The Ninth Circuit recently ruled that an employee “exceeds authorized access” to his employer’s computer when he violates the employer’s Internet use restrictions: Given that federal law criminalizes exceeding authorized access, see 18 U.S.C. 1030(a)(2)(C), that would mean that every employee who surfs the Internet, checks Facebook, or logs in to personal e-mail from work is guilty of a federal crime if the employer’s workplace Internet use policy prohibits it. But surely no employee would ever be subject to a CFAA action for that kind of innocuous conduct, right?
Wrong, in light of Lee v. PMSI, Inc., 2011 WL 1742028 (M.D.Fla. 2011), handed down May 6. After Wendi Lee sued her former employer PMSI, Inc. for pregnancy discrimination, PMSI Inc. filed a counterclaim against Lee arguing that she had violated the CFAA because she engaged in “excessive internet usage” at work and “visit[ed] personal websites such as Facebook and monitor[ed] and [sent] personal email through her Verizon web mail account.” District Judge Merryday concluded that such conduct does not exceed authorized access to the employer’s computer in violation of the CFAA:
The CFAA is a criminal statute originally designed to target hackers who access computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possess the capacity to “access and control high technology processes vital to our everyday lives….” LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130–1131 (9th Cir.2009), citing 1131 H.R. Rep. 98–894, 1984 U.S.C.C.A.N. 3689, 3694 (July 24, 1984). Both the letter and the spirit of the CFAA convey that the statute is not intended to cover an employee who uses the internet instead of working. See, e.g., Intel Corp. v. Hamidi, 30 Cal.4th 1342, 1 Cal.Rptr.3d 32, 71 P.3d 296 (Cal.2003) (rejecting a claim of trespass to chattels after an employee used the company’s email system to transmit remarks disparaging the employer); Clarity Services v. Barney, 698 F.Supp.2d 1309, 1316 (M.D.Fla.2010) (expressing skepticism that an employee violates the CFAA by checking personal email at work).
. . . . PMSI fails to show that the plaintiff “exceeded authorized access” or obtained information from the computer. “Exceeds authorized access” is defined as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). The counterclaim alleges that the plaintiff visited only personal websites. (Doc. 12, Pages 6 and 7) Because the only information Lee allegedly accessed was on the personal websites, not PMSI’s computer system, Lee never “obtained or alter[ed] information in the computer.” Lee accessed her facebook, personal email, and news websites but did not access any information that she was “not entitled so to obtain or alter.”
LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir.2009), states that “for purposes of the CFAA, when an employer authorizes an employee to use a company computer subject to certain limitations, the employee remains authorized to use the computer even if the employee violates those limitations. It is the employer’s decision to allow or to terminate an employee’s authorization to access a computer that determines whether the employee is with or ‘without authorization.’ ” Because PMSI fails to allege that Lee’s authorization to use her work computer was terminated prior to her leaving the company, PMSI cannot show that Lee’s use of the computer was “without authorization.” Although Lee’s internet usage may violate company policy, 18 U.S.C. § 1030 is inapplicable.
. . . 18 U.S.C. § 1030 is a “criminal statute with a civil cause of action” and . . the rule of lenity “requires a restrained, narrow interpretation.” 698 F.Supp.2d at 1316. Extension of a federal criminal statute to employee misconduct in the private sector is a legislative responsibility and not a proper occasion for aggressive statutory interpretation by the judiciary. See, e.g., United States v. Rybicki, 354 F.3d 124, 135 (2d Cir.2003).