Is Destroying A Hard Drive On A Work Issued Computer The Equivalent Of Hacking Or Fraud?
from the court-may-think-so... dept
We’ve noted in the past how the courts have been stretching massively the Computer Fraud and Abuse Act (CFAA), which was really designed to deal with unauthorized access to computers — commonly referred to as malicious hacking. Yet, the courts have been interpreting it to cover all sorts of things that nobody would actually think of as hacking. In a recent case, for example, a guy who was a consultant at giant Deloitte & Touche, but then left to join a competitor, was sued by D&T because he destroyed the original hard drive in his work issued computer. When he quit, he returned the computer with a brand new hard drive. He had taken out the old hard drive and destroyed it because it had personal data on it (tax returns, account info and logins for personal things) that he didn’t want to share with D&T.
It’s difficult to see how this amounts to “hacking” or unauthorized access, and so the guy sought to have the case dismissed. Yet the court is allowing it to go forward, saying that the destruction of the hard drive was “without authorization” and thus the action fits under the CFAA. The problem here, as in other CFAA cases, is that it seems to interpret almost anything that doesn’t have direct authorization as being “unauthorized access” and thus, the equivalent of fraud or hacking. But in this case, it seems pretty clear that the guy didn’t do anything to harm the original company. He was just a little overzealous in trying to protect his personal info. Considering that his expertise as a consultant was in security and privacy… perhaps his actions aren’t all that surprising, really. What really is questionable here is why D&T is suing in the first place. They got back the computer with a newer hard drive, so it’s not like he returned a broken sytem to them.