Why isn’t is clearer that this is absolutely one of these areas in which we need to label the destruction of digital information a crime. One of the key areas of destruction by M that we raised with the arbitrator was the absence of email on the business computer M returned at the end of his employment. I wish we had more guidance on this topic 5 years ago. More importantly I wish the bickering between police would have made the jurisdiction questions clearer. The following has been republished with approval from the Cybersecurity Business Law Blog which you can find here.
“[T]he deletion of an employee’s emails can serve as the basis for a CFAA claim in certain circumstances, ….”
In Meridian Financial Advisors, Ltd. v. Pence, 1:07-cv-00995 (S.D. Ind. 2011), the United States District Court for the Southern District of Indiana denied the Defendant’s motion for summary judgment on the Plaintiff’s Computer Fraud and Abuse Act claim, inter alia. The basic facts are these:
Defendant Pence was President and CEO of OCMC, Inc., a company that went into bankruptcy and had appointed as its receiver, Meridian Financial Advisors, Ltd. As Receiver, Meridian took possession of OCMC’s computers, including the one that had belonged to Pence. Meridian then discovered that emails and other computer data detailing improper conduct had been deleted just before Pence left OCMC’s premises. (Opinion p. 6-7).
Meridian sued Pence for violating the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, et seq., alleging that he and others violated the CFAA by damaging OCMC’s protected computers.
A person violates the CFAA by “knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer.” 18 U.S.C. § 1030(a)(5)(A)(i) (2010). For CFAA purposes, transmission can be accomplished either over the Internet or through a physical medium such as a compact disc. Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006). (Opinion p. 20).
Reasoning that the CFAA defines “‘damage’ to include ‘any impairment to the integrity or availability of data, a program, a system, or information’”, the Court found that the deletion of the emails and data impaired the availability of data and, as such is prohibited by the CFAA. (Opinion p. 21). In reaching this decision, the court cited Monson v. Whitby Sch., Inc., 3:09-cv-1096, 2010 WL 3023873, at *3 (D. Conn. Aug. 2, 2010) for the proposition that, “under some circumstances, deletion of an employee’s own email can give rise to a CFAA claim.” Id. The court found that Pence’s deletion of email and data, if found to be true, would be a violation of the CFAA, which finding presented a question of fact that precluded granting of summary judgment on this issue.
In the wake of Pence and Monson, departing employees need to beware that if they delete emails and other computer data from their employer’s protected computer, under the right circumstances they could be violating the CFAA.”