Media Room

dedicated, diverse counsel helping you reach your goals


Deloitte & Touche v. Carlson: Destroying and Erasing Data Enough for Claims Under the Computer Fraud and Abuse Act

by John Marsh 1. August 2011 10:00

An employee's erasure or physical destruction of data on the hard drive of his company-owned computer may be enough to trigger a claim under the Computer Fraud and Abuse Act (CFAA). In Deloitte & Touche LLP v. Carlson, et al., U.S. Dist. Ct., N.D. Ill., Case No. 11 C327 (July 18, 2011) (Zagel, J.), the U.S. District Court for the Northern District of Illinois recently held that an employee's destruction of data qualifies as the access "without authorization" required by the CFAA, 18 U.S.C. §1030(a)(5). (Thanks to the Internet Cases blog for its report on this case).
Deloitte brought the action against a former Senior Manager in its Security and Privacy Practice, Lyle Carlson, and another former employee, David Deckter. Carlson admitted to physically shattering the hard drive of his company-owned laptop before returning it (a curious approach for a former Senior Manager of Deloitte's Security and Privacy Practice); Deckter, on the other hand, used a commercially available software program called "Eraser" to permanently delete substantial volumes of Deloitte data from his computer.
Carlson and Deckter moved to dismiss Deloitte's complaint and, as to the CFAA claim, argued that as they were employees of Deloitte at the time, they did not access a protected computer without authorization. The district court disagreed, noting that Carlson's "data destruction was done, in part, to cover his tracks in wrongfully soliciting Deckter" and in so doing, was "acting contrary to his employer's interests, thereby ending his agency relationship with Deloitte and making his conduct 'without authorization.'" The district court also noted that Carlson and Deckter acted contrary to Deloitte's policies, which required the return of all confidential information.
The take-away? Good exit and termination policies helped Deloitte keep its CFAA claim. Deloitte's policies required the return of all data and information at the termination of employment. The district court's opinion suggested that had Deloitte's policy permitted erasure by the employee, this claim might not have survived. Therefore, it may be worthwhile to double-check your client's exit policies to make certain that they mandate the return of all company information and data and don't provide an "out" for a troubled employee to cover his tracks.

Share on Facebook  Share on Twitter  Share on Linked In

Add comment

  Country flag
  • Comment
  • Preview

About John Marsh

John Marsh Hahn Law AttorneyI’m a Columbus, Ohio-based attorney with a national legal practice in trade secret, non-compete, and emergency litigation. Thanks for visiting my blog. I invite you to join in the conversations here by leaving a comment or sending me an email at


The information in this blog is designed to make you aware of issues you might not have previously considered, but it should not be construed as legal advice, nor solely relied upon in making legal decisions. Statements made on this blog are solely those of the author and do not necessarily reflect the views of Hahn Loeser & Parks LLP. This blog material may be considered attorney advertising under certain rules of professional attorney conduct. Regardless, the hiring of a lawyer is an important decision that should not be based solely upon advertisements.


Download OPML file OPML