United States: "Novel Decision": Destroying Data on Employer’s Laptop Violates Federal Law

The federal Computer Fraud and Abuse Act (CAFA), the "anti-hacker" law, prohibits the unauthorized transmission of a program, information, code, or command intended to impair the integrity or availability of data on a computer. An important recent decision applies the law in a novel context: the case of an employee who, upon his departure from the company, destroyed company data. The decision provides employers with a newly recognized remedy under federal law and in federal court. International Airport Centers LLC v. Citrin, No. 05-1522 (U.S. Court of Appeals for the 7th Circuit, March 8, 2006; opinion by Judge Posner).

The employer in the case was engaged in the real estate business. The employee’s job was to identify properties the employer might want to acquire, and he stored the relevant data on the company-owned laptop that he used. The employee quit to go into business for himself. Before returning the laptop to the employer, he deleted the data with the use of a secure-erasure program designed to prevent its recovery.

The employer sued for damages under CAFA. The primary issue was whether there was a "transmission" within the meaning of that law. The Seventh Circuit Court of Appeals held that there was: while merely pressing the "delete" key did not constitute a "transmission," the use of the secure-erasure program did—whether downloaded from the Internet or inserted via diskette or CD-ROM, the program was transmitted to the computer electronically with intent to cause damage.

A secondary issue in the case was whether the employee’s conduct was authorized. The employee relied on language in his employment contract that allowed him to "return or destroy" data in the laptop when he ceased being employed. Not surprisingly, the court noted that this provision was not intended to permit the destruction of data that the employee knew the company needed. The provision could not immunize conduct that violated the employee’s duty of loyalty.

Faced with electronic tampering by employees or ex-employees acting out of spite or self-interest, employers should consider whether CAFA provides them with an additional remedy. The decision is also a reminder that employers should review and update their policies and procedures regarding the use of company-owned computer resources and equipment, including data security, preservation, access, and authorization.