What the court held
Case: International Airport Centers, L.L.C., v. Citrin, No. 05-1522.
Issue: Does an employee violate the Computer Fraud and Abuse Act by erasing all the data from a laptop loaned to him by his employer?
Holding: Yes. Using a secure-erasure program is a "transmission" that damages the computer, and is thus, within the ambit of the Act.
The Computer Fraud and Abuse Acts (CFAA) prohibition on transmitting a program, in order to damage a computer, includes erasing all the data from a laptop.
The Seventh Circuits Mar. 8 opinion also held it doesnt matter whether the perpetrator has physical access to the computer or damages it from a remote location.
According to the complaint, Jacob Citrin was employed by International Airport Centers, L.L.C. (IAC), a real estate company, to identify properties that IAC might want to acquire, and to assist in any ensuing acquisition. IAC lent Citrin a laptop for his use.
Citrin decided to quit IAC and go into business for himself, in breach of his employment contract. Before returning the laptop, however, he deleted all the data in it, including data that purportedly would have revealed improper conduct on his part to IAC.
Citrin did not merely delete the files with the delete key, but loaded a secure-erasure program into the computer that writes over the deleted files, and prevents their recovery. IAC had no other copies of the files that Citrin erased.
IAC brought suit in Illinois federal court, alleging a number of claims, including claims pursuant to the CFAA, which provides that whoever knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer, violates the Act. 18 U.S.C. 1030(a)(5)(A)(i).
The district court dismissed the complaint, and IAC appealed. The Seventh Circuit reversed, in a decision by Judge Richard A. Posner.
The court agreed with Citrin that it might be stretching the statute too far to consider any deletion to be a transmission, merely because the actor transmits a command to the computer. However, the court found that Citrins conduct went beyond that.
The court also acknowledged that it did not know whether the erasure program was downloaded from the Internet or copied from a floppy disk or CD.
However, the court found the distinction irrelevant, reasoning, In either the Internet download or the disk insertion, a program intended to cause damage is transmitted to the computer electronically.
Another distinction the court acknowledged is that transmission via disk requires physical access, while transmission via the Internet does not.
The court noted that the latter long-distance attacks could be more difficult to detect, and thus, to deter and punish. On the other hand, an inside attack, while easier to detect, is easier to accomplish.
Again, the court found the distinction irrelevant: Congress was concerned with both types of attack: attacks by virus and worm writers, on the one hand, which come mainly from the outside, and attacks by disgruntled programmers who decide to trash the employers data system on the way out.
The court thus concluded, If the statute is to reach the disgruntled programmer, which Congress intended , it cant make any difference that the destructive program comes on a physical medium, such as a floppy disk or CD.
The court added that Citrin also violated sec. 1030(a)(5)(A)(ii), which makes it a violation to intentionally access a protected computer without authorization, and as a result of such conduct, recklessly cause damage.
The court found, his authorization to access the laptop terminated when, having already engaged in misconduct and decided to quit IAC in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee (cites omitted).
Noting a difference in terminology within the CFAA without authorization in the subsections Citrin was alleged to have violated; and exceeding authorized access in other subsections the court called the distinction paper thin, but not quite invisible.
Finding Citrins actions to fall within the without authorization category, the court concluded, Citrins breach
of his duty of loyalty terminated his agency relationship and with it his authority to access the laptop, because the only basis of his authority had been that relationship (cites omitted).
Accordingly, the court reversed, with instructions to reinstate the suit.
Click here for Case Analysis.
David Ziemer can be reached by email.