Former Employee’s Deletion of Data May Constitute CFAA “Damage”

A former employee’s deletion of data from his former employer’s computer, if intentional, may constitute an actionable “damage” as defined by the Computer Fraud and Abuse Act.

This is, in essence, what can be gleaned from a March 24, 2011 Memorandum and Opinion in Devon Energy Corporation v. Westacott, 4:09-cv-01689 (W.D. Tex. 2011) in which the court denied Westacott’s motion for summary judgment on the Devon Energy’s claim under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, et seq., finding there was a fact issue requiring a trial on the merits.

Westacott was an employee of Devon Energy who was paid $125,000 to perform an analysis of gas reserves in the Barnett Shale, a gas reservoir located near Fort Worth, Texas. Westacott decided to quit his job with Devon Energy and, in preparation for leaving, deleted numerous files from his computer including a 1.3-gigabyte file that contained data from his work on the Barnett Shale analysis. (Opinion p. 4). Westacott contended that he had intended to only delete his personal files and personal computer programs that he had installed and that, if in fact such work-related data had been deleted, it was only accidentally. (Opinion p. 5).

Devon Energy sued Westacott for violating subsection (a)(5)(A) of the Computer Fraud and Abuse Act, inter alia, “which provides that anyone who ‘knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer’ commits a federal crime.” (Opinion p. 17-18.)

The CFAA defines damage as “any impairment to the integrity or availability of data, a program, a system, or information.” (Opinion p. 18 quoting 18 U.S.C. § 1030(e)(8).).

The primary issue in dispute for the motion for summary judgment was whether Westacott intentionally impaired the availability of Devon Energy’s data. The court found there was a conflict in the evidence as to whether the deletion was “intentional” and on that basis denied the motion for summary judgment. Implicit in the court’s ruling, however, was the indication that if it is shown that the employee’s deletion of the data was intentional, such a deletion will constitute the type of “damage” that is a violation of subsection (a)(5)(A) of the Computer Fraud and Abuse Act.