Wednesday, April 05, 2006

Seventh Circuit decision concerning Computer Fraud and Abuse Act

I know this isn't strictly trademark, copyright, or trade secret law, but the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 et seq., does seem to pop up in many trade secret-related disputes I've worked on.

The Seventh Circuit issued a decision under the CFAA about a month ago that got me thinking about a potentially new way to use the CFAA. Before I get into the new way, the decision in International Airport Centers, L.L.C. v. Citrin, No. 05-1522 (7th Cir. March 8, 2006), primarily concerned whether the defendant in this civil case under the CFAA, who had intentionally erased important data from his company-issued laptop just before he got canned, had caused the "transmission" of a command or program that caused damage and whether he was "authorized" to have erased the data. (The data was important to the employer and it didn't have any copies of the data, and the ex-amployee, after deleting the critical information, then started up his own competing business.)

The district court had dismissed the case, but Judge Posner, writing for the panel, held that such conduct would violate the CFAA.

But this got me thinking about spoliation of evidence during the course of litigation. Normally, when that happens, lawyers tend to think of it in terms of discovery sanctions and "adverse inference" jury instructions. But if, during the course of litigation, someone is found to have intentionally deleted or erased relevant computer data, might that not fall under the CFAA? Section 1030(a)(5)(A)(i) prohibits the intentional transmission of a program or command that causes damage to the computer so long as he wasn't "authorized" to do so. Section 1030(a)(5)(A)(ii) & (iii) prohibit intentional access to a protected computer that recklessly causes damage, or just causes damage, all without "authorization."

So if under the Federal Rules governing discovery, a party has a duty not to destroy potentially relevant information, does that mean the party isn't "authorized" under the CFAA? That would look to be the key question. Further, if the adverse party needed to spend more than $5000 to retrieve (or try to retrieve) the data (whether lawyer time or computer forensics experts or whatever), the adverse party might even be able to amend his claims or counterclaims to assert a CFAA claim in that case, thus maximizing the chances that the jury or the judge gets to hear, in excruciating detail, about the evidence that was destroyed.

Is this a possibility? Anyone spot any bone-headed flaw in my thinking?

No comments: