The Computer Fraud and Abuse Act (CFAA) has a provision that makes it unlawful to “knowingly cause the transmission of a program, information, code, or command, and as a result of such conduct, intentionally cause damage without authorization, to a protected computer.” Can a person violate that provision of the CFAA by deleting data on his or her own computer? A recent federal case answered that question.
Plaintiff sued its former chief technology officer under the CFAA after it learned that the former executive wiped the hard drive of his personal laptop he had used for company business. Defendant moved to dismiss, arguing primarily that the purpose of the CFAA is to target hackers. And he argued that there is a circuit split over what it means for an employee to access a computer without authorization or in excess of authorization.
The court denied the motion to dismiss. It acknowledged there is a circuit split on what it means for an employee to access a computer without authorization or in excess of authorization. Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) and LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) exemplify this split. But the court noted that this case did not present the question of authorization to access a computer. Instead, the relevant CFAA provision discusses unauthorized damage.
Looking at the plain language of the CFAA, the court found no basis to dismiss the complaint. So the court in effect said that a person can violate the CFAA by deleting data on his or her computer. The factual question of whether the particular defendant in this case did that will proceed to trial.
New Touch Digital Inc. v. Cabral, 2020 WL 5946067 (D.D.C. October 7, 2020)
See also:
Damages available under Computer Fraud and Abuse Act, even though no “interruption of service”
About the author:
Evan Brown is a technology and intellectual property attorney in Chicago. This content originally appeared on evan.law.