Legal Alert: Employers May Have a Remedy Under Federal Law Against Ex-Employees who Commit Computer Sabotage

Date   Mar 28, 2006
The Seventh U.S. Circuit Court of Appeals has held that an employer can pursue its claims under the Computer Fraud and Abuse Act (CFAA) against an employee who permanently deleted files on an employer-provided computer before he quit to start his own competing business.
The Seventh U.S. Circuit Court of Appeals has held that an employer can pursue its claims under the Computer Fraud and Abuse Act (CFAA) against an employee who permanently deleted files on an employer-provided computer before he quit to start his own competing business.  See International Airport Centers, L.L.C. v. Citrin (7th Cir. March 8, 2006).   The Seventh Circuit reversed a lower court's dismissal of the employer's claim against the employee and remanded the case for trial.  
In this case, the defendant, Citrin, was employed by International Airport Centers (IAC) to identify real estate IAC might want to acquire.  Citrin quit, allegedly in violation of his employment contract, to start his own competing business.  IAC had provided him with a laptop to record the data he collected during the course of his employment.  When Citrin quit, he deleted all the data on the computer - the real estate data he had collected and data that would have revealed to IAC improper conduct in which he had engaged before he quit.  Additionally, he used a secure-erasure program to write over the deleted files, which meant they could not be recovered. 
IAC sued him under the CFAA, which provides that whoever knowingly causes the transmission of a program (or information, code or command) and, as a result of such conduct, intentionally causes damage without authorization, to a protected computer violates the Act.  The Seventh Circuit held that the secure-erasure program was transmitted to the computer, for the purposes of the CFAA, regardless of whether it was transmitted over the Internet in the form of a virus or through a disk inserted in the computer's disk drive.  The court pointed out that Congress was concerned with preventing computer attacks that come from outside a company, such as through a virus, and those that come from inside the company, such as through a disgruntled employee with physical access to the employer's data system.
The court also held that Citrin's resignation, in violation of his employment agreement, terminated any authorization he had to access the laptop.  
Additionally, the court rejected Citrin's argument that his actions were permitted under a provision of his employment agreement that authorized him to return or destroy data on the laptop when his employment ended.  The court held that this provision was not intended to authorize him to destroy data that he knew the company did not have and would want, such as documentation of his misconduct before he quit.


Employers' Bottom Line:

The court's extension of the CFAA to the employment context means that employers who find themselves faced with acts of computer sabotage from disgruntled former employees may now have another weapon to use against such employees.   Additionally, some courts have permitted claims under the CFAA for misappropriation of trade secrets.  The CFAA permits prevailing employers to recover compensatory damages and obtain injunctive relief.  Additionally, the CFAA provides for criminal sanctions, including penalties and/or a prison sentence of up to ten years.  The recovery against those found to have violated the CFAA may be significant and can include cost of conducting a loss estimation, restoring the system to the condition it was in before the illegal act, and any lost revenue.  Thus, the potential of being held liable for a violation of the Act may deter many potential saboteurs.  
If you have any questions regarding the issues raised in this article, or any other labor or employment related questions, please contact the Ford & Harrison attorney with whom you usually work.