Because so much of a company’s important information is kept on computers, employers have to be mindful that a departing employee could cause havoc with the computer system before going out the door. A recent court decision provides a tool for employers to deal with this problem – the federal Computer Fraud and Abuse Act (CFAA).

The case involved Jacob Citrin, managing director of International Airport Center (IAC), a real estate business. Citrin was responsible for identifying possible acquisition targets for IAC. The company provided him with a laptop computer to record data he collected on potential acquisitions. Citrin decided to quit IAC and go into business for himself, allegedly in violation of his employment contract which contained a noncompete agreement.

Before turning in his laptop computer, Citrin deleted all the data on it pertaining to potential acquisition targets. To ensure that the data could not be recovered he loaded a self-erasure program onto his laptop that overwrites all files and prevents their recovery. IAC said it had no other copies of the files Citrin erased (more on that later).

IAC brought suit against Citrin, alleging breach of employment contract and violation of the CFAA. The court ruled that the computer fraud and abuse statute could be used in the employer/employee situation. The CFAA originated as a criminal statute designed to combat unauthorized access to government computers. It was aimed at hackers, viruses and "worms." It has been amended to provide for civil remedies such as injunctions and monetary damages. At issue in the IAC case was whether Citrin’s loading of the erase program on his company laptop constituted a "transmission" of a "program, information, code, or command" which "intentionally causes damage without authorization" in violation of the CFAA.

The court ruled that the prohibition on transmitting a program in order to damage a computer includes erasing all the data from a laptop. It found that the loading of the self-erasure program constituted a "transmission" within the meaning of the statute. The court stated that when Congress passed the CFAA it was concerned with both types of attack: attacks by virus and worm writers, which come mainly from the outside, and attacks from within by disgruntled programmers who decide to trash the employer’s data system on the way out.

Citrin had claimed that under his employment contract he was allowed to "return or destroy" data on his laptop when he ceased employment with IAC. But the court found that his authorization to access the laptop terminated when he decided to quit IAC and go into business himself in violation of his employment contract and that destroying files that were the property of his employer violated the duty of loyalty that agency law imposes on an employee.

There has been some criticism that the court’s opinion was an incorrect interpretation of the anti-hacking statute, extending its reach where Congress didn’t intend it to go. But unless the decision is overturned, the CFAA is available to employers to bring civil action against an employee who intentionally damages or deletes computer files without authority to do so. An employer owns all the business related data on a computer that was developed by an employee while under employment. For a departing employee to delete or take that data would be similar to stealing a file cabinet full of confidential client information.

Finally, it must be pointed out that IAC was remiss in failing to have a backup of whatever data was on Citrin’s laptop when he permanently deleted it. If the information was crucial to their business interests, it should have been copied elsewhere so that the sole copy did not exist on a laptop computer which could easily be stolen, lost, irretrievably damaged or, in this instance, erased.

For employers, the significance of this case (International Airport Centers, L.L.C. v. Citrin, Seventh Circuit Court of Appeals, March 2006) is that it alerts them to a federal statute that provides civil remedies when employees damage a computer system or destroy data through unauthorized access. The case also points out the risks of having employees on the road gathering data on their laptops with no backup of the information and the harm a disloyal employee can cause to computer files.

David L. Hansen, SPHR, CCP, Senior Human Resources Consultant, advises, "Employers today should include in their handbooks a policy outlining the appropriate use of electronic devices and resources, such as computers and Ipods." The policy should state that all work product, whether paper or electronic, is the property of the employer and should not be taken or transferred for personnel use without authorization. Employers may wish to spell out which types of confidential or proprietary information is covered by the policy, e.g., sales records, marketing tactics, client contact information, strategic plans, etc. Employees should be instructed on steps to take to keep the computer network and individual computers secure from viruses, hackers, or theft. Rules for e-mail, internet access, and use of passwords should be included. It should also be stated that employees should have no right or expectation of privacy and as a condition of employment, employees consent to review and disclosure of e-mail messages and internet records.