Many employers often question what recourse is available when faced with the destruction or alteration of company data by former employees. This question is made more complicated when employees use their own personal computer for work. In addressing this issue, the U.S. District Court for the Northern District of Illinois, Eastern division held that an employee’s use of her personal computer to delete e-mails on her employer’s computer servers may support an unauthorized access claim under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”).
Plaintiffs, a group of real estate companies, allege that several of their former employees, on company resources and company time, founded a competing business and stole customers. Plaintiffs claim that one of the defendants told the others to delete e-mails related to their “scheme”, and then delete them again from the “deleted items” folder. This “hard delete” made the files hard to retrieve.
Defendants sought to dismiss the CFAA claims. Specifically, defendants claimed that “unauthorized access” is impossible because the individual defendant had used her own personal computer for work, and plaintiffs thus lost nothing when she left with it. Although defendants cited to no cases, some District Courts (Keystone Fruit Marketing, Inc. v. Brownfield) have concluded that using one’s personal computer will not support a CFAA unauthorized access claim. Here, the Court found that the CFAA appears to prohibit damaging (not accessing) a computer without authorization and the definition of “protected computer” does not specify whose computer it must be. While the Court ultimately dismissed plaintiffs’ claim as not sufficiently alleged, the Court did rule that plaintiffs may be able to make out a claim against the individual defendant by showing that she impermissibly destroyed files or other data belonging to them.
Companies must be aware of jurisdictional nuances as they strive to protect themselves. Stay tuned as we address similar issues in an upcoming series of posts!