Federal Computer Fraud and Abuse Act Remedies Potentially Available to Hawaii Employers for Deleted Files

Hawaii employers could have a federal civil remedy available in federal court in addition to the ability to invoke Hawaii criminal statutory law for damage caused to either network or company-owned computers by former employees.

The federal Eastern District Court of Missouri recently issued a ruling that could broaden the remedies available to Hawaii employers for damage caused to computers by departing employees.

Specifically, in Lasco Foods, Inc. v. Hall and Shaw Sales, Marketing, & Consulting, the Court interpreted the Computer Fraud and Abuse Act (“CFAA”) to permit a federal remedy for employers whose former employees delete and/or steal company information from laptop computers.

In that case, two managers left the plaintiff company and, according to the plaintiff, failed to return their laptop computers when requested and copied or downloaded confidential and trade secret information. The files on the computer containing such information were then deleted prior to the laptop computers being returned. The plaintiff filed a complaint alleging several causes of action, including a claim under CFAA.

The Court rejected the defendants’ argument in a motion to dismiss that the plaintiff was prohibited from asserting a claim under CFAA. The CFAA permits a cause of action for any person who suffers damage or loss by a violation of the act, so long as the damage sustained during a one-year period totals at least $5,000 in value.

The CFAA defines damage as “any impairment to the integrity or availability of data, a program, a system or information.” The CFAA defines loss as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”

The Court found that the plaintiff sufficiently alleged facts to satisfy both the “damage” and “loss” test. The Court found that the company sufficiently pled loss with its allegations that defendants deleted information, requiring forensic analysis and other remedial measures to retrieve and analyze defendants’ computers and restore the data. The Court’s ruling did not require, as other case law on the issue suggested, that the subject information must be destroyed on the employer’s network computer as opposed to a laptop computer.

The Court’s interpretation of CFAA is more in line with Hawaii criminal statutory law addressing criminal computer-related activity. For instance, HRS § 708-892 states that a person has committed the crime of “Computer Damage in the First Degree” where:

(a) The person knowingly causes the transmission of a program, information, code, or command, and thereby knowingly causes unauthorized damage to a computer, computer system, or computer network; or
(b) The person intentionally accesses a computer, computer system, or computer network without authorization and thereby knowingly causes damage.

Under the statute, the damage must: “Result in a loss aggregating at least $5,000 in value, including the costs associated with diagnosis, repair, replacement, or remediation, during any one-year period to one or more individuals.” Also, computer damage in the first degree is a class B felony.

The Hawaii penal code explicitly permits the conviction of a person that causes damage to not only a computer network, but also a company-issued computer. Generally, in most garden-variety cases where a former employee has been found to have deleted/destroyed computer files, the cost to engage a computer forensics professional to assess and restore or attempt to restore lost data will exceed $5,000 under the Hawaii criminal statute and CFAA.

Thus, a Hawaii employer could have a federal civil remedy available in federal court in addition to the ability to invoke Hawaii criminal statutory law for damage caused to either its network or company-owned computers.