Seventh Circuit Finds Departing Employee Liable for the Deletion of Data from Company-Issued Computer under the CFAA
- United States
- 06/09/2006
- Arent Fox PLLC
Jacob Citrin was a managing director of International Airport Centers, L.L.C. (“IAC”), a real estate company. Citrin was responsible for identifying properties that IAC might want to acquire and then assisting with their acquisition. He was issued an IAC laptop to record valuable data about those properties. Citrin resigned from IAC and – in violation of his employment agreement – started a competing business. After he resigned, he deleted data from IAC’s laptop by loading a secure-erasure program that was specifically designed to prevent the recovery of deleted files. IAC brought suit against Citron alleging, among other things that the use of a secure-erasure program to delete files was a direct violation of the CFAA. A federal district court dismissed the suit for failure to state a claim, but the Seventh Circuit reversed, and in a decision written by Judge Richard Posner, reinstated IAC’s suit against Citrin.
Elements of the CFAA Claim against Citrin
Passed in 1984, the CFAA provides criminal and civil penalties for the intentional access to a computer without authorization or the acquisition of information from a computer by exceeding authorized access. 18 U.S.C. §1030. The CFAA is increasingly used when an employee has decided to switch jobs and retains access to the current employer’s computer system after he or she accepts a job at another company. In this situation, both the departing employee and the new employer can be sued under the CFAA if they sought a competitive advantage through the unauthorized use or access of information from the current employer’s systems.
A claim exists under the CFAA when someone “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.” 18 U.S.C. §1030(a)(5)(A)(i). A company-issued laptop constitutes a “protected computer” under the CFAA. Here, IAC’s claim turned on two issues: (1) the definition of the term “transmission”; and (2) whether damage occurred in light of a “return or destroy” policy.
The first issue is complicated by the fact that the statute does not define what constitutes a “transmission.” In dismissing IAC’s claim, the district court adopted a literal interpretation, deciding that a “transmission” required shipment or delivery. The Seventh Circuit disagreed, ruling that any method of electronically transmitting information to a computer qualified as a “transmission, regardless of whether the information was downloaded from a disk or the Internet. In Judge Posner’s opinion, this was not simply the case of someone hitting the “delete” key, where the file would remain on the hard drive and could subsequently be recovered. Rather, the sole intent of a secure-erasure program was to preclude future access to deleted files. Thus, downloading and running a secure-erase program satisfied the CFAA’s “transmission” requirement.
On the second issue, the court determined that the permanent deletion of files is sufficient damage to fall in the CFAA’s definition, which includes any “impairment to the integrity or availability of data, a program, a system or information.” §1030(e)(8). Relying on the Congressional intent to prevent the intentional destruction of computer data, the court held that damage is done when data is permanently deleted from a computer, regardless of the method of destruction.
The Court Ignored the Express Language of an Employment Contract
In addition, the Seventh Circuit disregarded the express language found in Citrin’s employment contract, which authorized him to “return or destroy” data in the laptop when he ceased to be an IAC employee. Relying on an agency theory that was not advanced by either party, the court held that Citrin’s actions could violate the CFAA, despite this contractual language, since his actions were taken without the necessary authorization. Essentially, the court found that Citrin was authorized to access the laptop based only on the agency relationship that existed between him and IAC – a relationship that mandates that an agent owes his principle a duty of loyalty. According to Judge Posner, Citrin breached this duty of loyalty when, “having already engaged in misconduct and [having decided] to quit IAC in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of [IAC].” Thus, Citrin’s authority to access the laptop ended once Citrin breached his duty of loyalty and terminated the agency relationship. Once Citrin was no longer an IAC agent, he could no longer access the laptop or claim any rights under the employment contract (including the right to “return or destroy” data).
Employer Use of the CFAA
The CFAA is increasingly becoming an attractive weapon for employers in disputes with disloyal employees, especially as the use of laptops and PDA’s becomes commonplace. Importantly, the law provides a mechanism for employers to use the federal courts in suits against disgruntled employees. By providing federal question jurisdiction, employers using the CFAA can avoid the narrow construction often given non-compete agreements and unfair competition laws in many state courts. Moreover, employers do not have to show that the information that was accessed wrongfully was a trade secret or that the process of obtaining the information breached a confidential, proprietary, or non-compete agreement.
International Airport Centers underscores the importance of protecting confidential information and serves as a useful reminder for employers to notify their employees of company policies regarding the use of computer equipment, the destruction of company property, and the use of confidential or proprietary information. Consequently, employers concerned with the protection of their confidential information should take steps to ensure that all employees are required to return all company data and other property immediately upon request or the termination of employment.
Michael Stevens
202.857.6382
[email protected]
Marcy L. Karin
