Tech Industry

Word to the wise if you quit in a huff

Eric J. Sinrod explains how a computer crime law will affect departing and disloyal employees.

One of employers' biggest fears is that departing and disloyal employees will take advantage of access to company computer systems after announcing their resignations. To deal with this problem, employers now are resorting to relief under the Computer Fraud and Abuse Act (CFAA), which originally was a criminal statute designed to combat unauthorized access to government computers. Over time, the CFAA has been amended to allow for civil liability and to provide for remedies such as monetary damages and injunctive relief.

The recent case of International Airport Centers v. Citrin, decided by the United States Court of Appeals for the Seventh Circuit, is an interesting example of how employers are using the CFAA to take the legal offensive. The defendant, a man named Jacob Citrin, was employed by the plaintiffs--a collection of affiliated companies engaged in the real estate business--to identify potential acquisition properties. The companies loaned a laptop to Citrin to record data that he collected during the course of his work.

Citrin ultimately decided to quit and go into business for himself, apparently in breach of his employment contract, according to IAC. Before returning the laptop to the companies, Citrin deleted all of the data he had collected--but he also deleted data that would have revealed improper conduct before deciding to quit, IAC claimed. He caused this deletion using a secure-erasure program making it impossible to recover the deleted information, it asserted.

The Citrin case very well could be one of many soon to be launched by employers under the CFAA. The statute provides many advantages to employers.

IAC brought suit against Citrin, relying on the provision of the CFAA which provides that whoever "knowingly causes the transmission of a program, information, code or command, and as a result of such conduct, intentionally causes damage without authorization to a protected computer," violates the statute, making the remedies of the CFAA available.

Citrin argued in his defense that merely erasing a file from a computer is not a "transmission" under the CFAA. While pressing a delete or erase key does transmit a command, Citrin asserted that it would be stretching the statute too far to consider simple typing on a computer keyboard to be a form of transmission just because it transmits a command to the computer.

The appellate court disagreed. It noted that more was involved than the transmission of the secure-erasure program to the computer. Under the CFAA, the court said, a program intended to cause damage to computer files includes "any impairment to the integrity or availability of data, a program, a system, or information" transmitted electronically to a computer.

The court determined that Congress intended the CFAA to address not only attacks from the outside, but also "attacks by disgruntled programmers who decide to trash the employer's data system on the way out." In this case, the court held that Citrin's authorization to access the laptop terminated when he decided to quit IAC in violation of his employment contract and destroyed incriminating files that were the property of the companies.

The Citrin case very well could be one of many soon to be launched by employers under the CFAA. The statute provides many advantages to employers.

First, cases under the CFAA can be brought in federal court, and employers can avoid restrictive noncompete and unfair competition laws. Second, employers can bring actions under the CFAA without having to prove that the information at issue constituted trade secrets or is confidential and proprietary. The CFAA does require damages of more than $5,000 in any one-year period caused by a violation for a lawsuit to be brought; however, damage assessments, security updates and restoration and replacement costs can be included to reach this amount.