No Computer Fraud and Abuse Act Violation for Access of Facebook and Personal Email by Employee — Lee v. PMSI

[Post by Venkat Balasubramani]

Lee v. PMSI, 8:10 cv 2904 T 23TBM (M.D. Fla; May 6, 2011)

I blogged last week about US v. Nosal, a Ninth Circuit case where the Ninth Circuit held that access of a computer in violation of an employer’s acceptable use policy can support a criminal indictment under the Computer Fraud and Abuse Act. (“9th Cir: Access of Computer in Violation of Employer’s Use Policy Violates Computer Fraud and Abuse Act — US v. Nosal.”) One judge dissented in Nosal, noting the absurd claims that could flow from this ruling, including that an employee’s access of a website such as espn.com for personal purposes could now be rendered criminal if it violates the employer’s policy. The case from Florida involved an analogous scenario.

Lee sued PMSI, her employer, for pregnancy discrimination. PMSI counterclaimed, alleging that she violated the Computer Fraud and Abuse Act by engaging in “excessive internet usage” and “visiting personal websites such as Facebook.” PMSI also alleged that she violated the statute by “sending personal email through her Verizon web mail account.”

The court rejects the employer’s claims in a ruling that I’m surprised did not include stronger language directed at defense counsel. The court notes that the CFAA was designed to prevent hacking. According to the court, “[b]oth the letter and the spirit of the CFAA convey that the statute is not intended to cover an employee who uses the internet instead of working.” [As a side note, if any such statute were enacted, we’d all be in trouble. I would be violating the statute as I write this blog post!]

The court notes that PMSI failed to allege that it suffered the requisite amount of damage as a result of Lee’s alleged violation. PMSI argued that the loss in productivity from Lee accessing her personal account satisfied this jurisdictional requirement, but the court rejects this argument, noting that “loss” must related to damage to the “system or data, rather than lack of productivity.” The court also notes that there was no allegation by PMSI that Lee “obtained or alter[ed] information in the computer” which she accessed – she merely accessed third party websites. (Although the legal theories are different, this case is reminiscent of Intel v. Hamidi, where the California Supreme Court held that a departing employee could not be held liable under a trespass to chattels theory for sending mass emails to Intel because there was no showing of damage to Intel’s servers.)

The court dismisses the claims with prejudice. The court does not cite to Nosal, which represents a sharp departure from Brekka. I guess you can say that the jurisdictional threshold places some sort of limitation on the far reaching implications of Nosal, but given the ease with with parties can allege the jurisdictional threshold, I’m not sure this limitation is very meaningful. Nosal is still a disturbing ruling for the reasons stated in the dissenting judge’s opinion.

Other coverage:

Evan Brown: “Employee did not violate Computer Fraud and Abuse Act by checking Facebook and personal email at work

Info. Law Group: “District Ct. Holds Use of Facebook at Work Does Not Violate the CFAA

Related post:

9th Cir: Access of Computer in Violation of Employer’s Use Policy Violates Computer Fraud and Abuse Act — US v. Nosal