Lee v. PMSI, Inc.

Lee v. PMSI, Inc.
United States District Court for the Middle District of Florida
Full case name WENDI J. LEE, Plaintiff, v. PMSI, INC., Defendant.
Date decided January 13, 2011
Judge sitting Steven Merryday
Case holding
Violating an employer's acceptable use policy is not a crime under the CFAA

Lee v. PMSI, Inc., No. 10-2094 (M.D. Florida January 13, 2011),[1] was a case in the United States District Court for the Middle District of Florida about whether the Computer Fraud and Abuse Act (CFAA) makes it illegal for an employee to violate an employer's acceptable use policy. The court ruled that violating an employer's policy did not "exceed authorization" as defined by the CFAA and was not illegal under the act.

Background

The Computer Fraud and Abuse Act (CFAA) makes it illegal (with both civil and criminal penalties) to access a protected computer without authorization.[2] Courts have long debated whether the statute applies to an employee who violates an employer's internal acceptable use policy. That interpretation of the CFAA could mean that any employee who surfs the Internet, checks Facebook, or logs in to personal e-mail from work is guilty of a federal crime if the employer's workplace Internet use policy prohibits that behavior.[3]

Shortly before Lee v. PMSI, in its initial hearing on the case, the U.S. Ninth Circuit court of appeals ruled in United States v. Nosal that an employee violated the Computer Fraud and Abuse Act when he disobeyed an employer's Internet use restrictions.[4]

Case history

After being fired from her position as a proposal developer in PMSI's marketing department, Wendi Lee sued PMSI for pregnancy discrimination barred by the Civil Rights Act of 1964 and Florida's analogous law. After moving the case to federal court, PMSI moved to dismiss this claim. This motion was denied and PMSI subsequently filed an amended complaint claiming Lee violated the Computer Fraud and Abuse Act.[5]

Claims

PMSI Inc. argued Lee violated the CFAA because she engaged in “excessive internet usage” by “visit[ing] personal websites such as Facebook and monitor[ing] and [sending] personal email through her Verizon web mail account.”[3][6] They claimed her violations of the company's computer use policy cost the company more than $5,000 in wages to her and work that had to be performed by others.[5]

District court opinon

In May 2011 District Judge Merryday held that Lee's conduct did not exceed authorized access to her employer's computer in violation of the CFAA.[6][7] He said that the CFAA was meant to target hackers who steal information or destroy functionality, not employees who use the internet instead of working.[3][5][6] He points out that the CFAA defines "exceeding authorized access" as not just gaining access to a system without authorization, but also obtaining or altering information.[2] Because Lee never obtained or altered information by accessing her Facebook, email or news, she was not exceeding authorized access.[6]

The court described PMSI's claim of a $5000 loss "dubious"[5] and held that loss productivity is not a type of loss valid for suing under the CFAA.[3]

The court cites LVRC Holdings v. Brekka, which states that when an employer authorizes an employee to use a computer under certain limitations, the employee remains authorized to use the computer, even if they violate the conditions. Lee could only have gained "unauthorized access" in violation of the CFAA if PMSI had terminated her access and she attempted to use the computer without permission.[6]

The court concludes that the rule of lenity requires a restrained, narrow interpretation of the statue. Extending the CFAA to cover private employee misconduct is the role of the legislature, not the judiciary.[6]

Significance

This case was one of several which influenced the United States Court of Appeals for the Ninth Circuit en banc decision in United States v. Nosal. Like the district court in this case, the Ninth Circuit court found that definition of "exceeds authorized use" in the CFAA does not extend to violating acceptable use policies.[2][3][8]

Several attorneys cite this case as an example of "intimidation tactics" staged by employers in response to discrimination claims.[5][9]

See also

References

  1. Lee v. PMSI, Inc., U.S. (District Court for the Middle District of Florida, Tampa Division 2011).
  2. 2.0 2.1 2.2 "Statutory Interpretation - Computer Fraud and Abuse Act - Ninth Circuit Holds That Employees' Unauthorized Use of Accessible Information Did Not Violate the CFAA - United States v. Nosal". Harvard Law Review 126: 1454.
  3. 3.0 3.1 3.2 3.3 3.4 Greco, Michael. "Court: Using Facebook at Work Does Not Violate Computer Fraud Act". TLNT. Retrieved 4 March 2014.
  4. Kerr, Orin. "Ninth Circuit Holds That Violating Any Employer Restriction on Computer Use "Exceeds Authorized Access" (Making It a Federal Crime)". The Volokh Conspiracy. Retrieved 4 March 2014.
  5. 5.0 5.1 5.2 5.3 5.4 Santalesa, Richard. "Use of Facebook at Work Does Not Violate the CFAA". Retrieved 4 March 2014.
  6. 6.0 6.1 6.2 6.3 6.4 6.5 Kerr, Orin. "Employer Sues Former Employee For Checking Facebook and Personal E-Mail and "Excessive Internet Usage" at Work". The Volokh Conspiracy. Retrieved 11 February 2014.
  7. Hofmann, Marcia. "2011 in Review: Hacking Law". Electronic Frontier Foundation. Retrieved 4 March 2014.
  8. Patterson, Kelsey (2012). "Narrowing It down to One Narrow View: Clarifying and Limiting the Computer Fraud and Abuse Act". Charleston Law Review 7: 489.
  9. "Stupid Employer Countersues Fired Pregnant Employee For Checking Facebook". The Spitz Law Firm. Retrieved 2014-04-07.

External links