A private investigator in a business dispute case logged into an employee’s personal Gmail account using credentials he found on the client’s shared work computer. The employee had used the same password for both accounts. The PI pulled hundreds of emails, handed them to the attorney, and everyone felt good about the catch.

Then the employee’s attorney filed a federal complaint under 18 U.S.C. § 2701.

The Stored Communications Act is one of the most commonly violated federal statutes in self-help digital forensics — and it’s violated precisely because most people doing the investigation don’t know it exists. If you’re accessing stored electronic communications on behalf of a client, or advising a client who wants to do it themselves, you need to understand this law before anyone touches a keyboard.


What the Stored Communications Act Actually Says

The SCA, codified at 18 U.S.C. §§ 2701-2712, was passed in 1986 as part of the Electronic Communications Privacy Act. Congress wrote it to extend Fourth Amendment-like protections to electronic communications stored with third-party providers — at a time when nobody was sure the Fourth Amendment itself applied.

The core prohibition is in § 2701(a): it’s a federal crime to intentionally access without authorization a facility through which an electronic communication service is provided, or to intentionally exceed an authorization to access that facility, and thereby obtain, alter, or prevent authorized access to a wire or electronic communication in electronic storage.

That’s a lot of words. The practical version: if you access someone else’s email account, cloud storage, voicemail, or similar stored communications service without their permission — or without a lawful order requiring the provider to disclose it — you may have committed a federal crime.

The statute also creates a private right of action under § 2707. Victims can sue for actual damages (with a minimum of $1,000 per violation, whatever the actual damages were), punitive damages if the violation was willful or intentional, and attorney’s fees. That $1,000 minimum adds up fast when you’ve pulled 500 emails.


The Authorization Problem

The most contested question in SCA cases is what counts as “authorization.” Courts have wrestled with this since the statute was passed, and the answers aren’t always intuitive.

Employer-Employee Situations

Employers often believe they have blanket authorization to access anything on company systems. That’s largely true — but only for systems the company actually provides and controls. A company policy saying “we reserve the right to monitor company devices” doesn’t give an employer authorization to access an employee’s personal Gmail account, even if the employee accessed it from a work computer.

The courts have generally drawn the line at the facility providing the service. Company email server? Company controls it, company has authorization. Personal email hosted by Google? The company is not the facility, and accessing it requires either the employee’s consent or legal process.

This distinction matters enormously in trade secret cases where employers want to investigate departing employees. Accessing a departing employee’s personal cloud storage — even to look for company files they may have stolen — can expose the company to SCA liability on top of whatever claim it had against the employee.

The “Shared Access” Trap

Many self-help forensics situations involve some claim of shared access. Spouses share devices. Business partners share accounts. Family members know each other’s passwords.

Courts have been inconsistent here, but the trend is toward a narrow view of authorization. Knowing someone’s password is not the same as being authorized by them to access their account. Using a password without the account holder’s knowledge or consent generally doesn’t satisfy the authorization requirement — even if they previously shared the password voluntarily.

The one clear safe harbor is actual consent. If the account holder gives you permission to access their account — ideally in writing — you have authorization. Without that, you’re taking a legal risk.

When the Account Holder Is Your Client

This is where it gets complicated for forensic examiners. If your client owns an account, they can consent to your access. Simple.

But what if your client and the account holder are adverse parties? What if your client is a parent and the account belongs to their minor child? What if your client believes they have joint ownership of an account because it’s on a shared device?

Parent-child cases have produced split decisions. Some courts have held that parents have authorization to access minor children’s accounts based on parental authority. Others have held that once a child creates an account with their own credentials, parental authority doesn’t extend to it. The minor’s age, the nature of the account, and the state law governing parental rights all factor in.

Joint account situations — where both parties legitimately have access credentials — generally do allow access by either party. But “joint account” is narrower than most people think. An account one spouse opened in their own name that the other spouse happens to know the password to is not a joint account.


Provider Compliance: What Cloud Services Will and Won’t Do

The SCA also governs what providers can and must disclose to government and private parties.

Under § 2702, providers generally can’t voluntarily disclose the contents of stored communications to third parties. There are exceptions — for example, with the lawful consent of the account holder or the intended recipient, or when disclosure is necessary to protect the rights or property of the provider.

Under § 2703, the government can compel disclosure through:

Private parties in civil litigation have a harder path. Most providers won’t comply with civil subpoenas for account content, citing SCA § 2702’s prohibition on voluntary disclosure. The account holder’s consent is the most reliable path. A court order combined with the account holder’s inability to object has worked in some jurisdictions, but this is litigated case by case.


Civil vs. Criminal: Different Stakes, Same Statute

The SCA operates in both civil and criminal contexts, but the practical stakes differ.

In criminal cases, SCA violations by law enforcement result in suppression of the evidence in some circuits (though the SCA itself doesn’t mandate suppression as a remedy — it’s a constitutional question running alongside the SCA claim). More commonly, criminal SCA violations by private parties — like the PI in the opening example — result in federal prosecution.

In civil cases, the private right of action under § 2707 is the primary enforcement mechanism. Plaintiffs have brought SCA claims in employment disputes, divorce proceedings, business partner conflicts, and stalking cases. The $1,000 statutory minimum per violation makes these cases financially attractive for plaintiffs’ counsel even when actual damages are hard to quantify.

The civil SCA claim also survives independently of the underlying dispute. Even if your client wins the main case, a successful SCA counterclaim by the opposing party can result in a damages award that wipes out the victory.


Practical Guidelines for Digital Forensics Practitioners

If you’re doing forensic work in a civil matter and the evidence lives in the cloud, here’s how to stay on the right side of the SCA.

Get explicit written consent from the account holder before accessing any third-party-hosted account. This applies even when the account holder is your client and the account “belongs” to the family or the business. Document the scope of consent — which account, what data, for what purpose.

Don’t rely on password knowledge as authorization. If a client hands you a list of their spouse’s passwords “because we always shared everything,” that’s not SCA-compliant authorization. Get proper legal process or the opposing party’s written consent.

Use legal process when you can. A properly issued subpoena with supporting court documentation creates a paper trail that protects both you and your client. Yes, it takes longer. Yes, it tips off the opposing party. The alternative is federal liability.

Document your authorization before you access anything. The consent letter, the court order, the subpoena — whatever your legal basis is, have it in hand before you log in or run any acquisition tool.

Know what you’re accessing. Remote email servers, cloud storage, voicemail systems — these are all covered. A local copy of a file that was downloaded to a device you have authorization to examine may be outside the SCA’s scope. Know the difference.

For context on how cloud evidence is handled forensically once you have lawful access, see our guide to [chain of custody for cloud-only evidence](/chain-of-custody-cloud-evidence/).


FAQ

Does the SCA apply to personal accounts accessed on a company device?

Yes. The SCA covers the facility providing the service, not the device used to access it. If an employee uses their personal Gmail on a company laptop, the Gmail account is still covered by the SCA. The company’s device ownership doesn’t create authorization to access the personal account. This is a common and expensive mistake in corporate investigations.

Can I access my spouse’s email if we share a family plan or joint account with the same provider?

Sharing a provider (like a family Google account) doesn’t necessarily mean you have authorization to access each individual account. Each account has its own authorization — the fact that you both use Gmail doesn’t mean you can access each other’s inboxes. If you’re on a truly joint account with shared credentials where both parties intended joint access, courts have generally found authorization exists. But separate accounts, even with the same provider, require separate authorization.

What’s the penalty for a first-time SCA violation?

Under § 2701(b), a first offense carries up to one year in prison if committed for commercial advantage, malicious destruction or damage, or private commercial gain, or up to six months if not. Subsequent violations double those maximums. On the civil side, § 2707 allows actual damages with a $1,000 minimum per violation, plus punitive damages and attorney’s fees for willful violations. Courts have awarded substantial punitive damages in cases involving systematic unauthorized access.

Does the SCA apply to text messages stored by a carrier?

Yes. SMS and MMS messages stored on carrier servers are stored communications covered by the SCA. Accessing them without authorization or legal process violates the statute. Interestingly, text messages stored only on a device you have authorization to examine (not on carrier servers) fall outside the SCA’s facility-based framework — though other laws and evidentiary rules still apply.

How does the SCA interact with state wiretapping laws?

The SCA and federal wiretap laws (18 U.S.C. § 2511) operate in parallel but cover different conduct. The wiretap statute covers interception of communications in real time. The SCA covers access to stored communications. Many states have their own equivalents to both, and some state statutes are stricter than federal law. California’s Invasion of Privacy Act (Penal Code §§ 630-637.9) is one of the most stringent in the country and often applies alongside the SCA in California-based investigations.