Lee v. PMSI, Inc.

Lee v. PMSI, Inc., No. 10-2094 (M.D. Florida January 13, 2011), was a case in the United States District Court for the Middle District of Florida about whether the Computer Fraud and Abuse Act (CFAA) makes it illegal for an employee to violate an employer's acceptable use policy. The court ruled that violating an employer's policy did not "exceed authorization" as defined by the CFAA and was not illegal under the act.

Background
The Computer Fraud and Abuse Act (CFAA) makes it illegal (with both civil and criminal penalties) to access a protected computer without authorization. Courts have long debated whether the statute applies to an employee who violates an employer's internal acceptable use policy. That interpretation of the CFAA could mean that any employee who surfs the Internet, checks Facebook, or logs into personal e-mail from work is guilty of a federal crime if the employer's workplace Internet use policy prohibits that behavior.

Shortly before Lee v. PMSI, in its initial hearing on the case, the U.S. Ninth Circuit court of appeals ruled in United States v. Nosal that an employee violated the Computer Fraud and Abuse Act when he disobeyed an employer's Internet use restrictions.

Case history
After being fired from her position as a proposal developer in PMSI's marketing department, Wendi Lee sued PMSI for pregnancy discrimination barred by the Civil Rights Act of 1964 and Florida's analogous law. After moving the case to federal court, PMSI moved to dismiss this claim. This motion was denied and PMSI subsequently filed an amended complaint claiming Lee violated the Computer Fraud and Abuse Act.

Claims
PMSI Inc. argued Lee violated the CFAA because she engaged in "excessive internet usage" by "visit[ing] personal websites such as Facebook and monitor[ing] and [sending] personal email through her Verizon web mail account." They claimed her violations of the company's computer use policy cost the company more than $5,000 in wages to her and work that had to be performed by others.

District court opinion
In May 2011 District Judge Merryday held that Lee's conduct did not exceed authorized access to her employer's computer in violation of the CFAA. He said that the CFAA was meant to target hackers who steal information or destroy functionality, not employees who use the internet instead of working. He points out that the CFAA defines "exceeding authorized access" as not just gaining access to a system without authorization, but also obtaining or altering information. Because Lee never obtained or altered information by accessing her Facebook, email or news, she was not exceeding authorized access.

The court described PMSI's claim of a $5000 loss "dubious" and held that loss productivity is not a type of loss valid for suing under the CFAA.

The court cites LVRC Holdings v. Brekka, which states that when an employer authorizes an employee to use a computer under certain limitations, the employee remains authorized to use the computer, even if they violate the conditions. Lee could only have gained "unauthorized access" in violation of the CFAA if PMSI had terminated her access and she attempted to use the computer without permission.

The court concludes that the rule of lenity requires a restrained, narrow interpretation of the statue. Extending the CFAA to cover private employee misconduct is the role of the legislature, not the judiciary.

Significance
This case was one of several which influenced the United States Court of Appeals for the Ninth Circuit en banc decision in United States v. Nosal. Like the district court in this case, the Ninth Circuit court found that definition of "exceeds authorized use" in the CFAA does not extend to violating acceptable use policies.

Several attorneys cite this case as an example of "intimidation tactics" staged by employers in response to discrimination claims.