Sign Up
Stay current with GH&R Newsletters. Click here to sign up.
E-Commerce News
CAN-SPAM Act Suit Requires No Damage Mitigation; Company Consent To Computer Search Condoned
April 24, 2007
CAN-SPAM ACT SUIT REQUIRES NO DAMAGE MITIGATIONAn e-mail recipient is not required to “mitigate” damages caused by a violation of the CAN-SPAM act in order to bring a suit for statutory damages under the Act, according to a recent holding by a federal court in California. That court reasoned that because the object the CAN-SPAM act is to punish the wrongdoer, mitigation is not relevant.
The CAN-SPAM Act (and you have to admit, it’s a pretty clever title considering Congress thought of it) allows ISPs to sue alleged spammers for CAN-SPAM violations and “to recover damages in an amount equal to the greater of ... actual monetary loss incurred by the [ISP] as a result of such violation' or statutory damages." The fact that ISPs can recover statutory damages – even when the statutory damages exceed actual damages – demonstrates that “Congress was more concerned with the spammer being appropriately punished than with the plaintiff being made whole," according to the court.
The court also found it significant that the CAN-SPAM Act grants a court discretion to increase the amount of statutory damages up to three-fold if the court finds aggravating factors. Again, the court’s discretion to increase the damage award depends on the spammer’s conduct, not the ISP’s damage. This further demonstrates that Congress intended to focuse on the wrongdoer and not the victim.
Having found that the CAN-SPAM Act's statutory damage provisions were meant to punish, the court determined that whether a plaintiff had mitigated damages was irrelevant.
The court concluded that "the doctrine of mitigation of damages cannot logically apply to the Court's decision regarding any award of statutory damages ... under the CAN-SPAM Act."
If in fact Congress intended to eliminate SPAM, the court’s ruling is probably correct. The thought of a congressman promising to “get tough on SPAM”, however, still sounds like a Monty Python skit!
COMPANY CONSENT TO COMPUTER SEARCH CONDONED
Can a company consent to an FBI search of a computer hard drive used by one of its executives? Does the FBI violate the executive’s Fourth Amendment rights by executing the search? The answers to the two questions are “yes” and “no”, according to the United States Court of Appeals for the Ninth Circuit.
This was actually the second time the appellate court reviewed this case. The first time it looked at the case, it decided that the company's Internet monitoring policy deprived the executive of a reasonable expectation of privacy in the computer. On rehearing, however, the court shifted its focus to the company's consent to the FBI search.
Acting on a tip that the executive was involved with child pornography, an FBI agent contacted an employee in the company's Internet Technology department and directed him to make a copy of the hard drive on the computer in the defendant's office. The IT employee contacted the company’s CFO, who provided a door key that enabled the IT administrator and a subordinate to get into the defendant's locked office after hours. They copied the defendant's hard drive and turned it over to the FBI.
The hard drive contained numerous images of child pornography. As a result, the executive was convicted of receiving obscene material in violation of 18 U.S.C. §1462. The executive challenged the conviction, on the ground that the evidence was obtained in an unconstitutional search. The question then was the extent to which the executive had a reasonable expectation of privacy in his information maintained on a workplace computer, and whether the employer could validly consent to a search.
In addressing the issue of an employee’s expectation of privacy in a workplace computer, courts across the country have reached different conclusions. For some courts, the mere fact that the employer posts a computer policy that limits the employee’s privacy is enough to defeat any “reasonable” expectation of privacy. For other courts, however, employees retain a privacy right in personal information, even if the employer’s policy reserves the right to monitor.
The Ninth Circuit struggled with the somewhat twisted facts in this case. While it felt that the employee’s right to privacy was limited by the computer policy, it had a more difficult time approving the intrusion into the locked office, noting that the US Supreme Court has recognized that employees have a privacy interest in their individual offices.
But on rehearing, the Ninth Circuit court determined that, ultimately, the company, as a “third party”, had the right to consent to the search. Citing US Supreme Court precedent that recognized the employer’s right to consent to a search of a shared workspace, the Ninth Circuit ruled that the presence of personal information on the computer did not deprive the company of the right to consent to the search.
The Ninth Circuit court was swayed by the evidence that: (1) the company's IT department had complete administrative access to every computer, (2) they used a firewall to routinely monitor employees' Internet activity, and (3) employees were apprised of the company's monitoring policy when they were hired.
Under these circumstances, the court concluded that the company acted within its rights when it authorized the search.
The case once again points out the need for employers to draft thorough IT policies that clearly spell out the rights of the company with respect to the company computer system.
This Newsletter is a periodic publication of Graydon Head & Ritchey LLP and should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general information purposes only, and you are urged to consult your own advisor concerning your situation and any specific legal question you may have.