“Transmission” Under CFAA (Computer Fraud and Abuse Act) Includes Deleting Files From Company Laptop Computer To Hide Improper Conduct
On March 8, 2006, the Seventh Circuit Court of Appeals considered whether an employer could pursue an action under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, against a former employee for securely erasing files from a company laptop computer before quitting and going into competition with his former employer. International Airport Centers, L.L.C. v. Citrin, 440 F.3d 418 (7th Cir. 2006). The provision at issue states that one violates CFAA if one “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer,” which includes company laptop computers. 18 U.S.C. § 1030(a)(5)(A)(i); Citrin, at 419. In his defense, the employee argued that his action of simply deleting computer files did not fall within the class of acts that would constitute a “transmission” within the meaning of CFAA. The district court agreed and dismissed the employer’s lawsuit. Id., at 418-19.
The Seventh Circuit reversed, explaining the issue at page 419 as follows:
[The employee] decided to quit . . . and go into business for himself, in breach of his employment contract. Before returning the laptop . . ., he deleted all the data in it – not only the data he had collected but also data that would have revealed to [the employer] improper conduct in which he had engaged before he decided to quit. Ordinarily, pressing the “delete” key on a computer (or using a mouse click to delete) does not affect the data sought to be deleted; it merely removes the index entry and pointers to the data file so that the file appears no longer to be there, and the space allocated to that file is made available for future write commands. Such “deleted” files are easily recoverable. But [the employee] loaded into the laptop a secure-erasure program, designed, by writing over the deleted files, to prevent their recovery.
Citrin held that loading the secure-erasure software – whether by disk over via the Internet – constituted a transmission within the meaning of CFAA. The Court’s reasoning is unassailable:
If the statute is to reach the disgruntled programmer, which Congress intended by proving that whoever “intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage” violates the Act, [citation], it can’t make any difference that the destructive program comes on a physical medium, such as a floppy disk or CD.
Citrin, at 420. The Court explained at page 420 that the employee had violated that provision of CFAA as well:
For [the employee’s] authorization to access the laptop terminated when, having already engaged in misconduct and decided to quite [the company] in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee. [Citations.]