Lee v. PMSI, Inc.

Lee v. PMSI, Inc.
Lee v. PMSI, Inc.
Court	United States District Court for the Middle District of Florida
Full case name	WENDI J. LEE, Plaintiff, v. PMSI, INC., Defendant.
Decided	January 13, 2011
Holding
	Violating an employer's acceptable use policy is not a crime under the CFAA
Court membership
Judge(s) sitting	Steven Merryday

Last updated June 13, 2023

Lee v. PMSI, Inc., No. 10-2094 (M.D. Florida January 13, 2011),^[1] was a case in the United States District Court for the Middle District of Florida about whether the Computer Fraud and Abuse Act (CFAA) makes it illegal for an employee to violate an employer's acceptable use policy. The court ruled that violating an employer's policy did not "exceed authorization" as defined by the CFAA and was not illegal under the act.

Background

The Computer Fraud and Abuse Act (CFAA) makes it illegal (with both civil and criminal penalties) to access a protected computer without authorization.^[2] Courts have long debated whether the statute applies to an employee who violates an employer's internal acceptable use policy. That interpretation of the CFAA could mean that any employee who surfs the Internet, checks Facebook, or logs into personal e-mail from work is guilty of a federal crime if the employer's workplace Internet use policy prohibits that behavior.^[3]

Shortly before Lee v. PMSI, in its initial hearing on the case, the U.S. Ninth Circuit court of appeals ruled in United States v. Nosal that an employee violated the Computer Fraud and Abuse Act when he disobeyed an employer's Internet use restrictions.^[4]

Case history

After being fired from her position as a proposal developer in PMSI's marketing department, Wendi Lee sued PMSI for pregnancy discrimination barred by the Civil Rights Act of 1964 and Florida's analogous law. After moving the case to federal court, PMSI moved to dismiss this claim. This motion was denied and PMSI subsequently filed an amended complaint claiming Lee violated the Computer Fraud and Abuse Act.^[5]

Claims

PMSI Inc. argued Lee violated the CFAA because she engaged in "excessive internet usage" by "visit[ing] personal websites such as Facebook and monitor[ing] and [sending] personal email through her Verizon web mail account."^[3]^[6] They claimed her violations of the company's computer use policy cost the company more than $5,000 in wages to her and work that had to be performed by others.^[5]

District court opinion

In May 2011 District Judge Merryday held that Lee's conduct did not exceed authorized access to her employer's computer in violation of the CFAA.^[6]^[7] He said that the CFAA was meant to target hackers who steal information or destroy functionality, not employees who use the internet instead of working.^[3]^[5]^[6] He points out that the CFAA defines "exceeding authorized access" as not just gaining access to a system without authorization, but also obtaining or altering information.^[2] Because Lee never obtained or altered information by accessing her Facebook, email or news, she was not exceeding authorized access.^[6]

The court described PMSI's claim of a $5000 loss "dubious"^[5] and held that loss productivity is not a type of loss valid for suing under the CFAA.^[3]

The court cites LVRC Holdings v. Brekka , which states that when an employer authorizes an employee to use a computer under certain limitations, the employee remains authorized to use the computer, even if they violate the conditions. Lee could only have gained "unauthorized access" in violation of the CFAA if PMSI had terminated her access and she attempted to use the computer without permission.^[6]

The court concludes that the rule of lenity requires a restrained, narrow interpretation of the statue. Extending the CFAA to cover private employee misconduct is the role of the legislature, not the judiciary.^[6]

Significance

This case was one of several which influenced the United States Court of Appeals for the Ninth Circuit en banc decision in United States v. Nosal . Like the district court in this case, the Ninth Circuit court found that definition of "exceeds authorized use" in the CFAA does not extend to violating acceptable use policies.^[2]^[3]^[8]

Several attorneys cite this case as an example of "intimidation tactics" staged by employers in response to discrimination claims.^[5]^[9]

Related Research Articles

An acceptable use policy (AUP), acceptable usage policy or fair use policy is a set of rules applied by the owner, creator or administrator of a computer network website, or service that restricts the ways in which the network, website or system may be used and sets guidelines as to how it should be used. AUP documents are written for corporations, businesses, universities, schools, internet service providers (ISPs), and website owners, often to reduce the potential for legal action that may be taken by a user, and often with little prospect of enforcement.

The Computer Fraud and Abuse Act of 1986 (CFAA) is a United States cybersecurity bill that was enacted in 1986 as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984. Prior to computer-specific criminal laws, computer crimes were prosecuted as mail and wire fraud, but the applying law was often insufficient.

Respondeat superior is a doctrine that a party is responsible for acts of their agents. For example, in the United States, there are circumstances when an employer is liable for acts of employees performed within the course of their employment. This rule is also called the master-servant rule, recognized in both common law and civil law jurisdictions.

Computer trespass is a computer crime in the United States involving unlawful access to computers. It is defined under the Computer Fraud and Abuse act.

The National Information Infrastructure Protection Act was Title II of the Economic Espionage Act of 1996, as an amendment to the Computer Fraud and Abuse Act.

United States v. Drew, 259 F.R.D. 449, was an American federal criminal case in which the U.S. government charged Lori Drew with violations of the Computer Fraud and Abuse Act (CFAA) over her alleged cyberbullying of her 13-year-old neighbor, Megan Meier, who had committed suicide. The jury deadlocked on a felony conspiracy count and acquitted Drew of three felony CFAA violations, but found her guilty of lesser included misdemeanor violations; the judge overturned these convictions in response to a subsequent motion for acquittal by Drew.

Honest services fraud is a crime defined in 18 U.S.C. § 1346, added by the United States Congress in 1988, which states "For the purposes of this chapter, the term scheme or artifice to defraud includes a scheme or artifice to deprive another of the intangible right of honest services."

Facebook, Inc. v. Power Ventures, Inc. is a lawsuit brought by Facebook in the United States District Court for the Northern District of California alleging that Power Ventures Inc., a third-party platform, collected user information from Facebook and displayed it on their own website. Facebook claimed violations of the CAN-SPAM Act, the Computer Fraud and Abuse Act ("CFAA"), and the California Comprehensive Computer Data Access and Fraud Act. According to Facebook, Power Ventures Inc. made copies of Facebook's website during the process of extracting user information. Facebook argued that this process causes both direct and indirect copyright infringement. In addition, Facebook alleged this process constitutes a violation of the Digital Millennium Copyright Act ("DMCA"). Finally, Facebook also asserted claims of both state and federal trademark infringement, as well as a claim under California's Unfair Competition Law ("UCL").

Ontario v. Quon, 560 U.S. 746 (2010), is a United States Supreme Court case concerning the extent to which the right to privacy applies to electronic communications in a government workplace. It was an appeal by the city of Ontario, California, from a Ninth Circuit decision holding that it had violated the Fourth Amendment rights of two of its police officers when it disciplined them following an audit of pager text messages that discovered many of those messages were personal in nature, some sexually explicit. The Court unanimously held that the audit was work-related and thus did not violate the Fourth Amendment's protections against unreasonable search and seizure.

United States v. Morris was an appeal of the conviction of Robert Tappan Morris for creating and releasing the Morris worm, one of the first Internet-based worms. This case resulted in the first conviction under the Computer Fraud and Abuse Act. In the process, the dispute clarified much of the language used in the law, which had been heavily revised in a number of updates passed in the years after its initial drafting. Also clarified was the concept of "unauthorized access," which is central in the United States' computer security laws. The decision was the first by a U.S. court to refer to "the Internet", which it described simply as "a national computer network."

LVRC Holdings v. Brekka 581 F.3d 1127, 1135 is a Ninth Circuit Court of Appeals Decision that deals with the scope of the concept of "authorization" in the Computer Fraud and Abuse Act. The major finding of this case is that even if an employee accesses a computer for an improper purpose, such as one that violates the duty of loyalty to their employer, the employee remains authorized to access the computer until the employer revokes the employee's access. The findings of this case were upheld by another Ninth Circuit decision in United States v. Nosal, 676 F.3d 854 and are the current law in this circuit.

United States v. Nosal, 676 F.3d 854 was a United States Court of Appeals for the Ninth Circuit decision dealing with the scope of criminal prosecutions of former employees under the Computer Fraud and Abuse Act (CFAA). The Ninth Circuit's first ruling established that employees have not "exceeded authorization" for the purposes of the CFAA if they access a computer in a manner that violates the company's computer use policies—if they are authorized to access the computer and do not circumvent any protection mechanisms.

In United States v. John, 597 F.3d 263 (2010) United States Court of Appeals for the Fifth Circuit interpreted the term "exceeds authorized access" in the Computer Fraud and Abuse Act 18 U.S.C. §1030(e)(6) and concluded that access to a computer may be exceeded if the purposes for which access has been given are exceeded.

In International Airport Centers, L.L.C. v. Citrin, the Seventh Circuit Court of Appeals evaluated the dismissal of the plaintiffs' lawsuit for failure to state a claim based upon the interpretation of the word "transmission" in the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Jacob Citrin had been employed by IAC, who had lent him a laptop for use while under their employment. Upon leaving IAC, he deleted the data on the laptop before returning it to IAC. The Court of Appeals decided to reverse the decision and reinstated IAC's lawsuit.

<i>United States v. Swartz</i> American court case

In United States of America v. Aaron Swartz, Aaron Swartz, an American computer programmer, writer, political organizer and Internet activist, was prosecuted for multiple violations of the Computer Fraud and Abuse Act of 1986 (CFAA), after downloading academic journal articles through the MIT computer network from a source (JSTOR) for which he had an account as a Harvard research fellow. Facing trial and the possibility of imprisonment, Swartz committed suicide, and the case was consequently dismissed.

Craigslist Inc. v. 3Taps Inc., 942 F.Supp.2d 962 was a Northern District of California Court case in which the court held that sending a cease-and-desist letter and enacting an IP address block is sufficient notice of online trespassing, which a plaintiff can use to claim a violation of the Computer Fraud and Abuse Act.

<i>Pulte Homes, Inc. v. Laborers International Union</i>

Pulte Homes, Inc. v. Laborers' International Union of North America, 648 F.3d 295, is a Sixth Circuit Court of Appeals case that reinstated a Computer Fraud and Abuse Act ("CFAA") claim brought by an employer against a labor union for "bombarding" the company's phone and computer systems with emails and voicemail, making it impossible for the company to communicate with customers. It held that causing a transmission that diminishes a plaintiff's ability to use its systems and data constitutes "causing damage" in violation of the CFAA.

<i>United States v. Kane</i> United States federal court case involving video poker software

United States v. Kane, No 11-mj-00001, is a court case where a software bug in a video poker machine was exploited to win several hundred thousand dollars. Central to the case was whether a video poker machine constituted a protected computer and whether the exploitation of a software bug constituted exceeding authorized access under Title 18 U.S.C. § 1030(a)(4) of the Computer Fraud and Abuse Act (CFAA). Ultimately, the Court ruled that the government’s argument failed to sufficiently meet the “exceeding authorized access” requirement of Title 18 U.S.C. § 1030(a)(4) and granted the Defendants’ Motions to Dismiss.

hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985, was a United States Ninth Circuit case about web scraping. The 9th Circuit affirmed the district court's preliminary injunction, preventing LinkedIn from denying the plaintiff, hiQ Labs, from accessing LinkedIn's publicly available LinkedIn member profiles. hiQ is a small data analytics company that used automated bots to scrape information from public LinkedIn profiles.

Van Buren v. United States, 593 U.S. ___ (2021), was a United States Supreme Court case dealing with the Computer Fraud and Abuse Act (CFAA) and its definition of "exceeds authorized access" in relation to one intentionally accessing a computer system they have authorization to access. In June 2021, the Supreme Court ruled in a 6–3 opinion that one "exceeds authorized access" by accessing off-limit files and other information on a computer system they were otherwise authorized to access. The CFAA's language had long created a circuit split in case law, and the Court's decision narrowed the applicability of CFAA in prosecuting cybersecurity and computer crime.

References

↑ Lee v. PMSI, Inc., U.S. (District Court for the Middle District of Florida, Tampa Division2011).
1 2 3 "Statutory Interpretation - Computer Fraud and Abuse Act - Ninth Circuit Holds That Employees' Unauthorized Use of Accessible Information Did Not Violate the CFAA - United States v. Nosal". Harvard Law Review. 126: 1454. 20 March 2013.
1 2 3 4 5 Greco, Michael. "Court: Using Facebook at Work Does Not Violate Computer Fraud Act". TLNT. Retrieved 4 March 2014.
↑ Kerr, Orin (28 April 2011). "Ninth Circuit Holds That Violating Any Employer Restriction on Computer Use "Exceeds Authorized Access" (Making It a Federal Crime)". The Volokh Conspiracy. Retrieved 4 March 2014.
1 2 3 4 5 Santalesa, Richard. "Use of Facebook at Work Does Not Violate the CFAA" . Retrieved 4 March 2014.
1 2 3 4 5 6 Kerr, Orin (17 May 2011). "Employer Sues Former Employee For Checking Facebook and Personal E-Mail and "Excessive Internet Usage" at Work". The Volokh Conspiracy. Retrieved 11 February 2014.
↑ Hofmann, Marcia (30 December 2011). "2011 in Review: Hacking Law". Electronic Frontier Foundation. Retrieved 4 March 2014.
↑ Patterson, Kelsey (2012). "Narrowing It down to One Narrow View: Clarifying and Limiting the Computer Fraud and Abuse Act". Charleston Law Review. 7: 489.
↑ "Stupid Employer Countersues Fired Pregnant Employee For Checking Facebook". The Spitz Law Firm. Archived from the original on 2014-04-07. Retrieved 2014-04-07.

External links

Text of Lee v. PMSI, INC. is available from: Justia Justia Docket Report

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[case-1] Lee v. PMSI, Inc., U.S. (District Court for the Middle District of Florida, Tampa Division2011).

[harvard-2] 1 2 3 "Statutory Interpretation - Computer Fraud and Abuse Act - Ninth Circuit Holds That Employees' Unauthorized Use of Accessible Information Did Not Violate the CFAA - United States v. Nosal". Harvard Law Review. 126: 1454. 20 March 2013.

[tlnt-3] 1 2 3 4 5 Greco, Michael. "Court: Using Facebook at Work Does Not Violate Computer Fraud Act". TLNT. Retrieved 4 March 2014.

[volokh-ninth-4] Kerr, Orin (28 April 2011). "Ninth Circuit Holds That Violating Any Employer Restriction on Computer Use "Exceeds Authorized Access" (Making It a Federal Crime)". The Volokh Conspiracy. Retrieved 4 March 2014.

[infosec-5] 1 2 3 4 5 Santalesa, Richard. "Use of Facebook at Work Does Not Violate the CFAA" . Retrieved 4 March 2014.

[volokh-6] 1 2 3 4 5 6 Kerr, Orin (17 May 2011). "Employer Sues Former Employee For Checking Facebook and Personal E-Mail and "Excessive Internet Usage" at Work". The Volokh Conspiracy. Retrieved 11 February 2014.

[eff-7] Hofmann, Marcia (30 December 2011). "2011 in Review: Hacking Law". Electronic Frontier Foundation. Retrieved 4 March 2014.

[charleston-8] Patterson, Kelsey (2012). "Narrowing It down to One Narrow View: Clarifying and Limiting the Computer Fraud and Abuse Act". Charleston Law Review. 7: 489.

[spitz-9] "Stupid Employer Countersues Fired Pregnant Employee For Checking Facebook". The Spitz Law Firm. Archived from the original on 2014-04-07. Retrieved 2014-04-07.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]