I was reading an article in one of the many legal publications that come across my desk each day and came across an article discussing a new wrinkle in the federal Computer Fraud and Abuse Act (?CFAA?). The new wrinkle is the result of a case handed down by the Seventh Circuit Court of Appeals in Chicago.
The opinion was issued in a case where an employer sued a former employee. The employee quit his job with the employer in order to go into business for himself. This was a breach of his agreement with his employer. Before he resigned, he deleted all of the information on the hard drive of the laptop he had been provided by his employer. The data he deleted included data he was paid to collect for his employer. The employer also believed the employee destroyed data that would demonstrate he was engaging in improper conduct prior to his termination.
The employee did not simply drag files to the trash and ?empty the trash?. He installed a file deletion program on the computer and used it to truly delete the information. For those of you who are not familiar with how your trash or recycle bin work, when you place a file in the ?trash? and empty the trash, the file is not removed from the hard drive. The computer simply deletes the files entry in the computers file index and deletes the pointers to the file. The data is still in the same place and can be recovered.
In contrast, a true file deletion utility will overwrite the space on the hard drive where the data is physically located. Overwriting means the hard drives recording head moves over the space and records random information. This makes it more difficult to recover the data. Thus, in this case, the employer could not recover the data it had paid the employee to collect as well as the evidence of the employee?s misconduct.
The employer sued the employee for a number of reasons, including a violation of the CFAA. The CFAA is a federal statute that provides criminal and civil penalties for certain activities that harm computers, that involve unauthorized access to computers or use computers to commit fraud. The employer relied upon a specific provision relating to individuals who ?knowingly cause the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization to a protected computer??
The employee argued that erasing a file was not a ?transmission?, because it only involved pressing keys on the keyboard. The trial court agreed and dismissed the case. On appeal, the Seventh Circuit noted that the employee did more than simply press keys, but that the employee actually installed a piece of software. The Court ruled that installing the file deletion program was a transmission for purposes of the CFAA. Because installing the program was a transmission, the employee had violated the CFAA.
The court of appeals also held that the employee accessed the computer without authorization and by deleting the files, recklessly caused damage.
This is good news for home care and hospice providers, because many of you provide your employees with laptops that contain patient information. Employees who install software without authorization to delete files (I have seen this done) or to otherwise cause damage can now be sued under the CFAA.
The CFAA allows individuals harmed by conduct described in the act to file suit to obtain injunctive relief and compensatory damages. In addition, the act provides that violations may be punished by jail time and fines. This means you have another very effective way to respond to employees tampering with your computers.
Permalink
