding of property from the owner’s possession under a claim inconsistent with the owner’s rights.” Therefore, even as to the Plaintiff’s family members-who were neither the registrants for their accounts, nor the “owners” of their email service- the Court determined that the denial of access supported a jury finding that Go Daddy “converted the conditional and private email communications” that were contained in the Go Daddy account.
The Court also upheld an invasion of privacy claim, even though there was no evidence that Go Daddy ever opened any file or read any of the Plaintiffs’ emails. The Court characterized the claim as an invasion-of-seclusion type of privacy claim. Such a claim involves a “wrongful intrusion into one’s private activities in such a manner as to outrage or cause mental suffering, shame or humiliation to a person of ordinary sensibilities.” Notably, the Plaintiffs were not required to prove actual access, but simply that there was an opportunity for an unauthorized party to access their information. In other words, the harm stems from the distress caused by the unauthorized access afforded to a third party that could have easily viewed the contents of the account.
It is possible that this case may be limited by its rather unusual facts, particularly Go Daddy’s unexplained breach of its own policies, and its failure to correct its errors even when requested to do so by all the affected parties. However, there is nothing in the opinion to suggest such a limitation. Therefore, this opinion may have implications in other cases in which control or access to data is improperly transferred or withheld, or in which data is improperly released. Such situations can occur in employment contexts, with social media, on insecure networks or shared computers, or in security breaches arising from hacking or lost or stolen data.
Courts continue to revise their application of the law to keep pace with changes in technology. As a result, intangible property rights are receiving greater legal protection. This opinion can be viewed as very plaintiff-oriented, and many Courts will struggle to apply tangible property legal concepts to the intangible realm of information and data. However, Eysoldt demonstrates that Courts have the ability to find fault and to craft meaningful remedies where there is a breach of privacy in online data.
Please feel free to contact a member of our Intellectual Property and Technology Practice Group.