Use of Facebook at Work Does Not Violate the CFAA

Tuesday, May 24, 2011

David Navetta


Article by Richard L. Santalesa

Every now and then I wonder what goes through the mind of some litigation parties and their respective attorneys.

Case in point the ongoing case of Wendi J. Lee v. PMSI, Inc., 8:10-cv-2904, out of the U.S. Middle District of Florida within the 11th Circuit Court of Appeals.

Ms. Lee filed suit against PMSI, her former employer, in Florida state court after being fired from her position as a Proposal Developer in PMSI’s Marketing Department. In her complaint she alleged violations by PMSI of Title VII of the Civil Rights Act and Florida’s analogous Civil Rights Act of 1992 (FCRA), for “discrimination because of pregnancy.”

After removing to federal court, PMSI moved to dismiss count 2 (the FCRA claim), which was denied, and then answered, which was in turn followed by an amended answer with a counterclaim “for violation of the Computer Fraud and Abuse Act, as amended by the Computer Abuse Amendments Act of 1994, 18 U.S.C. §§ 1030 and 2707.”

PMSI’s counterclaim maintained that “Lee’s internet usage substantially exceed the usage of her coworkers in the Marketing Department” and that such usage “exceeded her authorization to use the internet by accessing and spending large amounts of paid work time visiting personal websites such as Facebook . . . while on company paid time and from a company owned computer.”

The Court's Order in response struck PMSI's attempted use of the CFAA with prejudice.

In its counterclaim PMSI concluded that Lee's actions violated the Company’s Computer Usage Policy and that as to the necessary CFAA hook “[t]he Company suffered a loss from this unproductive time that Lee spent on these unauthorized websites” which “[a]s a direct and proximate result of the . . . conduct by Lee . . . suffered financial losses in excess of $5,000, due to her lack of productivity, as work that should have been performed by her had to be given to others and in wages paid to her.”

The Court's Order

In response, Ms. Lee moved to dismiss the counterclaim via a Motion to strike Defendant's Untimely Amended Pleading and Counterclaim or Alternativly [sic] to Dismiss Defendant's Counterclaim.

In a workmanlike six-page Order, U.S. District Judge Steven D. Merryday granted Ms. Lee’s motion and dismissed PSMI’s counterclaim with prejudice while reinstating PMSI’s original Answer.

Frankly, had the court held otherwise virtually every employee with computer access around the country – or rather, at least within the Middle District of Florida - would have been subject to a CFAA counterclaim if fired and thereafter attempting to sue in response.

Judge Merryday’s Order notes that “[t]he CFAA is a criminal statute originally designed to target hackers who access computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possess the capacity to ‘access and control high technology processes vital to our everyday lives....’ * * *  Both the letter and the spirit of the CFAA convey that the statute is not intended to cover an employee who uses the internet instead of working.”

From this second paragraph of the Order it was all downhill for PMSI. In discussing PMSI’s attempted damages hook as to Lee’s alleged “lost productivity” due to surfing the Internet the court, and I can’t help but applaud the Judge’s ability to maintain a straight face in his prose, stated “[t]he defendant asserts (dubiously) that during her six months of employment, the plaintiff caused the defendant ‘financial losses in excess of $5,000, due to her lack of productivity . . .’ (Doc. 12) The definition of ‘loss’ contemplates damage to a system or data, rather than a lack of productivity.”

It’s one thing to argue zealously on behalf of one’s client; it’s quite another to attempt to stretch a statute, flawed as the CFAA is, to such lengths that an Acme Giant Rubber Band of the type favored by Wiley E. Coyote would snap.

In putting PMSI’s counterclaim to bed, the court further observed that:

“PMSI fails to show that the plaintiff ‘exceeded authorized access’ or obtained information from the computer. ‘Exceeds authorized access’ is defined as ‘to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.' 18 U.S.C. § 1030(e)(6). The counterclaim alleges that the plaintiff visited only personal websites. (Doc. 12, Pages 6 and 7) Because the only information Lee allegedly accessed was on the personal websites, not PMSI’s computer system, Lee never ‘obtained or alter[ed] information in the computer.’ Lee accessed her facebook, personal email, and news websites but did not access any information that she was ‘not entitled so to obtain or alter.’"

Applying the final thrust, Lee’s actions may have violated the company’s usage policies, in the court’s view, but PMSI’s attempted shoehorning of her conduct into the CFAA was a distinct no-go.

And in a footnote aside, that fairly screamed READ THE STATUTE AND APPLICABLE CASE LAW NEXT TIME, the court dryly quipped, “18 U.S.C. § 1030(a)(2)(C) also requires that the information be obtained from ‘a protected computer’ which is defined as a computer ‘which is used in or affecting interstate or foreign commerce or communication.’ 18 U.S.C. § 1030(e)(2)(B). The defendant fails to allege that the plaintiff accessed a ‘protected computer.’"

And, with a final light touch, Judge Merryday closed with the backhand that “[e]xtension of a federal criminal statute to employee misconduct in the private sector is a legislative responsibility and not a proper occasion for aggressive statutory interpretation by the judiciary. See, e.g., United States v. Rybicki, 354 F.3d 124, 135 (2d Cir. 2003).


As we all know in litigation, to egregiously mangle a metaphor, sometimes the bear gets you and sometimes you get the bear. Here PMSI was more than "gotten" by the bear, as it were.

Thankfully so. Still, it's a lesson as to when aggressive or sloppy representation crosses over into mere aggravation for all concerned, particularly when the often troublesome CFAA is involved.

Cross-posted from InfoLawGroup

Possibly Related Articles:
Legal Social Media Employees Policies and Procedures Computer Fraud and Abuse Act CFAA
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked