In Episode 167, Kelly Twigger discusses when and how a party can navigate the Stored Communications Act to seek data from a third party cloud provider via subpoena in Sihler v. Microsoft Corp.
Introduction
Hi and welcome to our Case of the Week segment on our podcast. My name is Kelly Twigger. I am the Principal at ESI Attorneys, a law firm for ediscovery and information law, and the CEO and founder at eDiscovery Assistant, where we take the insights from our practice and provide a knowledge platform for you to leverage the power of Electronically Stored Information (ESI). Thanks so much for joining me today.
Hopefully, many of you had the chance to participate in the University of Florida eDiscovery Conference last week. We had more than 3,000 participants worldwide virtually and the content was incredible. Thank you to all of my fellow members of the planning committee, including Bill Hamilton and Maribel Rivera, for all of their efforts in putting the conference together. If you registered and weren’t able to participate or see all of the panels, keep an eye on your inbox, as all registrants will have access to the content virtually for six months, and you should see that either this week or next.
Now that UF is wrapped up, we are five weeks away from LegalWeek in New York City. Our entire team at eDiscovery Assistant will be at the show, and we are going to have some exciting announcements to share with you. We’d love to see you. So if you aren’t already signed up, please sign up at our blog to receive an email invitation to stop by our suite. You can also submit this form and we’ll reach out as soon as we get started scheduling those meetings.
On with our show.
This week’s decision is incredibly important, as firms and companies have been increasingly moving their data to the cloud over the last five years. Since the pandemic, the use of Microsoft Teams, Slack, google apps — all these collaboration tools have completely skyrocketed, meaning that it is highly likely that you will have to look at some cloud repository to find the ESI you need for your case, no matter what size that case is.
For those of you that are new to the broadcast, when I say storing data in the cloud, I mean using some other service to host data for you. Instead of you having it in your office on an email server, you host your email with Google Mail or Microsoft or some other web-based mail application. It can be Slack, Office, google docs, your HR software, your benefits platforms, social media, instant messaging applications like WhatsApp and so many different forms of communication that you use every day. Start paying attention and asking yourself whether those are cloud-based applications that you’ll need to know how to get in discovery. Sometimes that data can be collected via the platform, like text messages from a phone, and sometimes you’ll need to go to the source that hosts the data to get it. That’s the issue in today’s decision, and that means that the Stored Communications Act comes into play.
So what is the Stored Communications Act? The SCA is Title II of the Electronic Communications Privacy Act, or the ECPA, and it was enacted a very long time ago in 1986, way before Al Gore invented the internet. The SCA covers access to electronic information that is stored in third-party computers or, as I discussed before, in the cloud. The ECPA, and therefore the SCA, generally prohibits a service provider from disclosing the contents of an account holder’s communications unless one of several exceptions apply. There are seven different exceptions. I’m not going to go through them all today, but I’ll provide a list of them as we follow up on this podcast. They are, just by name: authorized disclosure, incidental disclosure, consent, legal process, emergency, the National Center for Missing and Exploited Children and foreign government.
The exception at issue in our decision today is consent and whether a provider may disclose communications “with the lawful consent of the originator or an addressee or intended recipient of such communication, or the subscriber in the case of a remote computing service.” That’s the language specifically from the SCA on consent.
Facts
Today’s decision comes to us from Sihler v. Microsoft Corp. This is a decision from January 15, 2025, from United States District Judge Tana Lin. Judge Lin has 22 decisions in our eDiscovery Assistant database on discovery issues, and the issues as tagged for today’s decision include Skype, Stored Communications Act, third-party subpoena, privacy, cloud computing and instant messaging.
This is a case brought where Microsoft resides in Seattle to compel the production of documents pursuant to a third-party subpoena on Microsoft for an action that’s actually pending in the Middle District of Florida. So, a third-party subpoena against Microsoft, that Microsoft did not comply with, and the plaintiff was forced to bring a motion to compel. The underlying action pending in the Middle District of Florida arises out of an alleged scheme to defraud consumers in connection with the sale of sham weight loss pills for which the plaintiffs were not able to receive refunds.
The subpoena at issue here sought the records of Skype chats between David Flynn, one of the Keto Associates, who’s a defendant in the underlying action, and several other named accounts and individuals. The subpoena itself requested records from January 1, 2019 and December 31, 2023, based on plaintiff’s allegations that the defendants and Keto Associates orchestrated their scheme in part through Skype conversations, specifically advising the Keto Associates, including Flynn, on how to structure the financial back end of the scheme. Flynn produced some Skype chats in the underlying district action in Florida by cutting them and pasting them into a Word document that petitioners assert was incomplete on their face, which sounds realistic. The petitioners argue that they had a distinct need for the requested documents in order to ensure the completeness of conversations produced by Mr. Flynn and that Mr. Flynn may have also participated in group conversations, which they also want.
On the initial motion to compel, which was heard in December 2024, District Judge Lin granted that motion and Microsoft then moved for reconsideration, which is what we’re before the Court on today. In its motion for reconsideration, Microsoft adds what it believes to be new information regarding the lack of verification of Mr. Flynn’s identity regarding his accounts and questioning whether or not the consent exception to the Stored Communications Act had been met, as the Court found on the original motion to compel.
In support of Microsoft’s position on this motion for reconsideration, the plaintiffs submitted a declaration from Flynn that was obtained in the related federal litigation in Florida, and in that declaration Flynn identifies his Skype screen name and explains that he made screenshots and exports of various Skype and Telegram chats, which he provided to the petitioners. He concludes, “I understand Plaintiffs’ counsel may seek to subpoena additional Skype chats in additional litigation in which Plaintiffs or Plaintiffs’ counsel is engaged. I hereby consent to any third party, including Microsoft, producing to Plaintiffs or Plaintiffs’ counsel any Skype chats in their possession, custody or control that include me or my Skype ID if such Skype chats or conversations include any of the following individuals or Skype IDs.” He then goes on to list the names and screen IDs for each of the individuals that he would have communicated with.
The declaration goes on to say that “This consent to production applies without regard to whether I have been removed from the chat or conversation or have cleared the chat or conversation history or otherwise no longer have access to the chats or conversations in question.” and “I hereby declare the above statements are true and correct under the penalty of perjury under Federal law.”
I gave you that quoted language for two important reasons. One, it’s good language and the court here finds that it’s sufficient to establish lawful consent under the SCA. So you’ll want to put that in your back pocket and have it if you’re trying to seek information from a cloud service provider that has a verification process. Second, it’s really important here that the “under penalty of perjury” language is included in that declaration. That’s something the Court relies on heavily here.
In essence, the fight here is over whether or not Flynn’s declaration is sufficient to show the lawful consent under the ECPA. And, no surprise, the ECPA is silent as to what lawful consent means. Microsoft’s argument is a little bit vague from the Court’s decision, but it appears to be that Microsoft has a verification process for establishing consent through the use of a specific form, the information on which is then verified, and that Mr. Flynn’s form failed Microsoft’s verification process. According to Microsoft, “If a purported accountholder fails [Microsoft’s] verification process, [Microsoft] does not view the unverified consent as sufficient under the ECPA to disclose the content of communications.”
Microsoft also stated that its Law Enforcement National Security division determined that the information provided in the verification form from Flynn was incomplete or did not match the registration data on the account, and Microsoft noted that it told plaintiffs of that failure prior to the Court’s December order on the motion to compel. It was after the briefing had closed on the motion, but before the Court had issued its ruling on the motion to compel. There’s nothing in the decision, however, that says that Microsoft actually informed the Court about that failure.
However, despite this alleged failure, Microsoft could not tell the plaintiffs or the Court why the consent form failed, pointing to security reasons for why Microsoft could not “point to which data point doesn’t match.” So without that information, the Court was really at a loss to be able to evaluate whether or not that verification process was necessary.
So the question before the Court is whether the alleged failed verification changes the Court’s analysis and the SCA precludes Microsoft from producing the documents requested by the plaintiff’s subpoena. Remember that the Court has already ruled on the motion to compel that, in fact, Microsoft should produce those documents, and Microsoft is saying that this second form verification failure changes the dynamic and means that the SCA is still in play.
Microsoft wants additional information on their verified form to provide consent. Plaintiffs argued that 1) Microsoft could have raised this issue in its briefing on the prior motion and failed to do so, and, 2) that the ECPA does not require consent to be verified on Microsoft’s preferred form.
This is a significant ruling for Microsoft. What you have to remember is that Microsoft receives thousands of subpoenas and requests for information every year. They host petabytes upon petabytes of data, especially since so many organizations have moved to using Microsoft Teams and hosting their email with Microsoft. It’s incredibly important for them to have parameters around how and when they have to respond to requests and what that response is required under the ECPA. Having an established process that must be met is critical for them and for any cloud provider who will get asked for data. So the Court’s decision here has tremendous bearing on what Microsoft can require going forward, at least in this Court.
Analysis
Now, with that in mind, let’s look at the Court’s analysis.
The Court looked initially at the timing of Microsoft’s raising the alleged failed verification the second time and found that it was not raised in a timely manner. Microsoft flagged one issue on the original form submitted by Flynn, but failed to look at any other issues at the same time. That was one factor the Court considered. Flynn then submitted a second verification form that contained five pieces of information, and counsel failed to verify it for almost a month, during which the briefing on the motion to compel closed. According to the Court:
This course of behavior suggests that Respondent was not diligent in processing Flynn’s verification form and notifying Petitioners of any issues, thus resulting in the Court’s Order based on outdated information and the instant motion. On this ground alone, the motion could be denied as based on ‘evidence … that could reasonably have been raised earlier in the litigation.’
The Court then turned to the ECPA issue and the consent exception that allowed for production on the initial motion to compel. The parties dispute what’s required to show lawful consent under the ECPA. The statute is silent as to what that phrase means. Super helpful, right. And, as the Court points out, “[C]ase law provides little guidance. In the absence of a clear rule or even a guiding standard, service providers like Respondents are left to make their best guess as to what constitutes ‘lawful consent’ such that they can lawfully comply with the ECPA.”
Looking at the facts here, the Court found that Flynn’s declaration made a sufficient showing of lawful consent under the SCA. The Court is careful to say that it does not “purport to create a rule or standard here.” That’s really significant because, as I’m telling you, I think that the ruling does create a rule. But it did find that Flynn’s declaration identified himself and his Skype account, explicitly consented to respondents’ disclosure of his communications, and is authored under penalty of perjury. Remember I mentioned to you that the Court puts a lot of weight on that, and it’s key. The affidavit and declaration are the ways in which the Federal Rules of Civil Procedure provide for parties to provide testimony in those formats.
Other facts supported the finding — including that Flynn later twice completed respondent’s verification form, where he again identified himself and his Skype account, and explicitly consented to respondents’ disclosure of his communications and answered under penalty of perjury. On the form, Flynn answered additional questions, including the approximate date of his account creation, the email address provided at the time of creation, the country selected at the time of registration, the approximate date of his last login, and up to three contacts from his contacts list. Petitioners also supplied Skype screenshots and chats provided by Flynn, which was further evidence that Flynn was the actual account holder. So you’re looking at actual messages that tie the account name and information he’s giving you to actual chats in which it was used.
The Court took all that information and also looked at two different cases the In re Akhmedova and Super Vitaminas, S.A., both of which established lawful consent through declarations and rejected the notion that only the verification process by the provider was sufficient to establish lawful consent. In concluding, as had both courts in the cases I just mentioned, the Court commended Microsoft for its commitment to its users’ privacy, but found that the ECPA does not require consent to be communicated in respondent’s preferred manner. Nor does anything in the ECPA require consent to be unlimited in scope.
Takeaways
With that holding, what are our takeaways?
This is a really key case. If you’re going to ask for data from a third-party provider, and it’s likely you will have to if you haven’t already, you need to know about the Stored Communications Act and be prepared to meet one of the exceptions to have a court order production. If you go into eDiscovery Assistant, you can use the Stored Communications Act issue tag to be able to find cases in your jurisdiction that deal with the Stored Communications Act. I suggest also using a search term for the specific name of the exception that you’re looking for. Here, if you use Stored Communications Act and consent, you come right to cases that address the case law on consent as an exception to the SCA.
Also, as we saw here and as is detailed in the In re Akhmedova case, as cited by the Court, cloud providers have their own verification processes that they want you to follow and they are willing to go to court to preclude production until you do, or until they get a court ordering them to produce documents. If you are arguing against that verification process or the denial of a verification for consent, you need to understand today’s ruling and the decisions that the court relies on to allow for a declaration with sufficient information in it to meet that lawful consent requirement. Look at the declaration that is actually listed in the decision from today. Make sure that you’ve covered all of the boxes that we checked on all the information that’s included there, as well as it being filed under penalty of perjury.
However, with all of that being said, you must also be willing to go to court to compel production and ensure that what you have done is needed to establish lawful consent. It’s going to be very specific, but the case law here and the declaration from Flynn that’s included gives you that good guidance. Take a look at it, follow it. Know the SCA and its terms. I get at least one phone call a week asking for help to subpoena third party services like Microsoft, Meta, Tiktok, etc. The process is provided under Rule 45 for third party subpoenas, but you need to establish one of the exceptions under the SCA to get the data and you need to be willing to go to the mattresses to get it, because it won’t be quick and it won’t be cheap.
The last point I’ll make to you is this. If you’re on the other side verifying the process, like Microsoft did here, this decision today puts you on notice that it needs to be done pretty quickly. In this particular situation, the parties were exchanging forms while they were briefing the motion to compel, so sitting on these items when you’ve got plaintiffs that are willing to move forward on a motion to compel is going to end up costing time and money.
Conclusion
That’s our Case of the Week for this week. Be sure to tune in for our next episode, whether you’re watching us via our blog, YouTube, or downloading it as a podcast on your favorite podcast platform. You can also find back issues of Case of the Week on your favorite podcast platform and be sure to subscribe, as we’ll be adding new content apart from the Case of the Week segments. There are some exciting things coming with the podcast in the next couple of weeks, and we look forward to sharing those with you. Have a great week!
As always, if you have suggestions for a case to be covered on the Case of the Week, drop me a line. If you’d like to receive the Case of the Week delivered directly to your inbox via our weekly newsletter, you can sign up on our blog. If you’re interested in doing a free trial of our case law and resource database, you can sign up to get started.
