Court Affirms IT Administrator’s Access Did Not Violate Regulations

Should an IT administrator’s access and preservation of emails be prohibited when acquisition deals fall apart? Doug Austin of eDiscovery Today asks this question in his case brief of Abu v. Dickson. It explored whether IT access to email accounts directed by a defendant during litigation violated the Computer Fraud and Abuse Act (CFAA) or the Stored Communications Act (SCA).

The case arose after the defendant sold a company asset to the plaintiff, but relations soured, leading to efforts to unwind the deal. The IT administrator, John Massey, who managed the email accounts, was directed by the defendant to retrieve emails for litigation using his credentials as the Microsoft 365 tenant administrator. The plaintiff later accused the defendant of unauthorized access, violating CFAA and SCA.

The Court focused on whether Massey intentionally accessed the emails without authorization under CFAA. It was found that Massey, as the IT administrator authorized to manage the email system, did not violate the Act since his actions were within his established permissions. The Court also considered whether Massey exceeded his authorization, concluding that he did not intentionally exceed his authorized access under CFAA without explicit notice that his access was unauthorized.

Additionally, the Court dismissed the plaintiff’s argument that Massey should have known his role as IT administrator ended after a mass termination email was allegedly sent. The Court noted the argument was forfeited as it was not raised earlier and that continued correspondence between Massey and Moore about shutting down the accounts indicated that Massey’s role had not ended. Therefore, the Court affirmed the lower court’s ruling in favor of the defendants, finding no violation of CFAA or SCA.