Can surfing the Net on company time get you fired? Perhaps. Can it subject you to Federal criminal and civil penalties? Not yet. At least not in the Tampa, Florida area. Wendy Lee v. PMSI, 2011 WL 1742028 (M.D.Fla. 2011) illustrates a creative attempt to expand the reach of the Computer Fraud and Abuse Act (CFAA)(which, incidentally, will be the subject of some future posts). The CFAA, codified at 18 U.S.C. s. 1030, is a criminal statute with a civil component. It provides a private civil cause of action for anyone who sustains damage or loss as a result of an unauthorized user hacking into a computer system who then destroys, erases or transfers computer data. It also prohibits authorized users from accessing protected information and from exceeding the limits of their authorization. In this latter context, the CFAA is typically used by an employer when a rogue employee or “insider” accesses private employer computer data and sends the data to a competitor.
In PMSI, the Plaintiff filed a Federal pregnancy discrimination suit against her employer. The employer fired back with a counterclaim based on the CFAA – saying that the Plaintiff spent her workdays surfing the Internet and playing on Facebook. So egregious was the Plaintiff’s personal computer use, that the employer asserted a CFAA violation claiming the Plaintiff violated her employer’s published computer/Internet use policy.
The Court dismissed the CFAA count and said that while Facebooking at work may be a fireable offense; it does not subject one to Federal criminal or civil liability. The court gave a narrow reading to the CFAA and held that the statute did not apply to a private employee’s violation of an employer’s internet policy. Otherwise, the court said, every employee across the land who used a company computer to send and receive personal e-mails or who surfed the Net for non-work reasons could potentially be subject to Federal liability.
So, for now, Tampa area office workers can safely surf the net on company time without being subject to CFAA liability. Whether the same workers can be fired for violating an employer computer policy, is an issue for another day and perhaps another post.
Update (7.15.13): Recently, some proposed changes to CFAA were introduced by Zoe Lofgren and Ron Wyden, democratic congressman and senator from California and Oregon, respectively. These changes, known as “Aarons” law (named for the late internet activist Aaron Schwartz), are designed to narrow the reach of the CFAA so that the statute is only used to prosecute outside hackers, rather than criminalize every-day violations of private employer computer policies or Internet terms of use. Some helpful links follow.
http://www.wired.com/opinion/2013/06/aarons-law-is-finally-here/