Newsletter Update - August 2006
Welcome to the Anti-Fraud Network’s newsletter. In this edition we continue our series of articles from members around the world outlining important issues relating to fraud or corruption. Nick Akerman, Partner at Dorsey & Whitney, New York, examines a recent decision on the destruction of data by employees. This is of direct relevance to any organisation in the US in which employees have electronic access to sensitive or important data and is of indirect relevance to organisations elsewhere in the world because of the issues it raises.
In the next edition of the AFN newsletter, Micah Menes, Partner at Michael Shachor, Menes & Co. in Tel Aviv, Israel, will look at the legal situation in Israel regarding fraud investigations into companies that have collapsed. According to media reports, nearly 15 per cent of all Israeli organisations have suffered from embezzlement while less than 10 per cent were insured against such a loss. The article will review certain aspects of fraud such as the role of the liquidator authorities, the applicable laws and regulations, and common fraudulent dealings.
Nick Burkill
Suing For the Destruction of Computer Data
In March 2006, the US Seventh Circuit Court of Appeals, in an opinion written by Judge Posner, issued an important decision that is relevant to any company that may face the destruction of vital computer data by an insider, particularly one who leaves to go into competition with their former employer. The decision, Int’l Airport Centers, L.L.C. v. Citrin (IAC v. Citrin), provides added vitality to the federal Computer Fraud and Abuse Act (CFAA).
Int’l Airport Centers, L.L.C. (IAC), a real estate company, sued its former employee, Jacob Citrin, who resigned to go into competition with IAC in violation of his employment contract. Citrin’s job had been to find potential real estate acquisitions for IAC, and to assist with subsequent purchases. IAC provided Citrin with a company laptop to record data that he collected in the course of his work.
Before returning the laptop to IAC, Citrin deleted all of the data contained on it. The data he deleted was not just data collected during the course of his work, but also data that would have revealed his improper conduct towards IAC before resigning. This deletion was accomplished with a “secure delete” program which ensures permanent and irreversible deletion of the data from the laptop.
The CFAA outlaws a variety of acts directed against computers, including the destruction of data. The statute also provides that the alleged victim can bring a civil action against the perpetrator for damages and an injunction. IAC chose to sue Citrin under two provisions of the CFAA.
The first provision stipulates that whoever “knowingly causes the transmission of a program, information, code or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer” commits a crime. The second provision states that whoever “intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage” commits a crime.
IAC v. Citrin, particularly in the civil arena, goes beyond previous case law in clarifying and strengthening the reach of the CFAA to computer data destroyed by insiders as well as by hackers.
“Transmission”
The court interpreted “transmission” to include not only a long distance malicious signal sent by a hacker over the internet, but also a program transmitted to a computer by an insider like Citrin who used a secure deletion program directly connected to the computer. Analyzing the technology at issue, Judge Posner found that it was irrelevant whether “the program was downloaded from the internet or copied from a floppy disk (or the equivalent of a floppy disk, such as a CD) inserted into a disk drive that was either inside the computer or attached to it by a wire.” As Judge Posner wrote, “[t]he only difference, so far as the mechanics of transmission are concerned, is that the disk is inserted manually before the program on it is transmitted electronically to the computer.”
“Damage”
Relying on the CFAA’s definition of “damage” to mean “any impairment to the integrity or availability of data, a program, a system or information” (emphasis added), the court concluded that the violation occurs when data is permanently eliminated from the computer.
Judge Posner distinguished the technical results accomplished by the program used by Citrin from the simple tapping of a computer’s deletion key which “does not affect the data sought to be deleted; it merely removes the index entry and pointers to the data file so that the file appears no longer to be there, and the space allocated to that file is made available for future write commands.” Because “[s]uch ‘deleted’ files are easily recoverable,” there is no violation of the CFAA.
Whether this permanent deletion of data results from a hacker introducing a virus or an insider using a secure deletion program is irrelevant, as the emphasis was on the destruction being intentional.
“Unauthorized Access”
A critical element of most CFAA violations is “unauthorized access” to the computer. IAC v. Citrin is the first Circuit court case to hold that “unauthorized access” is established when an employee accesses the computer for a purpose disloyal and adverse to his employer’s interests.
Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc. previously found that when an employee violates his duty of loyalty, he voids his agency relationship with his employer, thereby terminating his authority to access the employer’s computer. This is because his authority to access the computer had been based on that agency relationship. IAC v. Citrin is the first Circuit opinion to adopt the Shurgard rule that authorization under the CFAA is premised on the law of agency.
In finding that Citrin was not authorized to access IAC’s laptop, the court held that Citrin’s authorization terminated when he breached his duty of loyalty by deciding to destroy the files. Citrin’s breach of loyalty was premised on his destruction of both data that identified prospective real estate IAC might want to buy, and also files that incriminated him in disloyal conduct before his resignation.
The breadth of this finding of lack of authorization is underscored by the court’s refusal to credit the express language in Citrin’s employment contract permitting him to ‘return or destroy’ data in the laptop when he left IAC (emphasis in original). Judge Posner held that “it is unlikely, to say the least, that the provision was intended to authorize him to destroy data that he knew the company had no duplicates of and would have wanted to have – if only to nail Citrin for misconduct.”
Lessons Learned
The message sent by IAC v. Citrin to companies concerned about protecting their computer data is clear. Whenever employees leave to go into competition, their computers should be searched not only to determine if they took data from the computers but also to determine whether they permanently deleted files. As a preventative measure, all agreements and company policies should stipulate that data must be returned immediately upon termination of employment. Although Judge Posner readily dismissed Citrin’s claim that he had been authorized to destroy the data based on his employment agreement, the best practice is to ensure that all parties know that the destruction of data is unacceptable and a federal criminal offence.
Nick Akerman is a partner in Dorsey & Whitney’s Trial group. Nick represents clients in trial and appellate courts and arbitrations throughout the United States. His specialties include protection of trade secrets and computer data, other commercial litigation, internal investigations and white collar criminal representations.
Contact Details:
T: + 1 212 415 9217
E: akerman.nick@dorsey.com