An Illinois blogger was injured in a car accident, and while in the hospital, her employer obtained access to her personal Facebook and Twitter accounts and used them to promote the employer’s website (she had a large personal following). When she became aware this was happening, she asked her employer to stop. They failed to do so, requiring her to change her passwords. In her lawsuit, she alleged (among other arguments) that her employer had violated the Stored Communications Act (SCA).
The evidence showed hat the employer did, in fact, access the accounts, accept multiple friend requests, and post 17 tweets. Therefore, the defendants “exceeded their authority in obtaining access” to the accounts under the statute. The question here is whether she is entitled to damages.
The SCA allows an award for “actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000.” The court, however, found (as others have) that actual damages are required in order to get the minimum statutory damages. (The court was deciding motions for summary judgment; damages in this case will be examined in discovery.)
What do you think about this rule? It just seems strange to have a “privacy statute” that would allow unauthorized access of a Facebook, e-mail, or other account with only a remedy when actual damages exist. If someone only read all of the messages, a victim may get nothing, but if $1 worth of damage is done, they are awarded $1,000.