Deleting data violates law
By David Ziemer
Wisconsin Law Journal
March 15, 2006
What the court held
Case: International Airport Centers, L.L.C., v. Citrin, No. 05-1522.
Issue: Does an employee violate the Computer Fraud and Abuse Act by erasing all the data from a laptop loaned to him by his employer?
Holding: Yes. Using a secure-erasure program is a "transmission" that damages the computer, and is thus within the ambit of the Act.
The Computer Fraud and Abuse Act's (CFAA) prohibition on transmitting a program,
in order to damage a computer, includes erasing all the data from a laptop.
The Seventh Circuit's Mar. 8 opinion also held it doesn't matter whether
the perpetrator has physical access to the computer or damages it from a remote
location.
According to the complaint, Jacob Citrin was employed by International Airport Centers,
L.L.C. (IAC), a real estate company, to identify properties that IAC might want
to acquire, and to assist in any ensuing acquisition. IAC lent Citrin a laptop
for his use.
Citrin decided to quit IAC and go into business for himself, in breach of his employment
contract. Before returning the laptop, however, he deleted all the data in it,
including data that purportedly would have revealed improper conduct on his part
to IAC.
Citrin did not merely delete the files with the delete key, but loaded a
secure-erasure program into the computer that writes over the deleted files, and
prevents their recovery. IAC had no other copies of the files that Citrin erased.
IAC brought suit in Illinois federal court, alleging a number of claims, including
claims pursuant to the CFAA, which provides that whoever "knowingly causes
the transmission of a program, information, code, or command, and as a result
of such conduct, intentionally causes damage without authorization, to a protected
computer," violates the Act. 18 U.S.C. 1030(a)(5)(A)(i).
The district court dismissed the complaint, and IAC appealed. The Seventh Circuit
reversed, in a decision by Judge Richard A. Posner.
The court agreed with Citrin that it might be stretching the statute too far
to consider any deletion to be a transmission, merely because the
actor transmits a command to the computer. However, the court found that Citrin's
conduct went beyond that.
The court also acknowledged that it did not know whether the erasure program was downloaded
from the Internet or copied from a floppy disk or CD.
However, the court found the distinction irrelevant, reasoning, "In either the Internet
download or the disk insertion, a program intended to cause damage
is transmitted to the computer electronically."
Another distinction the court acknowledged is that transmission via disk requires physical
access, while transmission via the Internet does not.
The court noted that the latter long-distance attacks could be more difficult to detect,
and thus, to deter and punish. On the other hand, an inside attack, while easier
to detect, is easier to accomplish.
Again, the court found the distinction irrelevant: "Congress was concerned with
both types of attack: attacks by virus and worm writers, on the one hand, which
come mainly from the outside, and attacks by disgruntled programmers who decide
to trash the employer's data system on the way out."
The court thus concluded, "If the statute is to reach the disgruntled programmer,
which Congress intended, it can't make any difference that the destructive
program comes on a physical medium, such as a floppy disk or CD."
The court added that Citrin also violated sec. 1030(a)(5)(A)(ii), which makes it a violation
to "intentionally access[] a protected computer without authorization, and
as a result of such conduct, recklessly cause[] damage."
The court found, "his authorization to access the laptop terminated when, having
already engaged in misconduct and decided to quit IAC in violation of his employment
contract, he resolved to destroy files that incriminated himself and other files
that were also the property of his employer, in violation of the duty of loyalty
that agency law imposes on an employee" (cites omitted).
Noting a difference in terminology within the CFAA ("without authorization"
in the subsections Citrin was alleged to have violated, and "exceeding authorized
access" in other subsections), the court called the distinction "paper
thin, but not quite invisible."
Finding Citrin's actions to fall within the "without authorization" category,
the court concluded, "Citrin's breach of his duty of loyalty terminated
his agency relationship and with it his authority to access the laptop,
because the only basis of his authority had been that relationship" (cites omitted).
Accordingly, the court reversed, with instructions to reinstate the suit.
David Ziemer can be reached by email.