Targeting "Excessive" Social Media Use as Violation of Computer Fraud & Abuse Act Misses the Mark
A Computer Fraud and Abuse Act Claim (CFAA) against a former employee based on "excessive Internet usage," including visiting Facebook was recently dismissed by a Federal District Court in Florida.
Specifically, in Lee v. PMSI, Inc., the former employer claimed Wendi Lee, engaged in "excessive Internet usage" and visited "personal websites such as Facebook" and sent and reviewed her "personal web mail account. PMSI filed the CFAA claim after Ms. Lee sued for pregnancy discrimination.
Before shooting down PMIS's CFAA claim, the Court set the stage by noting:
The CFAA is a criminal statute originally designed to target hackers who access computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possess the capacity to "access and control high technology processes vital to our everyday lives .... Both the letter and the spirit of the CFAA convey that the statute is not intended to cover an employee who uses the Internet instead of working.
Against, this backdrop, the Court quickly picked apart PMSI's claim:
- First, a critical element for a CFAA claim involves "unauthorized access." PMSI, however, expressly admitted that it knew of Ms. Lee's excessive computer/Internet usage while she was employed and never terminated her authorization to use her work computer.
- Second and building upon the preceding point, PMSI made no reference to any express computer policy that Ms. Lee violated. Instead, the employer compared Ms. Lee's computer usage to two other employees in her department and argued that this discrepancy transformed acceptable Internet usage into a violation of the Computer Fraud and Abuse Act.
- Third, another required element is a loss in excess of $5,000. PMSI argued "dubiously" (court's description) that Ms. Lee caused PMSI "financial losses in excess of $5,000, due to her lack of productivity. The Court flatly rejected that "loss" under the CFAA should include lack of productivity.
- Fourth, obtaining or altering information on a protected computer is also a required element. But Ms. Lee accessed her Facebook, personal email, and news websites, i.e., information not on PMSI's computer system. Thus, Ms. Lee never "obtained or alter[ed] information" on a "protected computer."
Practical Considerations in Applying the Computer Fraud and Abuse Act to the Employment Relationship
From a practical perspective, one estimate has over 116,010,760 Americans on Facebook. Facebook itself estimates having over 500 million active users with 30% of this consisting of U.S. residents. Taking these numbers at face value, a recent survey identified that 77% of workers who have a Facebook account use it during work hours.
So following PMSI's logic and only considering Facebook (as opposed to other non-work web browsing), at any given moment a significant number of American employees are violating a criminal statute while accessing Facebook at work. This remains true even if the number of Facebook users is lowered to account for those who are not employed. And if you include accessing and monitoring March Madness or Fantasy Football stats on employer time, well I would have to exercise my Fifth Amendment rights against self-incrimination.
The Take Away for Employers and Employees
Extension of a federal criminal statute to employee misconduct in the private sector is a legislative responsibility and not a proper occasion for aggressive statutory interpretation by the judiciary.
There are certainly compelling factual situations where a Computer Fraud and Abuse Act claim against a current or former employee falls squarely within the scope and purpose of the statute. And Courts have reached a range of results favorable to employers when it comes to such claims involving employmee/employer related facts. PMSI's CFAA claim, however, does not come within a gunshot of falling in that range.