NYLJ.COM |
White-Collar Crime | MONDAY, SEPTEMBER 26, 2016 | S3
electronic storage was expensive and rarely used. As a result, certain of its provisions draw distinctions that modern technology has rendered arbitrary, including the follow- ing examples:
• The SCA provides emails older than 180 days less protection, on the theory that most systems in 1986 only kept cop- ies of messages for a few months, and older data was akin to a “business record maintained by a third party.”
• The SCA distinguishes emails held in “electronic storage” under §2703(a) from those held by a “remote computing service,” under §2703(b). As a result, many courts have interpreted this to mean that opened emails are no longer in “electronic storage” and thus receive less protection under §2703(b) of the SCA (but see Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004), holding that emails were in “electronic storage”
Many people expect that the vast amounts of personal and financial data they maintain
in cloud-based storage will be kept private. Most do not draw distinctions based on where “the cloud” happens to reside, how old their email messages are,
or whether an email has been opened.
regardless of whether they had been accessed).
• Because §2703(b) of the SCA only refers to “contents” of an electronic communi- cation, for an email older than 180 days, there is less protection for its content than for its transaction or “header” information (i.e., To, From, Date), which requires a 2703(d) court order (or war- rant) for production.
These distinctions make little sense in today’s world of remote email services, cloud-based storage and widespread mobile technology. Many people expect that the vast amounts of personal and financial data they maintain in cloud-based storage will be kept private. Most do not draw distinctions based on where “the cloud” happens to reside, how old their email messages are, or whether an email has been opened.
Indeed, the Justice Department has agreed that “there is no principled basis” to treat email differently based on whether it is 180 days old. And in a concurring opinion in the Microsoft case, Judge Gerard E. Lynch of the Second Circuit implored Congress to revisit the statute in order to better bal- ance privacy interests with law enforcement needs in the age of “the cloud,” when remote service providers can move data in and out of the United States at “lightning speed” to serve their business needs, providing much greater privacy to those customers
whose data happens to get stored on serv- ers located abroad.
The Congressional Response
In early May 2016, the Email Privacy Act (H.R. 699) was unanimously passed by the House of Representatives with overwhelming bi-partisan support. A version of H.R. 699, the Electronic Communications Privacy Act Amendments Act of 2015 (S. 356), is currently before the Senate and also expected to pass. Both bills strive to bring the ECPA up to date with the digital age and to create more robust privacy protections for digital information. For example, the proposals would:
• remove the 180-day and “electronic stor- age” versus “remote computing service” distinctions;
• require the government to obtain a war- rant to acquire the contents of stored communications from an ISP, essentially codifying the Sixth Circuit’s decision in Warshak; and
• require that the government notify the individual, albeit post-disclosure, that his or her information was requested and received by the government (allow- ing the government to request delayed notification).
SEC’s Objections to ECPA Amendments
The SEC, as a civil enforcement agency, does not have the power to obtain search warrants. As such, the SEC and other civil law enforcement agencies have taken issue with the proposed warrant requirement. Here are some of the reasons:
• According to SEC Enforcement Director Andrew Ceresney, who was writing before H.R. 699 passed, “if [H.R. 699] becomes law without modifications, the SEC and other civil law enforcement agencies would be denied the ability to obtain critical evidence, including potentially inculpatory electronic communications from ISPs, even in instances where a subscriber deleted his emails, related hardware was lost or damaged, or the subscriber fled to another jurisdiction.” He also noted that personal emails tend to show evidence of intent, a factor dif- ficult to prove otherwise.
• In a letter to the Senate Judiciary Com- mittee and in an Op-Ed piece in the New York Times, the SEC advocated for changes, pointing out that civil law enforcement agencies would not be able to meet the war- rant requirement of the new bill because they do not have criminal law enforcement powers. As a consequence, the Commis- sion would be unable to obtain evidence in cases like insider trading and Ponzi schemes, for example, if the individual being investigated either deletes or oth- erwise fails to turn over electronic records.
• The SEC has appealed to the legislature to consider alternatives (appeals that did not appear to move the House). Those alternatives include a provision that would allow the SEC to seek authority from a court to obtain emails under a standard akin to probable cause. It also expressed
willingness to provide individual sub- scribers with notice and an opportunity to object before the ISP produces the data.
Second Circuit Holds That SCA Does Not Apply Extraterritorially
This summer, the U.S. Court of Appeals for the Second Circuit, in Microsoft Corp. v. United States, held that the SCA does not apply extraterritorially and that allowing the government to execute a warrant for data stored by a U.S. ISP on a server located in a foreign country would be an impermissible extraterritorial application of the statute. As a result of the Microsoft decision, an addi- tional distinction has arisen—the physical location of the server used to store the data.
Takeaways
• The ECPA amendments will eliminate the SEC’s ability to subpoena personal email communications from ISPs without the consent of the subscriber. This may not affect a typical investigation where the SEC subpoenas a company for mes- sages involving employees using business email accounts. The SEC will likely have access to the same relevant communica- tions (assuming the employee does not use personal email accounts for electronic communications, possibly in violation of company email policies).
• Where an investigation does involve per- sonal email, the SEC likely will have to seek electronic data directly from the individual
or with the individual’s consent. In civil investigations, individuals may find it eas- ier to shield personal emails by asserting the Fifth Amendment “act of production” doctrine, or simply by refusing to comply with a request.
• Civil and criminal law enforcement may cooperate earlier in investigations. In investigations where personal commu- nications may be particularly relevant, like insider trading, microcap fraud, or offering frauds, SEC staff may refer matters to the Justice Department.
• The Microsoft decision may incentivize individuals and companies to store data abroad. Because offshore content is out- side the reach of a warrant under Microsoft, and cannot be subpoenaed under War- shak, the government would be forced to seek foreign cooperation to obtain data offshore, using the slower MLAT process. • Emails maintained in a non-U.S. cloud location (even a location unknown to the subscriber) that has strong data protec- tion laws may be subject to greater privacy protections than emails kept in a secure, domestic location.
• In light of the Microsoft decision, the Senate could take the opportunity to debate the implications of the proposed ECPA amendments and consider whether extraterritorial reach of the government’s power to obtain digital information stored abroad is appropriate in the age of cloud storage. The SEC may make further efforts to advocate revisions, especially in the wake of Microsoft.
marcumllp.com/nylj