Employers often assume they are empowered to exercise broad discretion when investigating employee computer misconduct, especially when employees are suspected of using company emails or computers to engage in the misconduct. However, employers should be aware of potential liability that could arise from their digital investigations and monitoring of employee computer and email use.
A recent case from the Georgia Court of Appeals illustrates the potential pitfalls of an overzealous investigation. The Court’s ruling in Patel v. Duke Hospitality, LLC. et. al. demonstrates that employers should think twice before they go digging for information in their employees’ personal emails, even if an employee inadvertently provides access to a personal email account by accessing it from a company computer, as this could open the employer up to liability.
After Duke Hospitality, a hotel management company, fired Dhansukh T. Patel, Patel filed a lawsuit against Duke and its managing member and Vice President Joseph Tyler Collum. Patel claimed that Collum, on behalf of Duke, illegally accessed his personal email account before taking and/or deleting data from that account. Though Collum claimed he accessed Patel’s work computer, work email, and personal email only to suspend Patel’s work email after the termination of his employment, Patel provided evidence that Collum accessed the personal email before his termination. When Collum was on Patel’s work computer, he found that Patel had sent emails with recordings of phone calls about company business to his personal email and other emails unaffiliated with Duke. Collum forwarded these recordings to himself, deleted them from the “Sent” folder on the work email account, and changed the login information for both Patel’s work and personal emails to prevent Patel from accessing the accounts.
As a result, Patel filed a lawsuit against Duke and Collum, alleging that Collum, on behalf of Duke, had committed numerous violations of the Georgia Computer Systems Protection Act, O.C.G.A. § 16-9-90 et. seq. (“GCSPA”).
The GCSPA regulates computer misconduct and imposes potential fines and/or imprisonment for people “convicted of the crime of computer theft, computer trespass, computer invasion of privacy, or computer forgery.” The GCSPA also provides for a civil cause of action for violations of the statute.
Patel asserted that Duke had committed GCSPA violations such as computer theft, computer trespass, computer invasion of privacy, computer forgery, invasion of privacy, and conversion. Duke and Collum filed a motion for summary judgment, arguing that (a) Patel’s receipt of Duke’s Employee Handbook served as a waiver of any computer privacy expectations, (b) Patel’s conversion claim was invalid because access to Patel’s personal email had been returned, and (c) Patel’s request for injunctive relief was moot since his email account was preserved and Duke no longer had access to it.
The trial court granted Duke’s motion for summary judgment, but Patel appealed, arguing that there remained disputed issues of material fact, making summary judgment improper. The Court of Appeals agreed with Patel, reversing the grant of summary judgment. The Court held that factual questions precluded summary judgment, including Patel denying his receipt and acknowledgement of the employee handbook, chronological inconsistencies related to the handbook, and disagreements about whether Patel’s personal email access had been fully restored and the extent to which the contents of the personal email account were changed. 
This ruling is significant because it sends a clear message to Duke — and other employers in Georgia — that companies, if challenged, will have to legally justify, through evidence of consent, their activities on employee’s personal emails and devices, or prove their legal right to engage in such activities. Thus, this ruling demonstrates that there could be significant consequences to an overzealous investigation of computer misconduct by an employee when that investigation is not supported by the appropriate company policies (and the company must also be able to establish the employee agreed to those policies).
Employers risk opening themselves up to liability by accessing or altering information on employees’ personal emails and devices without receiving proper authorization. This could include financial and legal consequences for employers whose investigations are challenged by employees or former employees.
To ensure your employee investigation and methods of accessing personal data of employees are legally sound or get advice about GCSPA-related matters, please do not hesitate to reach out to us. In the meantime, we will continue to track developments related to the Georgia Computer Systems Protection Act and help keep you updated on how you can steer clear of conduct that could potentially lead to liability. 
 Patel v. Duke Hospitality, LLC. et. al, A22A0277, 2022 WL 2313699 (Ga. App. June 28, 2022).
 Patel v. Duke Hospitality, LLC. et. al.
 Thank you to Hannah Perron, a first-year student at Emory University School of Law, for her help with this article.