“[T]he deletion of an employee’s emails can serve as the basis for a CFAA claim in certain circumstances, ….”
In Meridian Financial Advisors, Ltd. v. Pence, 1:07-cv-00995 (S.D. Ind. 2011), the United States District Court for the Southern District of Indiana denied, inter alia, the Defendant’s motion for summary judgment on the Plaintiff’s Computer Fraud and Abuse Act claim. The basic facts are these:
Defendant Pence was President and CEO of OCMC, Inc., a company that went into bankruptcy and had Meridian Financial Advisors, Ltd. appointed as its receiver. As Receiver, Meridian took possession of OCMC’s computers, including the one that had belonged to Pence. Meridian then discovered that emails and other computer data detailing improper conduct had been deleted just before Pence left OCMC’s premises. (Opinion p. 6-7).
Meridian sued Pence for violating the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, et seq., alleging that he and others violated the CFAA by damaging OCMC’s protected computers.
A person violates the CFAA by “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.” 18 U.S.C. § 1030(a)(5)(A)(i) (2010). For CFAA purposes, transmission can be accomplished either over the Internet or through a physical medium such as a compact disc. Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006). (Opinion p. 20).
Reasoning that the CFAA defines “‘damage’ to include ‘any impairment to the integrity or availability of data, a program, a system, or information’”, the Court found that the deletion of the emails and data impaired the availability of data and, as such, is prohibited by the CFAA. (Opinion p. 21). In reaching this decision, the court cited Monson v. Whitby Sch., Inc., 3:09-cv-1096, 2010 WL 3023873, at *3 (D. Conn. Aug. 2, 2010) for the proposition that, “under some circumstances, deletion of an employee’s own email can give rise to a CFAA claim.” Id. The court found that Pence’s deletion of email and data, if found to be true, would be a violation of the CFAA. That finding presented a question of fact that precluded granting summary judgment on this issue.
In the wake of Pence and Monson, departing employees need to be aware that if they delete emails and other computer data from their employer’s protected computer, under the right circumstances they could be violating the CFAA.