• LinkedIn
  • YouTube
  • Twitter
  • Facebook
  • Google+

Go After ‘In-House Hackers’ Using State and Federal Law

by on
in Employment Law,Human Resources

The so-called paperless society ushered in by the computer age may mean fewer file cabinets and storage rooms full of paper records, but storing company records on hard drives has its own set of problems.

Network administrators can set firewalls and schedule automatic backups. Virus protection can keep out malicious virtual intruders. But one threat remains: It takes just one disgruntled employee, the right password and a bit of technical know-how to wipe out years of important company records.

Fortunately, the legal system is coming up with solutions. Courts are holding malicious employees liable for the harm they do.

Consider the following ruling in which a court held an employee liable for purposely deleting critical company records. The case carries clear lessons about the need for employee policies and procedures regarding installing computer programs and erasing files.

The case of the ‘mad deleter'

Jacob Citrin was a managing director of International Airport Centers (IAC), a corporate real estate company. He was responsible for identifying properties that IAC might want to acquire and facilitating the acquisitions.

The company provided Citrin with a laptop to record data that he collected in the field.

Before resigning to start his own business, Citrin deleted all the data from his company-issued laptop. The deleted information included data he had collected during the course of his employment, including data that might have proved embarrassing to Citrin.

Citrin knew that a basic "delete" (i.e., pressing a delete or erase key) would have just removed the index entry and pointers to the data file, but that the files could still be recovered until the parts of the hard drive that held the data were recorded over by new entries.

To assure IAC would never recover the files, Citrin loaded a secure-erasure program. The program wrote over the deleted files, making it impossible to retrieve them.

Hold employees liable for deleting important files

IAC sued Citrin, alleging violations of the federal Computer Fraud and Abuse Act (CFAA) and state contract and tort laws. The trial court dismissed the case, so IAC appealed.

Fortunately for IAC, the 7th Circuit Court of Appeals took a different position. It found that, by installing a program on the laptop that could override the hard drive files, Citrin did what hackers do: transmitted a program, code or command to a protected computer without permission, which damages the computer.

That's exactly the sort of action that the CFAA was designed to punish. The court didn't buy Citrin's argument that merely erasing a file from a computer did not constitute "transmission" of a program.

The 7th Circuit acknowledged that pressing a delete or erase key, in fact, transmits a command. But the court said "it might be stretching the statute too far . . . to consider any typing on a computer keyboard to be a form of ‘transmission'."

Citrin went beyond merely pressing the delete key by loading the secure-erasure program, which satisfied the "transmission" requirement.

According to the court, Congress intended the CFAA to deter both attacks by virus and worm writers—which come mainly from the outside via the Internet—and attacks by disgruntled programmers who decide to trash their employers' data on their way out the door.

Citrin also argued that his employment contract specifically authorized the deletions. The court rejected this argument, writing that: "His authorization to access the laptop terminated when, having already engaged in misconduct and decided to quit IAC in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on the employee."

Thus, the court found Citrin's breach of his duty of loyalty terminated both his agency relationship with IAC and his authority to access the laptop. (International Airport Centers, L.L.C. v. Citrin, No. 05-1522, 7th Cir., 2006)  

Like what you've read? ...Republish it and share great business tips!

Attention: Readers, Publishers, Editors, Bloggers, Media, Webmasters and more...

We believe great content should be read and passed around. After all, knowledge IS power. And good business can become great with the right information at their fingertips. If you'd like to share any of the insightful articles on BusinessManagementDaily.com, you may republish or syndicate it without charge.

The only thing we ask is that you keep the article exactly as it was written and formatted. You also need to include an attribution statement and link to the article.

" This information is proudly provided by Business Management Daily.com: http://www.businessmanagementdaily.com/1887/go-after-in-house-hackers-using-state-and-federal-law "

Leave a Comment