The way we communicate has changed dramatically in recent years, with businesses and individuals moving from traditional email to cloud-based collaboration platforms like Microsoft Teams, Slack, WhatsApp, Skype, and Telegram. As a litigator, you will inevitably need to obtain electronic communications stored on these platforms as part of discovery. But the process isn’t as simple as sending a subpoena—because the Stored Communications Act (SCA) is in play.
This week, we’re diving into a recent federal court decision that unpacks when and how you can compel a cloud service provider like Microsoft to produce user communications. Understanding this ruling is key for anyone trying to get—or protect—cloud-stored data in litigation.
What is the Stored Communications Act?
The SCA is part of the Electronic Communications Privacy Act (ECPA), enacted in 1986—long before the explosion of cloud computing. The law governs access to electronic communications stored by third-party providers and generally prohibits those providers from disclosing user content unless an exception applies. There are seven exceptions under the SCA, including consent, legal process, and authorized disclosure, but courts often struggle to interpret them in the modern digital landscape.
The Case: Seeking Cloud Data from Microsoft
In this recent decision, Sihler v. Microsoft Corp., the plaintiff sought Skype chat records from Microsoft related to an alleged scheme to defraud consumers. The defendant, David Flynn, had produced some Skype chats in the underlying case, but they were copied and pasted into a Word document—raising concerns about their completeness. Plaintiffs subpoenaed Microsoft for the full records, but Microsoft refused to comply, citing the SCA.
The key issue? Whether Flynn’s declaration, in which he expressly consented to Microsoft producing his chats, was enough to satisfy the SCA’s consent exception—or whether Microsoft’s own internal verification process controlled.
Microsoft’s Stance: The Need for Verification
Microsoft, like other cloud providers, follows a strict process before disclosing user data. The company argued that Flynn’s declaration wasn’t enough because he failed their verification process, which requires specific identity-confirming details. Microsoft further claimed that its law enforcement and national security division flagged inconsistencies in Flynn’s account information.
But here’s the kicker—Microsoft didn’t raise this verification issue until after the court had already ruled on the initial motion to compel. That delay became a key factor in the court’s ruling.
The Court’s Ruling: Consent is Enough
The court ultimately rejected Microsoft’s position, finding that Flynn’s sworn declaration met the requirements for lawful consent under the SCA. Importantly, the court emphasized:
- The declaration explicitly identified Flynn and his Skype account.
- It included language consenting to Microsoft’s disclosure of the records.
- It was made under penalty of perjury—a critical factor in the court’s analysis.
While the court acknowledged Microsoft’s commitment to user privacy, it ruled that the SCA does not require consent to be communicated in a provider’s preferred format. That means a verified declaration from a user can be sufficient to compel production, even if it doesn’t meet Microsoft’s internal verification standards.
Key Takeaways for Litigators
If you’re trying to obtain cloud-based communications in discovery, this case offers some essential lessons:
1. Know the SCA and Its Exceptions
Before issuing a subpoena for cloud-stored communications, understand which SCA exception you’ll rely on. Consent is often the best option, but it must be properly documented.
2. Use a Strong, Well-Drafted Declaration
The court placed significant weight on Flynn’s declaration because it was detailed, unambiguous, and made under penalty of perjury. If you’re obtaining consent from a party or witness, follow this format and include specifics about the account and data sought.
3. Be Ready to Challenge Provider Verification Requirements
Cloud providers have internal policies for responding to subpoenas, but those policies don’t override the SCA. If a provider refuses to comply, be prepared to argue that the declaration itself is sufficient under the law.
4. Act Quickly and Be Diligent
Microsoft’s delay in raising its verification objection was a deciding factor in the court’s ruling. If you’re on the other side of this issue—either seeking data or responding to a subpoena—timeliness matters.
Final Thoughts
This decision provides an important precedent for litigators seeking cloud-stored ESI. While Microsoft and other providers will continue to push for stricter verification processes, courts are showing a willingness to accept sworn declarations as a valid form of consent. If you’re dealing with third-party subpoenas for cloud data, take note—this ruling could make your job a whole lot easier.
For litigators navigating the Stored Communications Act, keeping up with evolving case law is essential. Courts continue to interpret its exceptions in different ways, particularly as cloud-based communication tools become more prevalent in litigation. Understanding these nuances can make the difference between obtaining critical evidence or hitting a roadblock.
Stay tuned for more case law insights on eDiscovery and discovery strategy. If you’ve encountered challenges with third-party subpoenas for cloud data, I’d love to hear your thoughts—these issues are only becoming more complex.
[View source.]
