
May 06, 2006

Delete at Your Own Risk: Application of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030

Written by Bradley C. Nahrstadt, Partner, Williams Montgomery & John Ltd.

On March 6, 2006, the 7th U.S. Court of Appeals issued an important decision that provides added strength to the Computer Fraud and Abuse Act (CFAA) for companies whose computer data is destroyed by disgruntled former employees. International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).

The defendant in this case, Jacob Citrin, was employed by the plaintiff, International Airport Centers (IAC), a real estate company, as a property developer. Citrin was charged with identifying properties that IAC might want to acquire and assisting in any ensuing acquisition. In order to help him perform his job functions, IAC gave Citrin a laptop computer "to use to record data that he collected in the course of his work in identifying potential acquisition targets." Id. at 419. Some time after he began working for IAC, Citrin decided to quit and go into business for himself in violation of his employment contract. Before returning his laptop to IAC, Citrin deleted all the data in it - not only the data he collected, but also any and all data that would have revealed to IAC any improper conduct in which he had engaged before he decided to quit. Id. In order to accomplish this task, Citrin did more than simply hit the delete key. He loaded into the laptop a secure-erasure program, "designed, by writing over the deleted files, to prevent their recovery." Id.

Following Citrin's destruction of data on his laptop, and his departure from the company, IAC brought suit against Citrin pursuant to the CFAA. The CFAA, a federal statute, outlaws a variety of illegal acts directed against computers, including the destruction of data. The statute, in addition to providing for criminal penalties, allows anyone who is aggrieved under the statute to bring a civil suit against the alleged perpetrator for monetary damages and injunctive relief. 18 U.S.C. § 1030(g). IAC sued Citrin for a violation of § 1030(a)(5)(A)(i), which provides that whoever "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer" commits a crime. IAC also sued Citrin for a violation of § 1030(a)(5)(A)(ii), which provides that whoever "intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage" commits a crime.

Citrin moved to dismiss IAC's complaint, arguing that the plaintiff had failed to state a cause of action. The district court agreed, and entered an order dismissing IAC's complaint. IAC then appealed to the 7th Circuit Court of Appeals.

In voting to reverse the dismissal of IAC's complaint, the court recognized that the word "transmission", as used in § 1030(a)(5)(A)(i) of the Act, encompasses more than the transmission of a long-distance virus over the Internet. According to the court, Citrin's use of a software erasure program directly connected to the computer constituted a "transmission" under the Act. According to Judge Posner, "Congress was concerned with both types of attack: attacks by virus and worm writers, on the one hand, which come mainly from the outside, and attacks by disgruntled programmers who decide to trash the employer's data system on the way out... on the other." Id. at 420. As long as the destruction of the data is permanent, a violation of the Act occurs, regardless of the exact nature of the deleting transmission. Id.

Judge Posner recognized that there is a second step in the CFAA analysis. In order for there to be a violation of the Act, the perpetrator must also have engaged in "unauthorized access" of the computer in question. According to Judge Posner, IAC satisfied this prong of the analysis since Citrin's "... authorization to access the laptop terminated when, having already engaged in misconduct and decided to quit IAC in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee." Id. By so holding, the 7th Circuit Court of Appeals became the first circuit court to hold that "unauthorized access" is established when an employee accesses a computer for a purpose that is disloyal or adverse to his employer.

What is particularly interesting about this opinion is the fact that the court refused to give credence to the express language in Citrin's employment contract that allowed him to "return or destroy" data on the laptop when he returned it to IAC. According to Judge Posner, it was highly unlikely, "to say the least, that the provision was intended to authorize [Citrin] to destroy data that he knew the company had no duplicate of and would have wanted to have if only to nail Citrin for misconduct... More likely the purpose was simply to remind Citrin that he was not to disseminate confidential data after he left the company's employ - the provision authorizing him to return or destroy data in the laptop was limited to 'Confidential' information." Id. at 421.

International Airport Centers' message to corporations is clear: whenever an employee leaves, to work for a competitor or for other reasons, her computer should be searched not only to determine if she took confidential or proprietary information with her, but also to determine if, as a parting gift, she permanently deleted files that belonged to the company.


Comments

Really it's great experience and we are great recruit hospital executives.

A reply from the Author:

It is fair to assume that deleting only personal information would not subject one to penalties under the Act. The question, however, becomes what is personal information? If it's information that the company could use to file a claim or bring some type of action against the former employee or is evidence of wrongdoing on the part of the former employee, simply labeling the information "personal" and then deleting it would not, in my opinion, protect the employee from the full reach of the Act. I think the better approach would be to indicate to the employer that certain personal information is on the computer (personal addresses, telephone numbers of friends, calendar entries, etc.) and the employee, who will soon be leaving, would like to have that information permanently deleted from the computer for privacy reasons. The employee should then work with the employer to make sure this happens.

Bradley C. Nahrstadt
Williams Montgomery & John Ltd.
20 N. Wacker Drive, Suite 2100
Chicago, IL 60606

I have a quick question ... what if you secure erase your PERSONAL info and kept company info intact. Are you still liable?


DISCLAIMER


  • This journal is published by students of the University of Illinois College of Law. It is not a publication of the University of Illinois, and, therefore, the University of Illinois bears no responsibility for its content. Moreover, this Internet publication is prepared as an informational service only and should not be relied upon as legal advice. Lastly, although every attempt is made to ensure the information is accurate and timely, the information is presented "as is" and without warranties, either expressed or implied.
