Va. court sanctions attorney for frivolous SCA claim

A Virginia circuit court recently denied a claim under the Stored Communications Act where plaintiff alleged an SCA violation regarding Facebook accounts where the information was publicly accessed. Womack v. Yeoman, 2011 Va. Cir. LEXIS 143.

The case concerned plaintiff's injuries sustained from a vehicle accident. The defense counsel used MySpace and Facebook to research the plaintiff and her family to learn more about the damages, looking over various postings. The plaintiff's counsel did not perform similar research but was assured the profiles were private (the court found this to be an unreasonably sufficient inquiry).

Plaintiff's counsel accused the defense of engaging in "unethical and illegal conduct by 'hacking' into" the accounts and that the act "violate[d] Plaintiff's and her families (sic) right to privacy under the [SCA]." The court found that all information obtained by the defense was publicly available and no violation of the SCA had occurred. Further, the defense was awarded attorneys' fees as sanctions for the claim.

But consider this: what settings are required to make something "private?" Here's a depiction of nearly every level to which access to one's Facebook information can be restricted:

To the left, you have the group of people that will be unavailable to access postings because they have neither Internet access or a Facebook account. Since both are required to access the majority of FB data, does this make it such an exclusive group that it is not public? Obviously not. But suppose the defense attorney was a "friend of a friend" of the plaintiff, and the settings then allowed him to obtain her postings. The plaintiff had not specifically approved the lawyer, but their relation gave him access. Or taking it to the extreme, is "private" only the information which the user shares with no one other than themselves? Possibly.

With regard to the SCA, the most restrictive option seems to be the right answer. That's because the SCA is only violated when a person logs into another's account (or an equivalent thereof). Thus, in Womack, the defense counsel would only be liable under the SCA if they had logged in as the plaintiff or one of her family members. If the attorney had "friended" the plaintiff without disclosing his involvement in the case, he may have violated rules of professional conduct but not the SCA.

Under that analysis, what information would be a giveaway that the SCA was violated?

• A status update or post that was restricted to only be viewable by the poster (I have no idea why one would do this, but a FB user can post a status update that is only viewable by them).
• A private message or wall post that was only viewable by the recipient or poster and consent would not have been given

Absent those situations, you should probably avoid claiming an SCA violation unless you have solid evidence that unauthorized access occurred (that a person logged in using another's credentials without permission).