An employee's erasure or physical destruction of data on the hard drive of his company-owned computer may be enough to trigger a claim under the Computer Fraud and Abuse Act (CFAA). In Deloitte & Touche LLP v. Carlson, et al., U.S. Dist. Ct., N.D. Ill., Case No. 11 C327 (July 18, 2011) (Zagel, J.), the U.S. District Court for the Northern District of Illinois recently held that an employee's destruction of data qualifies as the access "without authorization" required by the CFAA, 18 U.S.C. §1030(a)(5). (Thanks to the Internet Cases blog for its report on this case). Deloitte brought the action against a former Senior Manager in its Security and Privacy Practice, Lyle Carlson, and another former employee, David Deckter. Carlson admitted to physically shattering the hard drive of his company-owned laptop before returning it (a curious approach for a former Senior Manager of Deloitte's Security and Privacy Practice); Deckter, on the other hand, used a commercially available software program called "Eraser" to permanently delete substantial volumes of Deloitte data from his computer. Carlson and Deckter moved to dismiss Deloitte's complaint and, as to the CFAA claim, argued that as they were employees of Deloitte at the time, they did not access a protected computer without authorization. The district court disagreed, noting that Carlson's "data destruction was done, in part, to cover his tracks in wrongfully soliciting Deckter" and in so doing, was "acting contrary to his employer's interests, thereby ending his agency relationship with Deloitte and making his conduct 'without authorization.'" The district court also noted that Carlson and Deckter acted contrary to Deloitte's policies, which required the return of all confidential information. The take-away? Good exit and termination policies helped Deloitte keep its CFAA claim. Deloitte's policies required the return of all data and information at the termination of employment. The district court's opinion suggested that had Deloitte's policy permitted erasure by the employee, this claim might not have survived. Therefore, it may be worthwhile to double-check your client's exit policies to make certain that they mandate the return of all company information and data and don't provide an "out" for a troubled employee to cover his tracks.
Tags: Computer Fraud and Abuse Act, CFAA, policies, Deloitte, without authorization, erasure, data destruction
Computer Fraud and Abuse Act (CFAA) | General | Intellectual Property | IP Litigation
Cancel reply to comment
Powered by BlogEngine.NET 220.127.116.11
Theme by Mads Kristensen
Join me on Linked In!
The information in this blog is designed to make you aware of issues you might not have previously considered, but it should not be construed as legal advice, nor solely relied upon in making legal decisions. Statements made on this blog are solely those of the author and do not necessarily reflect the views of Hahn Loeser & Parks LLP. This blog material may be considered attorney advertising under certain rules of professional attorney conduct. Regardless, the hiring of a lawyer is an important decision that should not be based solely upon advertisements.
© 2011 Hahn Loeser & Parks LLP
The material available on this site is for information purposes only and does not constitute legal advice, nor is it intended as a substitute for legal counsel.