An employee who deleted all the data on a company computer and installed a secure-erasure program to guarantee deleted files could not be found after he left the company can be held liable for a violation of the Computer Fraud and Abuse Act, the U.S. Court of Appeals for the Seventh Circuit ruled March 8 (Int'l Airport Centers v. Citrin, 7th Cir., No. 05-1522, 3/8/06).

Reviving corporate real estate company International Airport Centers' case against its former managing director, Jacob Citrin, under the CFAA and various state law torts and contract claims, the Seventh Circuit said that Citrin violated the CFAA by deleting files after he breached his employment contract with the Highland Park, Ill., company, because the "transmission" of the secure-erasure program made recovering files impossible.

The Seventh Circuit was interpreting the CFAA, an anti-hacking law, which states that whoever "causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer [a defined term that includes the laptop that Citrin used]," violates 18 U.S.C. § 1030(a)(5)(A)(i).

Citrin argued that there was no "transmission" because all he did was hit the "delete" button, but the Seventh Circuit found the loading of the secure-erasure program satisfied the "transmission" requirement and fulfilled congressional intent to go after both computer viruses and disgruntled, internal programmers. The court also rejected the contention that only Internet-based "transmissions" were covered by the law.

"If the statute is to reach the disgruntled programmer, which Congress intended by providing that whoever 'intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage' violates the Act … it can't make any difference that the destructive program comes on a physical medium, such as a floppy disk or CD," Judge Richard A. Posner wrote for the court.

Installed Secure-Erasure Program.

Citrin worked for IAC as a managing director. He was responsible for identifying properties that IAC might want to acquire and assisting in acquisitions. IAC gave Citrin a laptop to use to record data that he collected in the course of his work in identifying potential acquisition targets.

After deciding to quit IAC and go into business for himself--in breach of his employment contract--Citrin deleted all the data in the laptop computer. That data included not only the data that he had collected as part of his job but also data that could have revealed to IAC improper conduct in which he had engaged before he decided to quit.

Beyond performing a basic delete which would have removed the files but made them easily recoverable, Citrin took the additional step of loading a secure-erasure program which writes over the deleted files and prevents their recovery. IAC had no copies of the files that Citrin erased.

IAC sued Citrin under the CFAA, as well as for breach of contract, breach of fiduciary duty, trade secrets, and other claims. The U.S. District Court for the Northern District of Illinois rejected the claims.

Breach Means No Authorized Access.

In reversing the trial court, the Seventh Circuit said that in addition to Citrin's improper transmission, he also was not "authorized" to delete files even though his employment contract specifically said deletions were permitted. The Seventh Circuit concluded that by breaching his contract, he also gave up his right to delete files based on the wording of the now-breached contract.

"[H]is authorization to access the laptop terminated when, having already engaged in misconduct and decided to quit IAC in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee," Posner said, referring to the "without authorization" language in 18 U.S.C. § 1030(a)(5)(A)(ii).

The court explained that the authorizing issue is important because CFAA differentiates between "without authorization" and "exceeding authorized access" and has differing levels of punishment related to the offense. "The difference between 'without authorization' and 'exceeding authorized access' is paper thin, but not quite invisible," Posner explained. The court added, however, that Citrin's breach of his duty of loyalty terminated his agency relationship and his authority to access the laptop. Given he had no authority, the former provision applied.

On the question of the employment contract permitting Citrin to "return or destroy" data in the laptop when he "ceased" employment, the Seventh Circuit again relied on the contract and duty of loyalty breach to finding the argument unpersuasive.

"[I]t is unlikely, to say the least, that the provision was intended to authorize him to destroy data that he knew the company had no duplicates of and would have wanted to have--if only to nail Citrin for misconduct," Posner explained.

The Seventh Circuit added that there may be a dispute over whether the incriminating files Citrin destroyed contained "confidential" data, but that issue should be left up to the trial court.

Judges Ann Claire Williams and Diane S. Sykes joined in the decision.

Don H. Reuben of Kane, Carbonara & Mendoza in Chicago represented IAC. Ronald L. Marmer of Jenner & Block in Chicago represented Citrin.

By Michael R. Triplett