Last month, the 7th U.S. Circuit Court of Appeals, in an opinion written by Judge Richard A. Posner, issued an important decision that provides added vitality to the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030, for companies whose computer data may be destroyed by an insider. International Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006). [NLJ, March 20.] This article will review that opinion and its significance to any company that is serious about protecting its computer data from disgruntled employees or company insiders who leave to compete.

International Airport Centers LLC (IAC), a real estate company, sued its former employee, Jacob Citrin, who resigned to compete against IAC in violation of his employment contract. Citrin’s job had been “to identify properties that IAC might want to acquire, and to assist in any ensuing acquisition.” Id. at 419. IAC provided Citrin with a company laptop computer “to use to record data that he collected in the course of his work in identifying potential acquisition targets.” Id. Prior to returning the laptop computer to IAC after his resignation from IAC, Citrin deleted all of the data contained on the laptop. The data deleted were “not only the data that he had collected [in pursuit of IAC's real estate business] but also data that would have revealed to IAC the improper conduct in which he had engaged before he decided to quit.” Id. This deletion was accomplished with a special erasure software program that made the data unrecoverable from the laptop.

CFAA allows for civil actions over data damage

The CFAA, a federal criminal statute, outlaws a variety of illegal acts directed against computers, including destroying data. The statute also provides that anyone aggrieved by a violation of the statute can bring a civil action against the perpetrator for damages and an injunction. 18 U.S.C. 1030(g).

Based on Citrin’s deletions of data from the laptop, IAC sued Citrin under two provisions of the CFAA outlawing the destruction of data. IAC sued Citrin for a violation of § 1030(a)(5)(A)(i), which provides that whoever “knowingly causes the transmission of a program, information, code or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer” commits a crime. IAC also sued Citrin for a violation of § 1030(a)(5)(A)(ii), which provides that whoever “intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage” commits a crime. The federal district court dismissed IAC’s suit for failure to state proper claims. The 7th Circuit reversed.

Prior to International Airport Centers, the only circuit court decision addressing whether an insider was subject to these two data-destruction CFAA provisions was U.S. v. Middleton, 231 F.3d 1207 (9th Cir. 2000). Middleton affirmed the conviction of a disgruntled information technology employee who destroyed data in his former employer’s computer network. That case did not directly address whether the CFAA applies to insiders as well as hackers, but held that these sections protected computers belonging to business entities as well as individuals.

International Airport Centers, particularly in the civil arena, goes beyond Middleton in clarifying and strengthening the reach of the CFAA to computer data destroyed by insiders.

First, the court interpreted the word “transmission” in § 1030(a)(5)(A)(i) to include not only a long-distance malicious signal sent by a hacker over the Internet, but also a signal sent to a computer by an insider like Citrin who used an erasure software program directly connected to the computer.

Analyzing the technology at issue, Posner found that it was irrelevant whether “the [erasure] program was downloaded from the Internet or copied from a floppy disk (or the equivalent of a floppy disk, such as a CD) inserted into a disk drive that was either inside the computer or attached to it by a wire.” 440 F.3d at 419. As Posner wrote, “[t]he only difference, so far as the mechanics of transmission are concerned, is that the disk is inserted manually before the program on it is transmitted electronically to the computer.” Id. However, Posner emphasized that “[t]he difference vanishes if the disk drive into which the disk is inserted is an external drive, connected to the computer by a wire, just as the computer is connected to the Internet by a telephone cable or a broadband cable or wirelessly.” Id. at 419-20.

Posner distinguished the technical results accomplished by the erasure program from the simple tapping of a computer’s deletion key, which “does not affect the data sought to be deleted; it merely removes the index entry and pointers to the data file so that the file appears no longer to be there, and the space allocated to that file is made available for future write commands.” Id. at 419. Because “[s]uch ‘deleted’ files are easily recoverable,” there is no violation of the CFAA. Id.

Relying on the CFAA’s definition of “damage,” in § 1030(e)(8), to mean “any impairment to the integrity or availability of data, a program, a system or information,” the court concluded that the violation occurs when data are permanently eliminated from the computer. Whether this permanent deletion of data results from a hacker’s use of a virus or an insider’s, like Citrin’s, use of an erasure program is irrelevant, since “Congress was concerned with” the intentional destruction of computer data. Id. at 420.

The only practical difference between the two, as Posner pointed out, was that “[s]uch long-distance attacks can be more difficult to detect and thus to deter or punish than ones that can have been made only by someone with physical access, usually an employee.” Id. “The inside attack, however, while easier to detect may also be easier to accomplish.” Id.

Second, a critical element of most CFAA violations is “unauthorized access” to the computer. International Airport Centers is the first circuit court case to hold that “unauthorized access” is established when an employee accesses the computer for a purpose disloyal and adverse to his or her employer. Posner followed Shurgard Storage Centers Inc. v. Safeguard Self Storage Inc., 119 F. Supp. 2d 1121, 1123, 1125 (W.D. Wash. 2000), which relied on the Restatement of Agency (Second), §§ 112, 387 (1958), to hold that when an employee violates his duty of loyalty, he voids his agency relationship with his employer, thereby terminating his authority to access the employer’s computer, “because the only basis of his authority [to access the computer] had been that [agency] relationship.” 440 F.3d at 421.

‘Shurgard’ rule has been gaining acceptance

The 3d Circuit recently cited Shurgard in dicta in recognition of the trend that the CFAA is increasingly being used by employers to sue former employees who steal their employer’s data to use against their employers in competition. P.C. Yonkers Inc. v. Celebrations the Party and Seasonal Superstore LLC, 428 F.3d 504, 510 (3d Cir. 2005). Other district courts have followed the Shurgard rule. See, e.g., Charles Schwab & Co. v. Carter, 2005 WL 351929, at 3 (N.D. Ill. 2005). International Airport Centers, however, is the first circuit opinion to adopt the Shurgard rule that authorization under the CFAA is premised on the law of agency.

In finding that Citrin was not authorized to access IAC’s laptop, the court held that his authorization terminated when he “resolved to destroy files that incriminated himself and other files that were also the property of his employer,” thereby breaching his duty of loyalty to IAC. 440 F.3d at 420. Citrin’s breach of loyalty was premised on his destruction not only of the data that identified prospective real estate IAC might want to buy, but also the files that “incriminated” him in “improper conduct in which he had engaged before he decided to quit.” Id. at 419, 420.

Court overruled language in employment contract

The breadth of this finding of lack of authorization is underscored by the court’s refusal to credit the express language in Citrin’s employment contract permitting “him to ‘return or destroy’ data in the laptop when he ceased being employed by IAC.” Posner held that “it is unlikely, to say the least, that the provision was intended to authorize him to destroy data that he knew the company had no duplicates of and would have wanted to have - if only to nail Citrin for misconduct.” Id. at 421. Posner speculated that “[t]he purpose of the provision may have been to avoid overloading the company with returned data of no further value, which the employee should simply have deleted,” and that “[m]ore likely the purpose was to remind Citrin that he was not to disseminate confidential data after he left the company’s employ” since “the provision authorizing him to return or destroy data in the laptop was limited to ‘Confidential’ information,” leaving open the “dispute over whether the incriminating files that Citrin destroyed contained ‘confidential’ data.” Id.

International Airport Centers’ message for companies concerned about protecting their computer data is clear: Whenever employees leave to compete, their computers should be searched not only to determine if they took data from the computers but also to determine whether they permanently deleted files.

Also, while Posner readily dismissed Citrin’s claim that he had been authorized to destroy the data based on his employment agreement permitting such destruction, the best practice is to mandate in all agreements and company policies that data be returned immediately upon termination of employment.

Nick Akerman is a partner in the New York office of Dorsey & Whitney who specializes in the protection of trade secrets and computer data.