Attorney General's Opinion
Attorney General, Richard Blumenthal
September 11, 2002
The Honorable John P. Burke
State of Connecticut
Department of Banking
260 Constitution Plaza
Hartford, CT 06103-1800
Dear Commissioner Burke:
I am writing in response to your request for a formal opinion as to whether the Department of Banking ("Department") has the authority to reimburse an electronic service provider for reasonable costs associated with complying with an administrative subpoena, in light of the requirements imposed by the Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2706 ("ECPA") and section 36b-26(b) of the Connecticut Uniform Securities Act ("Act"). You have requested an opinion regarding the following issues:
- Does the ECPA require the Department to reimburse the subject of an administrative subpoena for compliance with a subpoena duces tecum?
- Is there any Connecticut statutory authority for the Department to expend agency funds to compensate the subject of an administrative subpoena for compliance with such subpoena?
- Is there any Connecticut statutory authority that entitles the subject of an administrative subpoena to the costs associated with complying with such subpoena?
- If the answer to questions 2 or 3 is no, would the ECPA control absent a court order or state statutory authority?
- If the answer to question 4 is yes, under what theory?
- If you conclude that the ECPA controls, what is the current status of the previous opinions issued by your office?
Based upon the following discussion, it is our opinion that the ECPA requires a governmental entity, including a state agency, to reimburse the provider of information, communications, or records that fall within section 2703 of the ECPA. 18 U.S.C. § 2703(b) and 2706. Section 2703(b)(B) entitles a state agency to obtain from the provider of a "remote computing service" the contents of any electronic communication with prior notice from the agency to the subscriber or customer if the governmental entity uses an administrative subpoena authorized by a state statute. 18 U.S.C. § 2703(b)(B). The ECPA defines "remote computing service" as "the provision to the public of computer storage or processing services by means of an electronic communications system." 18 U.S.C. § 2711(2). Section 2706 of the ECPA requires reimbursement to an entity or person who provides information to the agency pursuant to section 2703(b)(B). The absence of state law specifically authorizing payment to the provider of information under the ECPA or general principles of state law that do not support payment would be preempted by the express federal statutory mandate requiring reimbursement if the information obtained by the agency pursuant to subpoena falls within the scope of the ECPA.
The purpose of the Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2701 et seq. ("ECPA"), is to protect against the unauthorized interception of electronic communications. Senate Report No. 99-541, p.1. Section 2702 of the ECPA prohibits a person or entity who provides an electronic communication service or remote computing service to the public from knowingly divulging the contents of a communication which is carried or stored on that service. Exceptions to this prohibition allow governmental entities to obtain information under specific circumstances. Section 2703(b)(B) of the ECPA allows disclosure to state agencies pursuant to an administrative subpoena. Section 2703(b)(B) is relevant to the administrative subpoenas issued by the Department of Banking. Section 2703(b) provides in relevant part:
The term "remote computing service" is defined in the ECPA as "the provision to the public of computer storage or processing services by means of an electronic communications system." 18 U.S.C. § 2711(2).1
Section 2706 of the ECPA requires reimbursement for costs associated with the production of information pursuant to an administrative subpoena as follows:
Section 36b-26(b) of the Connecticut Uniform Securities Act authorizes the Commissioner of the Department to issue administrative subpoenas. Section 36b-26(b) provides, in relevant part,
As you noted in your request for this opinion, the Connecticut statute does not expressly authorize the Department to reimburse the subject of a subpoena for costs associated with compliance with the subpoena. However, the Department is required to comply with the ECPA, which provides the Department with authorization to reimburse costs that fall within the scope of section 2703(b)(B) of the ECPA.
Therefore, if the Department obtains information pursuant to an administrative subpoena from an entity or person who provides to the public computer storage or processing services by means of an electronic communications system, it is required under federal law to reimburse reasonable costs. It should also be noted that the ECPA requires the Department to give prior notice to the subscriber or customer if the Department uses an administrative subpoena authorized by state statute.
As you note in your request, this Office has previously opined that a state agency may reimburse the subject of an administrative subpoena for compliance with the subpoena only if authorized by statute or court order.2 These opinions are consistent with our conclusion in this case because the ECPA is the statutory authority that allows and mandates reimbursement when information is provided within the scope of the ECPA. In addition, it is important to note that the prior Attorney General opinions cited in your request pre-date the ECPA and do not involve the issuance of a subpoena to a provider of a remote computing service. To the extent that Connecticut law may be interpreted in a way that conflicts with the narrow application of the ECPA, the federal statute would preempt state law.
The law regarding federal preemption is well established. Under the Supremacy Clause of article VI of the federal Constitution, Congress may enact laws that preempt state or local law.
To the extent that Connecticut law may be interpreted to mean that costs may not be reimbursed, conflict preemption would require compliance with the federal statute. It would be impossible to follow both the ECPA mandate requiring reimbursement of costs and general principles of state law that do not support reimbursement for costs incurred in complying with an administrative subpoena. Of course, preemption is narrowly applied. Therefore, costs are only to be paid where the ECPA applies. Specifically, costs should only be reimbursed pursuant to section 2706 of the ECPA when the Department has obtained information from a provider of remote computer services within the scope of section 2703(b) of the ECPA. The principles set out in the previous Attorney General Opinions would continue to apply where the ECPA does not apply.
Thus, in response to your first question, if the Department obtains information pursuant to an administrative subpoena from a person or entity who provides to the public computer storage or processing services by means of an electronic communications system, the ECPA requires reimbursement by the Department for reasonable costs. With regard to your second question, the ECPA provides statutory authorization for payment of such costs. In response to questions three and four, the ECPA would control when applicable and require the payment of reasonable costs notwithstanding the absence of a court order or state statutory authority. With regard to your fifth question, the federal law would preempt any conflicting state law or policy only where the ECPA applies. Finally, with regard to your last question, the previous Attorney General Opinions would continue to apply in cases not involving the ECPA until such time as the state law may change.
We hope that this information is of assistance to you. Please do not hesitate to call me if you have any questions or comments regarding this matter.
Very truly yours,
Joan C.G. Grear
Assistant Attorney General
1The term "remote computer service" under the ECPA has been applied in two federal district court decisions. The federal district court in the Northern District of California held that an online retailer, Amazon .com, Inc., did not provide electronic communication service or remote computing service within the meaning of the ECPA. The retailer had to purchase electronic communication service from a provider and did not independently provide such service to the public even though it could communicate with customers through e-mail. Crowley v. Cybersource Corp., 166 F.Supp. 2d 1263, 1270 (N.D. Cal. 2001). An electronic bulletin board system was held to constitute a "remote computing service" within the definition of section 2711 of the ECPA in Steve Jackson Games, Inc. v. U.S. Secret Service, 816 F.Supp. 432 (W.D. Tex 1993) affirmed 36 F.3d 457 (5th Cir. 1994).
2Honorable Stephen B. Heintz, May 7, 1986; The Honorable David H. Neiditz, December 1, 1980; 1976 WL 29907, Honorable Sandra Biloon, September 8, 1976.