Lee v. PMSI, Inc., No. 10-2094 (M.D. Florida January 13, 2011),[1] was a case in the United States District Court for the Middle District of Florida about whether the Computer Fraud and Abuse Act (CFAA) makes it illegal for an employee to violate an employer's acceptable use policy. The court ruled that violating an employer's policy did not "exceed authorization" as defined by the CFAA and was not illegal under the act.
Lee v. PMSI, Inc. | |
---|---|
Court | United States District Court for the Middle District of Florida |
Full case name | WENDI J. LEE, Plaintiff, v. PMSI, INC., Defendant. |
Decided | January 13, 2011 |
Holding | Violating an employer's acceptable use policy is not a crime under the CFAA |
Court membership | |
Judge sitting | Steven Merryday |
Background
The Computer Fraud and Abuse Act (CFAA) makes it illegal (with both civil and criminal penalties) to access a protected computer without authorization.[2] Courts have long debated whether the statute applies to an employee who violates an employer's internal acceptable use policy. That interpretation of the CFAA could mean that any employee who surfs the Internet, checks Facebook, or logs into personal e-mail from work is guilty of a federal crime if the employer's workplace Internet use policy prohibits that behavior.[3]
Shortly before Lee v. PMSI, in its initial hearing on the case, the U.S. Ninth Circuit Court of Appeals ruled in United States v. Nosal that an employee violated the Computer Fraud and Abuse Act when he disobeyed an employer's Internet use restrictions.[4]
Case history
After being fired from her position as a proposal developer in PMSI's marketing department, Wendi Lee sued PMSI for pregnancy discrimination barred by the Civil Rights Act of 1964 and Florida's analogous law. After moving the case to federal court, PMSI moved to dismiss this claim. This motion was denied and PMSI subsequently filed an amended complaint claiming Lee violated the Computer Fraud and Abuse Act.[5]
Claims
PMSI Inc. argued Lee violated the CFAA because she engaged in "excessive internet usage" by "visit[ing] personal websites such as Facebook and monitor[ing] and [sending] personal email through her Verizon web mail account."[3][6] They claimed her violations of the company's computer use policy cost the company more than $5,000 in wages to her and work that had to be performed by others.[5]
District court opinion
In May 2011, District Judge Merryday held that Lee's conduct did not exceed authorized access to her employer's computer in violation of the CFAA.[6][7] He said that the CFAA was meant to target hackers who steal information or destroy functionality, not employees who use the internet instead of working.[3][5][6] He pointed out that the CFAA defines "exceeding authorized access" as not just gaining access to a system without authorization, but also obtaining or altering information.[2] Because Lee never obtained or altered information by accessing her Facebook, email or news, she was not exceeding authorized access.[6]
The court described PMSI's claim of a $5000 loss as "dubious"[5] and held that lost productivity is not a type of loss valid for suing under the CFAA.[3]
The court cites LVRC Holdings v. Brekka, which states that when an employer authorizes an employee to use a computer under certain limitations, the employee remains authorized to use the computer, even if they violate the conditions. Lee could only have gained "unauthorized access" in violation of the CFAA if PMSI had terminated her access and she attempted to use the computer without permission.[6]
The court concludes that the rule of lenity requires a restrained, narrow interpretation of the statute. Extending the CFAA to cover private employee misconduct is the role of the legislature, not the judiciary.[6]
Significance
This case was one of several which influenced the United States Court of Appeals for the Ninth Circuit en banc decision in United States v. Nosal. Like the district court in this case, the Ninth Circuit court found that the definition of "exceeds authorized use" in the CFAA does not extend to violating acceptable use policies.[2][3][8]
Several attorneys cite this case as an example of "intimidation tactics" staged by employers in response to discrimination claims.[5][9]
References
- [1] Lee v. PMSI, Inc., U.S. (District Court for the Middle District of Florida, Tampa Division 2011).
- [2] "Statutory Interpretation - Computer Fraud and Abuse Act - Ninth Circuit Holds That Employees' Unauthorized Use of Accessible Information Did Not Violate the CFAA - United States v. Nosal". Harvard Law Review. 126: 1454. March 20, 2013.
- [3] Greco, Michael. "Court: Using Facebook at Work Does Not Violate Computer Fraud Act". TLNT. Retrieved March 4, 2014.
- [4] Kerr, Orin (April 28, 2011). "Ninth Circuit Holds That Violating Any Employer Restriction on Computer Use "Exceeds Authorized Access" (Making It a Federal Crime)". The Volokh Conspiracy. Retrieved March 4, 2014.
- [5] Santalesa, Richard. "Use of Facebook at Work Does Not Violate the CFAA". Retrieved March 4, 2014.
- [6] Kerr, Orin (May 17, 2011). "Employer Sues Former Employee For Checking Facebook and Personal E-Mail and "Excessive Internet Usage" at Work". The Volokh Conspiracy. Retrieved February 11, 2014.
- [7] Hofmann, Marcia (December 30, 2011). "2011 in Review: Hacking Law". Electronic Frontier Foundation. Retrieved March 4, 2014.
- [8] Patterson, Kelsey (2012). "Narrowing It down to One Narrow View: Clarifying and Limiting the Computer Fraud and Abuse Act". Charleston Law Review. 7: 489.
- [9] "Stupid Employer Countersues Fired Pregnant Employee For Checking Facebook". The Spitz Law Firm. Archived from the original on April 7, 2014. Retrieved April 7, 2014.
External links
- Text of Lee v. PMSI, INC. is available from: Justia, Justia Docket Report