Former Employee's Data Deletion on Company Computer Constituted a Violation of Federal Law
The U.S. Court of Appeals for the Seventh Circuit recently addressed how employers can protect themselves against the misuse, deletion and destruction of valuable company information stored on employer-owned computers. In International Airport Centers, LLC v. Citrin, an employer sought to hold its employee liable under the Computer Fraud and Abuse Act ("CFAA"), the federal statute enacted to protect companies from destructive and fraudulent acts to their computers. The Act provides for civil and criminal penalties against an individual who "knowingly causes the transmission of a program, information code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer..."
International Airport Centers ("IAC"), a company engaged in the real estate business, hired Citrin to identify properties for possible purchase by IAC, and loaned Citrin a laptop to record the data that he collected in the course of his work. Citrin decided to leave the company and start his own business. Before returning the computer to his employer, Citrin deleted the proprietary data he had obtained on IAC's behalf. He did not merely press delete; he installed a "secure-erasure program" which wrote over deleted files and prevented data recovery. The employer did not have another source or duplication of the deleted information.
When IAC filed suit against Citrin claiming that his deletion of files violated the CFAA, Citrin contested liability, arguing that act of erasing a file did not qualify as a "transmission". The Seventh Circuit disagreed and found that the act of downloading a secure-erasure program with the intent to damage the computer's files was, in fact, a "transmission" in violation of the Act. The court relied on the statutory language "includ[ing] 'any impairment to the integrity or availability of data, a program, a system, or information'" in reaching this decision, and made a special distinction between the mere deletion of information or removal of index entries and pointers to the data files, and the actual download of a secure-erasure program. Because Citrin's download of the secure-erasure program caused damage through the deletion of important proprietary information, he committed a "transmission" and violated the Act. The court also noted that it would be reluctant to find a "transmission" solely in an act such as pressing the delete or erase button.
This case serves as a reminder that employees who violate the CFAA can be assessed penalties. Employers would be wise to check computers returned from departing employees to determine whether any secure-erasure programs or viruses were downloaded, or whether the employee improperly deleted proprietary data or related information.
Schiff Hardin LLP