
Employers Take Advantage of Computer Fraud Law

As a managing director of acquisitions for International Airport Centers (IAC), an Illinois-based company that locates warehouse space for shipping companies near airports, Jacob Citrin's job was to scout new properties and acquire them for his company. To facilitate this, IAC gave Citrin a laptop to record information about potential acquisitions.

Unbeknownst to IAC, Citrin began concocting plans to take some of the knowledge he gained while working for IAC and start his own business. He soon quit IAC and turned over his laptop.

Company officials noticed files relating to Citrin's acquisitions were missing. Not even a thorough scan of the hard drive could turn up the documents.

Citrin had used a special piece of software that enabled a secure delete to render the information unrecoverable.

Suspicious that Citrin was misappropriating IAC's proprietary information in his new venture, IAC filed suit against him in 2003 alleging a breach of contract. Yet because Citrin scrubbed his hard drive, proving a breach of contract was nearly impossible. So IAC got creative. It decided to also sue Citrin under the federal Computer Fraud and Abuse Act (CFAA), alleging that his secure deletion constituted a violation of the law, which provides civil and criminal penalties. Congress enacted the CFAA in 1984 to reduce hacking of government computers. Over the past two decades, Congress has amended the statute to expand its application.

After the District Court rejected the claim, the 7th Circuit reinstituted the CFAA cause of action on March 8 and remanded the case.

This decision has established a new precedent, one that empowers employers with a new weapon to wield against departing employees who steal proprietary information and erase the evidence.

"This decision has further broadened the CFAA and gives an independent cause of action that allows the employer to go after former employees just by virtue that they have used a computer program to completely erase files," says Norma Zeitler, a partner at Barnes & Thornburg in Chicago.

Broadening Statute

The 7th Circuit's decision further broadens a statute that, over the past two decades, has become increasingly far-reaching.

"When the CFAA was first written back in the 1980s, it was intended to be a national security statute, making it a federal crime for someone to hack into a federal computer and do something bad," says Brent Caslin, a partner at Kirkland & Ellis in Los Angeles. "It has been amended several times over the years and slowly went from being a statute that criminalized hacking into government computers to applying to anything."

At issue in IAC v. Citrin were two provisions of the CFAA. The first was a question of authorization. Under the CFAA, a violation must consist of someone intentionally accessing a protected computer without authorization. Because Citrin was an employee and the company willingly granted him access to the computer, IAC's counsel had to find a way to convince the court that Citrin's computer use was unauthorized.

"The minute the employee starts acting on his own and doing his business rather than the employer's, he has no right of access as defined by the statute because he is now adverse to his employer," says Don Reuben, who represented IAC and is of counsel at Kane & Carbonara. "That's how the judge dealt with the issue."

Defining Transmission

The other issue was that of transmission. Prior to this case, courts typically viewed "transmission" under the CFAA to apply to damage rendered via the Internet, such as viruses and worms. Yet it was likely that Citrin used a piece of software, not the Internet, to accomplish the secure delete. In response to this possibility, the 7th Circuit clarified the definition of transmission, and in doing so expanded its applicability.

"In this case it actually includes somebody who loads a program onto a computer, either through an external drive, an internal drive or the Internet," says Michael Wexler, a partner at Seyfarth Shaw.

By expanding the definition of transmission and clarifying authorization, the 7th Circuit broadened the scope of the CFAA. Now employers in the 7th Circuit that want to collect damages against an employee who engaged in misconduct have a new weapon of recourse if the employee deleted the evidence of his or her wrongdoing.

"When an employee or former employee does something like delete all of his or her files, essentially the employee has taken away all the evidence that the employer had to prove any misconduct before the employee left," Zeitler says. "Now this Act allows employers to file civil action and collect compensatory, injunctive and equitable relief."

However, the ruling doesn't apply in all situations where an employee deletes files from a company computer. Whereas deleting company information may constitute a violation of the CFAA, the deletion of an employee's personal information may not.

"If someone is leaving an organization, it is one thing to pull off your personal files, like your résumé or the March Madness office pool," Wexler says. "But when someone takes a software program and runs it to deliberately destroy information, you have to wonder why someone is doing that."

Although deletion of employees' personal files isn't barred under CFAA, it is likely that the statute will continue to broaden in scope.

"This case further refines exactly how you define destruction, authorization and transmission," Wexler says.

Technology Editor

Keith Ecker
