• Seventh Circuit Recognizes Computer Hacking Liability for Employees Who Erase Employers' Computer Files without Authorization
  • April 24, 2006 | Author: Craig S. Rutenberg
  • Law Firm: Manatt, Phelps & Phillips, LLP - Los Angeles Office
  • Recently, the U.S. Court of Appeals for the Seventh Circuit, in International Airport Ctrs., LLC v. Citrin, held that an employee may be held liable for violating the Computer Fraud and Abuse Act (the "CFAA") by using a special computer program to delete files from a laptop computer belonging to the employer.

    In this case, the employer, International Airport Centers, LLC ("IAC"), loaned defendant Jacob Citrin ("Citrin"), the managing director of IAC, a laptop for use during his employment. Citrin decided to quit his job and go into business for himself. Before returning the laptop to IAC, Citrin deleted all of the files and other data from the computer's hard drive, including data that apparently would have revealed improper conduct in which he had engaged before he decided to quit. Citrin also loaded a "secure eraser" program onto the computer to overwrite the deleted files. (Pressing the "delete" key on a computer to erase a file merely removes the index entry and pointers to the file, but does not affect the underlying data. A secure eraser program overwrites the deleted files, preventing their recovery.)

    IAC sued Citrin alleging, among other things, a claim for violation of the CFAA. The CFAA is the main federal computer hacking statute. To state a claim under the CFAA, a plaintiff must allege a knowing "transmission" of a "program, information, code, or command" to a "protected computer" which causes damage. The federal trial court in Chicago, IL initially dismissed IAC's CFAA claim on the grounds that the installation of a program which is designed simply to delete files from an individual computer does not constitute a "transmission" under the CFAA.

    The Seventh Circuit reversed and remanded the case to the trial court for further proceedings, holding that Citrin's installation of the secure eraser program on the computer constituted a "transmission" in violation of the CFAA. The Seventh Circuit explained that Citrin's conduct was "without authorization" within the meaning of the CFAA because Citrin's implementation of the destruction of IAC files after he decided to quit violated his duty of loyalty to his employer, IAC.

    This controversial decision expands the scope of the CFAA in Illinois, Indiana and Wisconsin (the states making up the Seventh Circuit) in a manner that gives employers additional leverage to combat the unauthorized use of company-owned computers by employees.