US Court Finds Employee Erasing Computer Files Violates Federal Anti-Hacker Law

In a recent case, the US Court of Appeals for the 7th Circuit applied a federal anti-hacker law, the Computer Fraud and Abuse Act (CFAA), to an employee's use of trace remover tools to delete data from a laptop provided to him by his employer, a real estate business, International Airport Centers LLC (IAC). Jacob Citrin (Citrin) was a managing director at IAC and his job was to identify properties that IAC might want to acquire and to assist in any later acquisition of them. As part of his employment, IAC provided Citrin with a laptop to use to record data that he collected in identifying potential acquisitions. When Citrin decided to quit IAC to go into business for himself, he deleted all data that he had collected from the laptop before returning it to IAC. It was also alleged that Citrin deleted data that would have revealed improper conduct on his part before he decided to leave IAC. Instead of merely deleting files with the "delete" function on the computer (which would have left the files recoverable), Citrin used a secure-erasure program designed to prevent recovery by writing over the deleted files. IAC did not have copies of the files that Citrin deleted. In its suit against Citrin in the US District Court, IAC relied on a provision of the CFAA which provides that whoever "knowingly causes the transmission of a program, information, code or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer" violates the CFAA (18 USC § 1030(a)(5)(A)(i)). The District Court dismissed the suit. On appeal, a three-judge panel of the Appeals Court reversed the decision and held that Citrin had violated this provision of the CFAA. Writing for the Appeals Court, Judge Richard Posner held that in enacting this legislation, Congress was concerned with both attacks by external threats, such as virus and worm writers, and also with internal attacks from disgruntled employees. The Appeals Court also held that Citrin violated 18 USC § 1030(a)(5)(A)(ii), which provides that whoever "intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage" violates the CFAA. For a copy the decision (International Airport Centers LLC et al v Jacob Citrin, No. 05-1522), visit: http://www.ca7.uscourts.gov/fdocs/docs.fwx?caseno=05-1522&submit=showdkt&yr=05&num=1522 For news coverage, visit these sites: http://www.techlawjournal.com/topstories/2006/20060308b.asp http://www.law.com/jsp/article.jsp?id=1143207012194; and http://www.wislawjournal.com/archive/2006/0315/data.html Summary by: Nick Wong