The debate rages on concerning the scope and extent of the federal Computer Fraud & Abuse Act. In simple terms, the CFAA makes it unlawful to access a protected computer without authorization (or in excess of one's authorization) and to damage the computer or obtain information that one is not entitled to obtain. Originally a criminal statute, the CFAA also provides for a civil claim if certain conditions are met. Courts have long debated whether the statute applies in the context of an alleged faithless employee who accesses an employer's information contained on a computer for an improper competitive purpose. Regardless of the varied judicial opinions addressing this point, the United States District Court for the Middle District of Florida recently rejected as "dubious" a somewhat novel argument that an employee violated the CFAA by accessing Facebook and her personal email at work. (A copy of the Court's opinion is available in pdf format below.)
In Wendi Lee v. PMSI, Inc., Lee sued her former employer, PMSI, for pregnancy discrimination. PMSI counterclaimed under the CFAA stating that Lee engaged in "excessive internet usage" and "visit[ed] personal websites such as Facebook and monitor[ed] and [sent] personal email through her Verizon web mail account." In its opinion dismissing the CFAA claim, the Court began by noting the CFAA is originally a criminal statute designed to target hackers who access computers to steal information. The Court noted that some courts have permitted CFAA claims against employees who send an employer's trade secrets or proprietary information via email. Lee citing Shurgard Storage Centers v. Safeguard Self Storage (W.D. Wash. 2000). Notwithstanding these cases, the Court concluded that "[b]oth the letter and spirit of the CFAA convey that the statute is not intended to cover an employee who uses the internet instead of working."
The Court's conclusion was based on more than it's impression of the purpose underlying the CFAA. The Court examined the statute and observed that a CFAA violation occurs if a defendent damages a computer or obtains information to which the employee is not entitled. In this case, PMSI failed to allege that Lee somehow damaged its computers or accessed its information. The Court also recognized that a civil claim under the CFAA only exists if the alleged wrongful conduct causes a loss to one or more persons during a one-year period aggregating at least $5,000 in value. 18 USC. 1030(c)(4)(A)(i)(l). Despite PMSI's creative argument, the Court held that the "statute does not contemplate 'lost productivity' of an employee" as the type of loss required to sustain a CFAA claim.
No doubt, the debate over the scope and applicability of the CFAA will continue to unfold in courts across the country. Employers will continue to use the CFAA as a tool to protect their confidential and trade secret information, and eventually, the Supreme Court or Congress will likely address the split of opinion. Wherever the line may be drawn eventually, for now, at least, the line has not been so broadly drawn as to apply the statute to employees who spend too much time on the internet at work. Employers who seek to address this problem should do so through appropriately tailored written policies and careful implementation.
As always, we welcome your thoughts and input in the comment section below. Let us know your reaction to this Court's opinion.
Michael R. Greco is a partner in the Employee Defection & Trade Secrets Practice Group at Fisher & Phillips LLP. To receive notice of future blog posts either follow Michael R. Greco on Twitter or on LinkedIn or subscribe to this blog's RSS feed.
Lee v. PMSI.pdf (29.40 kb)