- Related Stories
-
It's time for mobile-gadget etiquette
April 5, 2006 -
It's my Internet--I can do what I want
March 29, 2006 -
How do you really feel about e-snooping?
March 22, 2006
The recent case of International Airport Centers v. Citrin, decided by the United States Court of Appeals for the Seventh Circuit, is an interesting example of how employers are using the CFAA to take the legal offensive. The defendant, a man named Jacob Citrin, was employed by the plaintiffs--a collection of affiliated companies engaged in the real estate business--to identify potential acquisition properties. The companies loaned a laptop to Citrin to record data that he collected during the course of his work.
Citrin ultimately decided to quit and go into business for himself, apparently in breach of his employment contract, according to IAC. Before returning the laptop to the companies, Citrin deleted all of the data he had collected--but he also deleted data that would have revealed improper conduct before deciding to quit, IAC claimed. He caused this deletion using a secure-erasure program making it impossible to recover the deleted information, it asserted.
IAC brought suit against Citrin, relying on the provision of the CFAA which provides that whoever "knowingly causes the transmission of a program, information, code or command, and as a result of such conduct, intentionally causes damage without authorization to a protected computer," violates the statute, making the remedies of the CFAA available.
Citrin argued in his defense that merely erasing a file from a computer is not a "transmission" under the CFAA. While pressing a delete or erase key does transmit a command, Citrin asserted that it would be stretching the statute too far to consider simple typing on a computer keyboard to be a form of transmission just because it transmits a command to the computer.
The appellate court disagreed. It noted that more was involved than the transmission of the secure-erasure program to the computer. Under the CFAA, the court said, a program intended to cause damage to computer files includes "any impairment to the integrity or availability of data, a program, a system, or information" transmitted electronically to a computer.
The court determined that Congress intended the CFAA to address not only attacks from the outside, but also "attacks by disgruntled programmers who decide to trash the employer's data system on the way out." In this case, the court held that Citrin's authorization to access the laptop terminated when he decided to quit IAC in violation of his employment contract and destroyed incriminating files that were the property of the companies.
The Citrin case very well could be one of many soon to be launched by employers under the CFAA. The statute provides many advantages to employers.
First, cases under the CFAA can be brought in federal court, and employers can avoid restrictive noncompete and unfair competition laws. Second, employers can bring actions under the CFAA without having to prove that the information at issue constituted trade secrets or is confidential and proprietary. The CFAA does require damages of more than $5,000 in any one-year period caused by a violation for a lawsuit to be brought; however, damage assessments, security updates and restoration and replacement costs can be included to reach this amount.
Biography
See more CNET content tagged:
employer, statute, transmission, court, acquisition
After all the abuse (downsizing, rightsizing, outsourcing, laying off, "cost-of-living" raises, scaled back benefits, dumped pensions, increased workloads, constant change, egregious upper-management "pay" packages, ever-shifting priorities, pointy-headed bosses, back-stabbing Apprentice-type "co-workers," etc., etc., etc.) employees endure, I don't think you can work the word "loyal" into the equation. That went out with disloyal corporations who started outsourcing jobs in the 70s and rightsizing jobs in the 80s.
In this case, the employee knew he had made a choice that violated the trust of his employer and his committment to good faith in serving his employer. I'd call that disloyalty, but my first choice of terms to describe it would simply be betrayal.
There was no mention of abuse by the company here, just that the employee wanted to enrich himself.
Ensuring proper erasure of files is part of the ISMS structure. If companies place their reliability on recovering ISMS approved erasure measures... then all I have to say for that company is that they need to understand ISMS procedures a bit better.
They were hoping to recover data which an employee held at one time... but which since was deleted.
Their hopes are too high. Should that employee have been able to keep local copies ONLY of such databases? If not... then that company's ISMS department failed to ensure that he ONLY kept copies of such databases on company servers where the data was backed up.
I say the company is barking up the wrong tree!!!
Walt
- Laptop Policies
- by 209979377489953107664053243186 April 12, 2006 12:07 PM PDT
- Disgruntled employees and the rising incidents of laptop theft are making it imperative for companies to initiate laptop policies. These should include a set of "good practices" but also increased security protocols over laptops that leave the office, including remote access control to files that exist on the laptop. Company wide, the company should be in control of that access, not the employee. More on laptop security:
- Like this Reply to this comment
-
(4 Comments)http://www.essentialsecurity.com/pressroom/press_releases/pr_taceo16.htm