Police blotter: Ex-employee sued for deleting files

Florida judge rules that permanently deleting files on a company-owned computer violates federal hacking law.

Declan McCullagh Former Senior Writer
Police blotter is a weekly News.com report on the intersection of technology and the law.

What: Pharmaceutical supplier sued former employee, claiming use of a secure file deletion utility violated federal hacking laws.

When: U.S. District Judge Richard Lazzara ruled on March 21.

Outcome: Temporary restraining order granted against ex-employee until court hearing on March 30.

What happened, according to court documents: Until recently, Scott Arledge was a senior vice president at PharMerica in Tampa, Fla., where he was responsible for more than 2,500 employees and oversaw much of the company's day-to-day operations.

On March 9, 2007, Arledge resigned to take a job as a vice president with Omnicare, PharMerica's primary competitor. Both companies are in the business of supplying equipment and supplies to long-term care facilities such as nursing homes and hospitals.

According to PharMerica's version of events, its former employee permanently deleted more than 475 files from his work computer two days before his resignation. That's based on a forensic examination of Arledge's company-issued Windows laptop by E-Hounds, a Florida data recovery firm.

In most operating systems, "deleting" a file removes only the references to it in the directory structure; the file's contents can remain on the hard drive until they're eventually overwritten. Utilities like PGP, open-source programs such as Wipe, and a built-in feature in Apple's OS X called Secure Empty Trash can ensure the data has truly vanished.

PharMerica sued. Its complaint claims that Arledge violated the Computer Fraud and Abuse Act, a federal computer crime law, by deleting the files.

The CFAA says whoever "knowingly causes damage without authorization" to a networked computer can face civil and criminal liability. (It was intended to be used to prosecute computer hackers, but Congress did a sloppy job in drafting it.)

This isn't even the first time that the CFAA has been invoked against file-deleting employees. As Police Blotter was the first to report last year, the CFAA was successfully used in a 7th Circuit case against an employee who turned in his work laptop after using a "secure delete" utility.

In the PharMerica v. Arledge case, U.S. District Judge Richard Lazzara granted PharMerica's request for a temporary restraining order against its former employee and required it to post a $10,000 bond. Lazzara reasoned that "Arledge's actions have likely caused damage to PharMerica's electronic information and computer systems." The injunction remains in place until a hearing on March 30.

The case does have some twists. PharMerica claims that Arledge took confidential information with him by saving it to a USB drive and by e-mailing it to his personal AOL account, an allegation that likely swayed the judge to view deleting files as part of the same unlawful act. It's also only a preliminary ruling, meaning that Arledge's attorney will have a chance at the hearing to rebut the allegations against his client. Finally, PharMerica does not seem to be claiming that Arledge deprived the company of the only copy of the data; instead it's arguing the deletions were intended to "cover his tracks."

Although this case and the 7th Circuit's ruling last year deal with managers, the same logic applies to any employee who secure-deletes personal files from a work computer. A blog post from Bradley Nahrstadt, an Illinois attorney, says that "simply labeling the information 'personal' and then deleting it would not, in my opinion, protect the employee from the full reach" of the CFAA.

A better solution would probably be to save all personal files to a USB stick or portable hard drive that is not owned by your employer. Even better, use Web-based services for e-mail or bring your own laptop to work.

Excerpts from Lazzara's opinion: Shortly thereafter, PharMerica began examining its computers, including the laptop computer that Arledge used in his Tampa office. Stephen J. Myers, director of Windows and Communications Services at PharMerica, was directed to review Arledge's laptop computer. While reviewing the laptop, he determined that there were several thousand e-mails on the laptop but that the hard drive "C" drive was virtually empty. PharMerica also employed a forensic computer expert, Adam Sharp at E-Hounds, to examine the PharMerica computer that Arledge had been using at his Tampa office...

Arledge then permanently deleted, without authorization, over 475 files. Arledge also permanently deleted, without authorization, e-mails and other files to "cover his tracks" and deprive PharMerica of the benefit of the information contained in those files...

Arledge accessed PharMerica computers and permanently deleted files that he was not authorized to permanently delete. Arledge's actions damaged PharMerica in that they destroyed information and electronic data belonging to PharMerica, impaired PharMerica's access to its data, and caused PharMerica to incur substantial expenses to attempt to recover its information and electronic data. All of these actions tend to show a likelihood of success on PharMerica's claim brought under (the Computer Fraud and Abuse Act)...

Arledge's actions have likely caused damage to PharMerica's electronic information and computer systems in a loss exceeding $5,000. Such loss would include, but would not be limited to, expenses incurred to (a) examine the laptop computer that had been assigned to Arledge, (b) determine what files had been copied and deleted, and (c) attempt to restore information and electronic data Arledge destroyed or deleted.

For these reasons, not unlike similar cases where employers have pursued civil remedies under the CFAA against employers who "seek a competitive edge through wrongful use of information from the former employer's computer system," PharMerica would likely succeed in winning on the merits of this claim.