An employee’s erasure or physical destruction of data on the hard drive of his company-owned computer may be enough to trigger a claim under the Computer Fraud and Abuse Act (CFAA). In Deloitte & Touche LLP v. Carlson, et al., U.S. Dist. Ct., N.D. Ill., Case No. 11 C327 (July 18, 2011) (Zagel, J.), the U.S. District Court for the Northern District of Illinois recently held that an employee’s destruction of data qualifies as the access “without authorization” required by the CFAA, 18 U.S.C. §1030(a)(5). (Thanks to the Internet Cases blog for its report on this case.)
Deloitte brought the action against a former Senior Manager in its Security and Privacy Practice, Lyle Carlson, and another former employee, David Deckter. Carlson admitted to physically shattering the hard drive of his company-owned laptop before returning it (a curious approach for a former Senior Manager of Deloitte’s Security and Privacy Practice); Deckter, on the other hand, used a commercially available software program called “Eraser” to permanently delete substantial volumes of Deloitte data from his computer.
Carlson and Deckter moved to dismiss Deloitte’s complaint and, as to the CFAA claim, argued that, as they were employees of Deloitte at the time, they did not access a protected computer without authorization. The district court disagreed, noting that Carlson’s “data destruction was done, in part, to cover his tracks in wrongfully soliciting Deckter” and in so doing, was “acting contrary to his employer’s interests, thereby ending his agency relationship with Deloitte and making his conduct ‘without authorization.’” The district court also noted that Carlson and Deckter acted contrary to Deloitte’s policies, which required the return of all confidential information.
The take-away? Good exit and termination policies helped Deloitte keep its CFAA claim. Deloitte’s policies required the return of all data and information at the termination of employment. The district court’s opinion suggested that had Deloitte’s policy permitted erasure by the employee, this claim might not have survived. Therefore, it may be worthwhile to double-check your client’s exit policies to make certain that they mandate the return of all company information and data and don’t provide an “out” for a troubled employee to cover his tracks.