Perspective: Word to the wise if you quit in a huff

One of employers' biggest fears is that departing and disloyal employees will take advantage of access to company computer systems after announcing their resignations.

To deal with this problem, employers now are resorting to relief under the Computer Fraud and Abuse Act (CFAA), which originally was a criminal statute designed to combat unauthorized access to government computers. Over time, the CFAA has been amended to allow for civil liability and to provide for remedies such as monetary damages and injunctive relief.

The recent case of International Airport Centers v. Citrin, decided by the United States Court of Appeals for the Seventh Circuit, is an interesting example of how employers are using the CFAA to take the legal offensive. The defendant, a man named Jacob Citrin, was employed by the plaintiffs--a collection of affiliated companies engaged in the real estate business--to identify potential acquisition properties. The companies loaned a laptop to Citrin to record data that he collected during the course of his work.

Citrin ultimately decided to quit and go into business for himself, apparently in breach of his employment contract, according to IAC. Before returning the laptop to the companies, Citrin deleted all of the data he had collected--but he also deleted data that would have revealed improper conduct before deciding to quit, IAC claimed. He caused this deletion using a secure-erasure program making it impossible to recover the deleted information, it asserted.

The Citrin case very well could be one of many soon to be launched by employers under the CFAA. The statute provides many advantages to employers.

IAC brought suit against Citrin, relying on the provision of the CFAA which provides that whoever "knowingly causes the transmission of a program, information, code or command, and as a result of such conduct, intentionally causes damage without authorization to a protected computer," violates the statute, making the remedies of the CFAA available.

Citrin argued in his defense that merely erasing a file from a computer is not a "transmission" under the CFAA. While pressing a delete or erase key does transmit a command, Citrin asserted that it would be stretching the statute too far to consider simple typing on a computer keyboard to be a form of transmission just because it transmits a command to the computer.

The appellate court disagreed. It noted that more was involved than the transmission of the secure-erasure program to the computer. Under the CFAA, the court said, a program intended to cause damage to computer files includes "any impairment to the integrity or availability of data, a program, a system, or information" transmitted electronically to a computer.

The court determined that Congress intended the CFAA to address not only attacks from the outside, but also "attacks by disgruntled programmers who decide to trash the employer's data system on the way out." In this case, the court held that Citrin's authorization to access the laptop terminated when he decided to quit IAC in violation of his employment contract and destroyed incriminating files that were the property of the companies.

The Citrin case very well could be one of many soon to be launched by employers under the CFAA. The statute provides many advantages to employers.

First, cases under the CFAA can be brought in federal court, and employers can avoid restrictive noncompete and unfair competition laws. Second, employers can bring actions under the CFAA without having to prove that the information at issue constituted trade secrets or is confidential and proprietary. The CFAA does require damages of more than $5,000 in any one-year period caused by a violation for a lawsuit to be brought; however, damage assessments, security updates and restoration and replacement costs can be included to reach this amount.

Biography
Eric J. Sinrod is a partner in the San Francisco office of Duane Morris. His focus includes information technology and intellectual-property disputes. To receive his weekly columns, send an e-mail to ejsinrod@duanemorris.com with "Subscribe" in the subject line. This column is prepared and published for informational purposes only, and it should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.

More Perspectives

[ordaj]

Disloyal Employees

Disloyal Employees

After all the abuse (downsizing, rightsizing, outsourcing, laying off, "cost-of-living" raises, scaled back benefits, dumped pensions, increased workloads, constant change, egregious upper-management "pay" packages, ever-shifting priorities, pointy-headed bosses, back-stabbing Apprentice-type "co-workers," etc., etc., etc.) employees endure, I don't think you can work the word "loyal" into the equation. That went out with disloyal corporations who started outsourcing jobs in the 70s and rightsizing jobs in the 80s.

[enovikoff]

Disloyal?

Despite the fact that employers often abuse employees, one can really only speak of loyalty in this situation as being true to your committments to your company. If you are in any relationship, the behavior of the other person cannot in any way justify retribution or attack since ultimately you must bear the responsibility for your own actions ("he made me do it" never sounds like anything but poor-me whining.)

In this case, the employee knew he had made a choice that violated the trust of his employer and his committment to good faith in serving his employer. I'd call that disloyalty, but my first choice of terms to describe it would simply be betrayal.

There was no mention of abuse by the company here, just that the employee wanted to enrich himself.

[wbenton]

Hogwash I Say!

>>>Under the CFAA, the court said, a program intended to cause damage to computer files includes "any impairment to the integrity or availability of data, a program, a system, or information" transmitted electronically to a computer.<<<

Ensuring proper erasure of files is part of the ISMS structure. If companies place their reliability on recovering ISMS approved erasure measures... then all I have to say for that company is that they need to understand ISMS procedures a bit better.

They were hoping to recover data which an employee held at one time... but which since was deleted.

Their hopes are too high. Should that employee have been able to keep local copies ONLY of such databases? If not... then that company's ISMS department failed to ensure that he ONLY kept copies of such databases on company servers where the data was backed up.

I say the company is barking up the wrong tree!!!

Walt

[209979377489953107664053243186]

Laptop Policies

Disgruntled employees and the rising incidents of laptop theft are making it imperative for companies to initiate laptop policies. These should include a set of "good practices" but also increased security protocols over laptops that leave the office, including remote access control to files that exist on the laptop. Company wide, the company should be in control of that access, not the employee. More on laptop security:
<a class="jive-link-external" href="http://www.essentialsecurity.com/pressroom/press_releases/pr_taceo16.htm" target="_newWindow">http://www.essentialsecurity.com/pressroom/press_releases/pr_taceo16.htm</a>