Deleting data violates law

Listen to this article

The Computer Fraud and Abuse Act’s (CFAA) prohibition on transmitting a program, in order to damage a computer, includes erasing all the data from a laptop.

The Seventh Circuit’s Mar. 8 opinion also held it doesn’t matter whether the perpetrator has physical access to the computer or damages it from a remote location.

According to the complaint, Jacob Citrin was employed by International Airport Centers, L.L.C. (IAC), a real estate company, to identify properties that IAC might want to acquire, and to assist in any ensuing acquisition. IAC lent Citrin a laptop for his use.

Citrin decided to quit IAC and go into business for himself, in breach of his employment contract. Before returning the laptop, however, he deleted all the data in it, including data that purportedly would have revealed improper conduct on his part to IAC.

Citrin did not merely delete the files with the “delete” key, but loaded a secure-erasure program into the computer that writes over the deleted files, and prevents their recovery. IAC had no other copies of the files that Citrin erased.

IAC brought suit in Illinois federal court, alleging a number of claims, including claims pursuant to the CFAA, which provides that whoever “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer,” violates the Act. 18 U.S.C. 1030(a)(5)(A)(i).

The district court dismissed the complaint, and IAC appealed. The Seventh Circuit reversed, in a decision by Judge Richard A. Posner.

The court agreed with Citrin that it “might be stretching the statute too far” to consider any deletion to be a “transmission,” merely because the actor transmits a command to the computer. However, the court found that Citrin’s conduct went beyond that.

The court also acknowledged that it did not know whether the erasure program was downloaded from the Internet or copied from a floppy disk or CD.

However, the court found the distinction irrelevant, reasoning, “In either the Internet download or the disk insertion, a program intended to cause damage … is transmitted to the computer electronically.”

Another distinction the court acknowledged is that transmission via disk requires physical access, while transmission via the Internet does not.

The court noted that the latter long-distance attacks could be more difficult to detect, and thus, to deter and punish. On the other hand, an inside attack, while easier to detect, is easier to accomplish.

Again, the court found the distinction irrelevant: “Congress was concerned with both types of attack: attacks by virus and worm writers, on the one hand, which come mainly from the outside, and attacks by disgruntled programmers who decide to trash the employer’s data system on the way out.”

The court thus concluded, “If the statute is to reach the disgruntled programmer, which Congress intended …, it can’t make any difference that the destructive program comes on a physical medium, such as a floppy disk or CD.”

	Related Links 7th Circuit Court of Appeals Related Article Case Analysis

The court added that Citrin also violated sec. 1030(a)(5)(A)(ii), which makes it a violation to “intentionally access[] a protected computer without authorization, and as a result of such conduct, recklessly cause[] damage.”

The court found, “his authorization to access the laptop terminated when, having already engaged in misconduct and decided to quit IAC in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee (cites omitted).”

Noting a difference in terminology within the CFAA — “without authorization” in the subsections Citrin was alleged to have violated; and “exceeding authorized access” in other subsections — the court called the distinction “paper thin, but not quite invisible.”

Finding Citrin’s actions to fall within the “without authorization” category, the court concluded, “Citrin’s breach
of his duty of loyalty terminated his agency relationship … and with it his authority to access the laptop, because the only basis of his authority had been that relationship (cites omitted).”

Accordingly, the court reversed, with instructions to reinstate the suit.

Click here for Case Analysis.

David Ziemer can be reached by email.