International Airport Centers, L.L.C. v. Citrin

In International Airport Centers, L.L.C. v. Citrin, the Seventh Circuit Court of Appeals evaluated the dismissal of the plaintiffs' lawsuit for failure to state a claim based upon the interpretation of the word "transmission" in the Computer Fraud and Abuse Act,. Jacob Citrin had been employed by IAC, who had lent him a laptop for use while under their employment. Upon leaving IAC, he deleted the data on the laptop before returning it to IAC. The Court of Appeals decided to reverse the decision and reinstated IAC's lawsuit.

Facts
International Airport Centers, L.L.C. (IAC) is a group of companies in the real estate business. IAC employed the defendant, Jacob Citrin, to identify potential acquisitions and record data about these properties. IAC lent Citrin a laptop for this purpose. Citrin became self-employed and quit IAC, breaching his employment contract in the process. He deleted the data on the laptop before returning it to IAC, using a secure-erasure software that rendered files irrecoverable. This process destroyed data that he had collected for IAC in addition to data revealing improper workplace conduct.

The provision of the Computer Fraud and Abuse Act provides that whoever "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer" violates the Act. Citrin argued that erasing a file from a computer is not a "transmission." The district court agreed and dismissed the lawsuit since it determined that the deletion of the files did not violate the CFAA. However, Circuit Judge Posner examined the "transmission" of the secure-erasure program to the computer, stating that the method of transmission here – whether it was installed through a network or a disc – is irrelevant. "Damage" here included "any impairment to the integrity or availability of data, a program, a system, or information."

Ruling
The court ruled that Citrin's authorization terminated with his breach of his duty of loyalty in quitting, and that his actions were "exceeding authorized access", as defined by the CFAA to be "access[ing] a computer with authorization and…us[ing] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." While Citrin argued that his employment contract authorized him to "return or destroy" data in the laptop, it was unlikely that this was intended to authorize him to irreversibly destroy data that the company had no copies of, or data that incriminated him in misconduct. Therefore, the judgment was reversed with directions to reinstate the suit.

This case was one of a series of cases that applied the CFAA to employee misconduct. Originally, the CFAA had been crafted to prevent criminal hacking in government interest computers. The definition of "authorization" used in Citrin would be later rejected by the Ninth Circuit court in LVRC Holdings v. Brekka in favor of a more narrow "active authorization" that is granted by an authority.