Restoring Wiped Hard Drive May Be Compensable Under Computer Fraud And Abuse Act
What if an employee exceeds his authorized network access, then attempts to cover up his actions by erasing the computer's hard drive? Beyond the many business ramifications, what legal remedies are available to the impacted organization?
In a lawsuit filed in federal court in Tennessee, plaintiff Expert Janitorial alleged that two of its former employees had wrongfully accessed other employees' email accounts in order to obtain company confidential information. The company further alleged that one of the employees executed software designed to delete data and files from her company-issued laptop in an attempt to conceal the access. One of the claims brought was violation of the federal Computer Fraud and Abuse Act ("CFAA"). The CFAA provides for both criminal and civil remedies based on unauthorized access to a computer or network that results in damages exceeding $5000.
Defendant employees filed a motion to dismiss the suit, arguing that the company failed to state a claim under the CFAA, including the requirement that the company incurred over $5000 in damages. The CFAA defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information.” 18 USC § 1030(e)(8). The court held that the company's allegations that it had to institute remedial measures to restore the computer allegedly accessed by one of the defendants was sufficient to satisfy the damages requirement of the CFAA and state a cause of action under that act.
Unlike some earlier decisions involving employees exceeding their authorized access, this decision suggests that the remedies and other law enforcement resources available for a Computer Fraud and Abuse Act violation may apply where unauthorized computer access by employees is alleged.