The U.S. Court of Appeals for the Fifth Circuit affirmed the Computer Fraud and Abuse Act conviction of an IT worker who sabotaged his employer’s network, rejecting the argument that an IT worker’s authorized access to “impair” a computer network as part of his routine duties authorizes any form of damage to the network. The December 11 ruling in United States of America v. Michael Thomas confirms liability under the CFAA for employees who act outside the scope of their duties to damage a company’s network.
The Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act, 18 U.S.C. § 1030, imposes civil and criminal liability for accessing or damaging protected computers without authorization. Sections 1030(a)(1)-(3) makes it illegal to either “knowingly access[ing] a computer without authorization” or “exceeding authorized access.” In contrast, section 1030(a)(5)(A) makes it illegal to “knowingly cause[] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally cause damage without authorization, to a protected computer.” The statute defines “damage” as “any impairment to the integrity or availability of data, a program, a system or information.”
Background
Michael Thomas was an IT Operations Manager for software company ClickMotive. After ClickMotive fired his coworker, Thomas embarked on a campaign of electronic sabotage in which he deleted hundreds of backup files; tampered with system notifications so that employees would not receive automated alerts to system problems; interfered with automated back-up procedures; deleted internal “wiki” pages that employees relied upon; changed authentication settings to prevent employees from working remotely; and removed employees from e-mail distribution groups so that employee requests for support would remain unanswered. After Thomas resigned, ClickMotive discovered the damage and incurred over $130,000 in out-of-pocket expenses to repair the harm that Thomas had caused. A grand jury charged Thomas with violating § 1030(a)(5)(A).
At trial, ClickMotive employees and outside IT experts testified that Thomas’ conduct was not consistent with normal troubleshooting or maintenance, or even mistakes made by a novice. ClickMotive employees also testified that there were company policies prohibiting interference with the company’s normal course of business and destroying any of its assets, including digital ones. A jury ultimately convicted Thomas of intentionally causing damage to a protected computer in violation of 18 U.S.C. § 1030(a)(5)(A).
The Fifth Circuit’s Decision
The Fifth Circuit upheld Thomas’ conviction on the basis that his conduct fell squarely within the scope of § 1030(a)(5)(A), and rejected his interpretation of the statute which claimed that his conduct was authorized because his IT job gave him full access to the system and the authority to “damage” the system occasionally—by deleting files or taking the system offline.
Thomas argued that because, as the IT Operations Manager, his official duties included conduct within the CFAA’s definition of “damage,” such as routinely deleting data, removing programs, and taking systems offline for maintenance, any damage that he caused within his role was not “without authorization,” and he could not be liable under section 1030(a)(5)(A). The Fifth Circuit, however, disagreed, rejecting wholesale the idea that any employee could damage a computer system in any way as long as the employee’s job included activities such as deleting files or taking systems offline.
The court’s holding turned on the interpretation of the term, “without authorization” under the CFAA’s damage provision as opposed to its access provisions. The Fifth Circuit noted that CFAA offenses center primarily on unauthorized access—either intentionally accessing a computer without authorization under section 1030(a)(1), or exceeding authorized access under section 1030(a)(2). Whereas courts have interpreted the former provision to target “outsiders,” such as hackers, they have interpreted the latter provision to apply to “insiders,” such as company employees. The Fifth Circuit found that this bifurcated reading of the CFAA appropriately avoided criminalizing less serious, everyday conduct, such as breaching the terms of service of a company or using work computers for personal reasons.
The Fifth Circuit said that, in contrast to the access provisions, section 1030(a)(5)(A) is concerned with damage to a computer system, and not hacking. Accordingly, section 1030(a)(5)(A) does not require a lack of authorization; nor does it distinguish between scopes and degrees of authorization. In other words, section 1030(a)(5)(A) applies to both outsiders who never had permission to damage the system, as well as insiders who exceed their permission to engage in acts that cause damage. In support of its holding, the Fifth Circuit cited the Senate Report on the 1996 amendments to the CFAA, which expressly referenced both “outside hackers” and “malicious insiders” (i.e., those employees who specifically intend to damage a computer system) as threats addressed by the CFAA. Thus, the court held that Thomas’ proposed reading was at odds with both the statutory language and the legislative intent of the CFAA and affirmed his conviction.
Takeaways
Under Thomas, even if employees are authorized to access a computer to perform tasks that may qualify as causing damage under the CFAA, such as deleting data or taking a computer offline for maintenance, they may still violate the CFAA when they intentionally cause harm by exceeding the scope of that limited authorization. Companies should consider having clear policies on the use, maintenance and protection of their internal computer systems that provide unambiguous guidance to employees concerning what constitutes authorized and unauthorized conduct. The presence of such policies may make it easier for companies and the government to bring civil and/or criminal CFAA actions against employees who violate those policies.