Whenever I get a lot of email about a story, I take it seriously. This story about International Airport Centers, LLC v. Citrin is filling up my inbox. I see Slashdot had it yesterday too. So I decided to take a look and see if I could find some material to help you understand what is happening, and I have.
It's an Order being described as an expansion of the Computer Fraud and Abuse Act:
The 7th Circuit made two remarkable leaps. First, the judges said that deleting files from a laptop counts as "damage." Second, they ruled that Citrin's implicit "authorization" evaporated when he (again, allegedly) chose to go into business for himself and violate his employment contract.
The implications of this decision are broad. It effectively says that employees better not use OS X's Secure Empty Trash feature, or any similar utility, because they could face civil and criminal charges after they leave their job.
When I read the article, I just knew there had to be more to the story.
For one thing, Judge Richard Posner, who wrote the controversial order for the U.S. Court of Appeals for the Seventh Circuit, is an intelligent judge, although not a geek, as you will see, and anyway, whenever you read something in the media that violates your sense of what should be, it's wise to check and make sure of the details before you stop breathing and turn purple.
In fact there is quite a bit more to the story. And the good news is that it isn't the end of the story yet. Before I explain it all, here are some documents that will help you get the whole picture, all PDFs:
First, what happened?
If you read the Amended Complaint, you find out it was by no means a typical employer sues employee case:
3. The Defendant is Jacob Citrin ("Citrin").... Citrin, until October 30, 2003, was an officer and employee of IAC, serving as a "Managing Director." Citrin continuously has been employed by IAC since its formation in 1995. ...
4. Citrin was responsible during his employment at IAC for, among other things, identifying potential properties for acquisition and directing the acquisition process with respect to such properties. Citrin is a 19.88% member of PIC IAC LLC (and thus indirectly a .08% owner of IAC [4.18% of IAC x 19.88% of PIC IAC LLC = .08% of IAC] and a 40% member of IACEA LLC (thereby indirectly an owner of an additional interest in IAC). Citrin is thus a beneficial owner of IAC and such beneficial membership interest is worth several million dollars.
See what I mean? Already you can see that this isn't just some poor slob being run over by his ex-employer.
Now, why did the plaintiffs decide to sue under the Computer Fraud and Abuse Act? It's a jurisdictional ploy, as best I can make out. They wanted to sue in Federal court, and that was a problem, because the plaintiffs are in Illinois and the defendant is in New York State, but because he had an ownership interest in the plaintiffs, there was no diversity jurisdiction. In paragraph 5, the plaintiffs state that jurisdiction is proper because of the CFAA, 18 U.S.C. Section 1030(g). Marbux explained it to me like this:
Therefore, federal court jurisdiction, if it existed, had to depend on a combination of the federal question jurisdiction provided by the CFAA claim and supplemental jurisdiction (encompassing in part what used to be called "pendant" jurisdiction). Under supplemental jurisdiction, if federal question jurisdiction exists, the pendant state claims can be appended to the federal action regardless of any lack of diversity among the parties. But if the claim raising the federal question can not be stated, then there is no basis for federal supplemental jurisdiction over the state claims.
As for what they allege he did wrong, it's largely contract-based. As I always tell you, don't sign anything you haven't read and discussed with your lawyer. They claim that Citrin has made illegal profits by his actions to the tune of "the high six figures or low seven figures". They say that "sometime at a date unknown" but before October 2003, he decided to quit the company and compete against it, and he didn't tell the company but instead made certain "surreptitious plans" to "fraudulently appropriate IAC opportunities and assets", along with the company's "confidential and proprietary work product" for his own use.
For example, they say he identified a property for acquisition, then told the company there were issues that made it not a good idea to go forward, asked for documents obtained in the course of the due diligence by IAC, secretly formed his own company, and then acquired the facility himself. It's more complex than that even, since he then sold a 50% interest, but you can read the complaint for yourself for the fine details.
The point is that he had signed an agreement that he wouldn't compete for two years after termination of his employment with IAC, and here they say he was competing against the company even before termination. However, the agreement said that the covenant not to compete was void "in the event of a Change of Control and/or termination of Grantee's employment, if not for Cause." He also signed a Confidentiality Agreement. The company notified him on October 22, 2003, after he allegedly failed to show up for several important meetings, that he would likely be terminated for cause because of non-performance, so he quickly resigned on October 30th in what the plaintiffs' call "a transparent effort to preempt termination for cause." The company responded to his ploy, as they saw it, by telling him he was terminated for cause, so there. And so the fight began.
So the company wants an injunction against Citrin not to compete, saying it's a classic inevitable disclosure case, and a declaration that he has lost the right to "certain compensation expectations". There is real money at stake, and to win, the plaintiffs must prove that he is guilty of wrongdoing, and that is where the CFAA claim comes in.
Now, the company provided Citrin with a computer, a laptop, for use in traveling about looking for acquisition targets. The reason the company cared about him deleting materials is because they felt having the materials gave him an unfair advantage over the company, and he allegedly deleted materials not only from the laptop he was using but from the snap server the company provided for storage and backup. IAC wants that confidential material returned to them and they'd also like financial restitution. They'd like a million dollars in punitive damages, plus compensatory damages, as well as disgorgement of pay Citrin received during the period they say he was actually working against them, and they don't want him to be able to use the materials he deleted from the laptop and server against them in business.
The Computer Fraud and Abuse Act Claim
The plaintiffs cited the following sections of the CFAA:
Whoever ... knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer... 18 U.S.C. Section 1030(a)(5)(A)(i).
by conduct described in clause (i), (ii), or (ii) of subparagraph (A), caused...18 U.S.C. Section 1030(a)(5)(B).
loss to 1 or more person during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggegating at least $5,000 in value; 18 U.S.C. Section 1030(a)(5)(B)(i).
the term "computer" means an electronic, magnetic, optical, electrochemical, or other high speed data processing devce performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device; 18 U.S.C. Section 1030(e)(1).
the term "protected computer" means... a computer which is used in interstate or foreign commerce or communication.... 18 U.S.C. Section 1030(e)(2)(B).
Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) are limited to economic damages. 18 U.S.C. Section 1030(g).
Then, they stated that his "willful destruction of IAC's computer and snap server" was a violation of both the criminal and civil provisions of the CFAA, in that he "knowingly caused the transmission of a program, information, code or command, and as a result of such conduct, intentionally caused damage without authorization, to a protected computer within the meaning of the CFAA."
Well. He allegedly destroyed materials on the computer and the server, but it surely isn't accurate to say that he destroyed the computer or the server by deleting materials. That's just silly. They asked for the following relief: an injunction so he wouldn't violate the CFAA any more. That's silly too. They have the laptop and he already deleted all there was on the server. However the rest isn't so silly, viewed from the plaintiffs' standpoint. They asked for an injunction that he be blocked from destroying or disposing of any materials he has in his possession that are actually the property of the plaintiffs and that he be ordered to return it all to them.
Another cause of action had to do with the state of Illinois' Computer Tampering Act. This is an area of law I researched for my boss once, a few years ago, and some of the local statutes are far worse than the CFAA. So it is here. Illinois' law says that it is against to law to insert a program knowing that the program contains information or commands that will or may "alter, delete or remove a computer program or data from that computer". Happily I don't live in Illinois, because I remove programs and data from my computer all the time. I used to do it on company computers too, now that I think of it, because I didn't want certain Windows applications on any computer I used on the Internet. Barring a writing authorizing me to do that, an Illinois employer wishing to cause me trouble could claim I was in violation of that Illinois statute, and he'd be correct. And the plaintiffs here do exactly that, saying the deletion program was "inserted" into the laptop and it altered, deleted and removed data from the laptop and server. Ta da. He's an alleged criminal in Illinois.
You can just use a little logic to see that they are not talking sensibly though. First they claim he destroyed the laptop and the server, and hence he broke the law. And then they ask the court to make him return the "destroyed" materials. It sort of can't be both, so far as I can see. The problem isn't the courts. It's the laws, the way they are written. They are written by folks who don't know enough about computers to fine-tune the statutory language so it isn't so broad it pretty much criminalizes everyone.
The lower court at the District level didn't see it plaintiffs' way. Citrin brought a motion to dismiss, and here's what the District Judge, Wayne R. Andersen ruled on January 31, 2005:
Citrin was an employee and managing director of IAC until October 30, 2003. During his employment, Citrin was responsible for identifying potential properties for acquisition by IAC and directing the acquisition process with respect to such properties. Plaintiffs assert that Citrin breached his contract and fiduciary obligations when he decided to leave his employment and compete with IAC. Plaintiffs allege that Citrin has fraudulently misappropriated IAC opportunities and assets along with confidential and proprietary work product.
Specifically, in relation to the allegations set forth in Count VI, plaintiffs assert that, prior to leaving his employment at IAC, Citrin deleted all of the data contained on the computer and snap backup server that IAC had provided him for his use as as IAC employee and managing director. In addition, IAC alleges that Citrin installed a software program on his computer and snap server that made it impossible for IAC to recover any of the deleted material. As a result of deleting this material and installing a program which prevented IAC from recovering any of the material, plaintiffs claim that Citrin has gained a competitive edge over IAC by having sole knowledge of the contents of the data he erased from his laptop computer and snap server. Based on these allegations, plaintiffs claim that Citrin has violated the CFAA, 18 U.S.C. Section 1030(a)(5)(A).
To state a claim under the CFAA, a plaintiff must allege a knowing "transmission" of a "program, information, code, or command" to "protected computer" which causes damage. 18 U.S.C. Section 1030(a)(5)(A) (2002); Hayes v Packard Bell Nec., 193 F. Supp. 2d 910, 912 (E.D. tex. 2001). Plaintiffs alleges that Citrin's installation of a software program to delete the data and material stored on his individual laptop computer and backup snap server constitutes a violation of the CFAA. We disagree.
Even assuming as plaintiffs have alleged that Citrin "is guilty of gross spoilation in purging the data from the IAC computer and snap server" and that "by destroying the entire content of information contained on the computer and snap server, [Citrin] was clearly attempting to prevent IAC from recovering . . . any evidence of his [alleged] improper conduct" (Amended Complaint, at Paragraph 9), this court concludes that this conduct, as a matter of law, does not constitute a violation of the CFAA. The legislative history for the CFAA explains that the general purpose of the CFAA is to address the problem of computer crime, to protect computers and computer networks from access by hackers and to prevent the transmission of computer viruses or other harmful computer programs. . . .
we find that the installation of a program which is designed simply to delete material only from that individual's computer and snap server does not constitute a "transmission" as contemplated by the CFAA. We do not believe that Congress intended that the simple act of erasing files from an individual laptop computer and backup snap server would trigger liability under the CFAA, and we decline to expand the scope of the Act to include such conduct.
Plaintiff's amended complaint also includes allegations of misappropriation, conversion and alleged violations of the Illinois Trade Secret Act and the Illinois Computer Tampering Act. These allegations may state claims for relief although this court declines to decide those issues. This court, however, does find that the allegations in plaintiffs' amended complaint do not fall within the scope of the CFAA. Based on the facts alleged in the amended complaint, plaintiffs fail, as a matter of law, to state a claim for a violation of the CFAA. Accordingly, we grant Citrin's motion to dismiss Count VI. As the remaining claims in this case are pendant state law claims, we decline to exercise supplemental jurisdiction over those claims.
For the foregoing reasons, defendant's motion to dismiss Count VI is granted, and plaintiffs' amended complaint is dismissed in its entirety.
It is so ordered.
The plaintiffs were not happy with that decision, so they appealed to the U.S. Court of Appeals for the Seventh Circuit, and the Order ended up being written by Judge Posner for the three-judge court of appeals panel, and Judge Posner clearly is not a geek. You can see him struggling to understand what the erase application is that Citrin used and how it works on page 3 of the Order:
We do not know whether the program was downloaded from the Internet or copied from a floppy disk (or the equivalent of a floppy disk, such as a CD) inserted into a disk drive that was either inside the computer or attached to it by a wire. Oddly, the complaint doesn’t say; maybe IAC doesn’t know—maybe all it knows is that when it got the computer back, the files in it had been erased. But we don’t see what difference the precise mode of transmission can make.
In either the Internet download or the disk insertion, a program intended to cause damage (not to the physical computer, of course, but to its files—but “damage” includes “any impairment to the integrity or availability of data, a program, a system, or information,” 18 U.S.C. § 1030(e)(8)) is transmitted to the computer electronically. The only difference, so far as the mechanics of transmission are concerned, is that the disk is inserted manually before the program on it is transmitted electronically to the computer. The difference vanishes if the disk drive into which the disk is inserted is an external drive, connected to the computer by a wire, just as the computer is connected to the Internet by a telephone cable or a broadband cable or wirelessly.
There is the following contextual difference between the two modes of transmission, however: transmission via disk requires that the malefactor have physical access to the computer. By using the Internet, Citrin might have erased the laptop’s files from afar by transmitting a virus. Such long-distance attacks can be more difficult to detect and thus to deter or punish than ones that can have been made only by someone with physical access, usually an employee. The inside attack, however, while easier to detect may also be easier to accomplish. Congress was concerned with both types of attack: attacks by virus and worm writers, on the one hand, which come mainly from the outside, and attacks by disgruntled programmers who decide to trash the employer’s data system on the way out (or threaten to do so in order to extort payments), on the other. If the statute is to reach the disgruntled programmer, which Congress intended by providing that whoever “intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage” violates the Act, 18 U.S.C. § 1030(a)(5)(A)(ii) (emphasis added), it can’t make any difference that the destructive program comes on a physical medium, such as a floppy disk or CD.
You can see when he calls the delete function "a destructive program" that he has concluded that Citrin is attacking, in the sense of a virus or trojan. He's thinking evil hacker. Obviously, he's never used a Mac. In Mac OSX, there is a secure delete option every time you empty the Trash. It's not a hacker tool. It's built right in to the system. People who are not familiar with computers tend to fear them, I've observed, and to view them as a kind of out of control weapon they don't know how to protect themselves from unless they stomp away in all directions at once, just to be on the safe side.
The judge is wrong that we don't know where the program came from. I don't know why he wrote that, because if you read the Plaintiffs' Response to Defendant's Motion to Dismiss, linked to above, you can see that it says clearly on page 9 it was from a CD or disk. Unfortunately, the Motion to Dismiss is not available on Pacer, but if you read the Plaintiffs' Response, you can discern what his arguments were.
And you'll notice that he bases his argument not on the parts of the CFAA that the plaintiffs cited but on 18 U.S.C. § 1030(e)(8). When you see judges helping one side out like that it generally means that they are looking for a way to pin the guilty party, in their estimation. Frankly, if a judge wants to get you, you're going to get got. They know how. Here, plaintiffs had alleged serious harm, and their day in federal court got thrown out when the lower court threw out the CFAA federal claim and with it all the state claims too, which it had to do, being a federal court. The state claims can only be heard by a federal court if there are federal claims too, and when the federal claim got tossed, everything went with it. This appeals court found a way to restore them to federal court. My guess is that they felt there was sufficient harm alleged that they wanted the plaintiffs to have their day in federal court. To do that, all the appeals court had to find was that the plaintiffs had stated a claim, which is a pretty low bar, generally speaking. The ruling opens like this:
This appeal from the dismissal of the plaintiffs’ suit for failure to state a claim mainly requires us to interpret the word “transmission” in a key provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030.
That is what the court did, interpret "transmission" to include this defendant's actions. It doesn't mean the defendant will be found guilty. I find that unlikely on the CFAA claim, since the lower court has already expressed what seemed to be a disinclination to do so, and even though the matter was successfully appealed, Judge Posner, writing for the court, isn't the only judge that can look for ways to accomplish what they want to accomplish. And don't leave out of the equation this: on a motion, such as the one Citrin brought to dismiss, the court must accept as true all facts not disproven by the other side. On the appeal, brought by the plaintiffs, it's the other way around. So the order beginning with the second sentence reads like this:
The complaint alleges the following facts, which for purposes of deciding the appeal we must take as true. The defendant, Citrin, was employed by the plaintiffs—affiliated companies engaged in the real estate business that we’ll treat as one to simplify the opinion, and call “IAC”—to identify properties that IAC might want to acquire, and to assist in any ensuing acquisition. IAC lent Citrin a laptop to use to record data that he collected in the course of his work in identifying potential acquisition targets. Citrin decided to quit IAC and go into business for himself, in breach of his employment contract. Before returning the laptop to IAC, he deleted all the data in it—not only the data that he had collected but also data that would have revealed to IAC improper conduct in which he had engaged before he decided to quit. Ordinarily, pressing the “delete” key on a computer (or using a mouse click to delete) does not affect the data sought to be deleted; it merely removes the index entry and pointers to the data file so that the file appears no longer to be there, and the space allocated to that file is made available for future write commands. Such “deleted” files are easily recoverable. But Citrin loaded into the laptop a secure-erasure program, designed, by writing over the deleted files, to prevent their recovery. Thomas J. Fitzgerald, “Deleted But Not Gone: Programs Help Protect Confidential Data by Making Disks and Drives Unreadable,” New York Times (national ed.), Nov. 3, 2005, p. C9. IAC had no copies of the files that Citrin erased.
The provision of the Computer Fraud and Abuse Act on which IAC relies provides that whoever “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer [a defined term that includes the laptop that Citrin used],” violates the Act. 18 U.S.C. § 1030(a)(5)(A)(i). Citrin argues that merely erasing a file from a computer is not a “transmission.” Pressing a delete or erase key in fact transmits a command, but it might be stretching the statute too far (especially since it provides criminal as well as civil sanctions for its violation) to consider any typing on a computer keyboard to be a form of “transmission” just because it transmits a command to the computer.
There is more here, however: the transmission of the secure-erasure program to the computer.
What the appeals court doesn't understand, I think, is that any company laptop really should have a secure delete application, so that confidential materials can't fall into the wrong hands. Stuff should be routinely encrypted too, I believe, because it's just too easy to leave a laptop in a cab or on a plane.
But my point is this: You can see that if the court had to accept all those facts it lists as true, it would tilt against Mr. Citrin. And so it does, as you can see here:
Citrin violated that subsection too. For his authorization to access the laptop terminated when, having already engaged in misconduct and decided to quit IAC in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee.
If a court of appeals had heard a disputed motion to dismiss in the SCO v. IBM case, imagine all the mistakes it would inevitably have to make, since the complaint is chock full of what I believe are inaccurate facts that the court, at that stage, would have to accept as true for the purposes of the appeal.
But that doesn't hold for the actual trial, where the jury will decide based not on the appeal of this one issue about "transmission" under CFAA, but on the facts of the case as they see them.
So the case goes back to Judge Andersen and they'll have to go the entire discovery/trial route before we will know the ultimate outcome. That leaves on the table the rather horrifying ruling that deleting files can be a violation of CFAA. Of course, that was true before, if you read the words of the statute. It's true of the Illinois statute too. But the circumstances of a case matter in any determination. What it will turn on is whether he was deleting his own materials, in accord with the agreement which said he was to return or destroy materials on the laptop. He'll argue at trial, no doubt, that he merely opted to delete as per the agreement. A lot will depend on whether he knew when deleting the materials that IAC had no other copies or whether he thought he was just removing his own materials in contemplation of leaving the company. I note that the Amended Complaint doesn't give an exact date for when the termination happened or when all the activities, such as the deleting, happened, so that's another issue. If he deleted while still employed, for example, then IAC can't accuse him of unauthorized access. But if he quit and then later deleted (and if the agreement to destroy or return materials doesn't cover his activities), then they presumably can argue that he had no right to access the laptop at all. Posner seemed to think that way, but that doesn't mean a jury will so find. Here's what Posner wrote on that theme:
Citrin violated that subsection too. For his authorization to access the laptop terminated when, having already engaged in misconduct and decided to quit IAC in violation of his employment contract, he resolved to destroy files that incriminated himself and other files that were also the property of his employer, in violation of the duty of loyalty that agency law imposes on an employee. United States v. Galindo, 871 F.2d 99, 101 (9th Cir. 1989); Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121, 1124-25 (W.D. Wash. 2000); see Restatement (Second) of Agency §§ 112, 387 (1958).
Muddying the picture some, the Computer Fraud and Abuse Act distinguishes between “without authorization” and “exceeding authorized access,” 18 U.S.C. §§ 1030(a)(1), (2), (4), and, while making both punishable, defines the latter as “access[ing] a computer with authorization and . . . us[ing] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” § 1030(e)(6). That might seem the more apt description of what Citrin did.
The difference between “without authorization” and “exceeding authorized access” is paper thin, see Pacific Aerospace & Electronics, Inc. v. Taylor, 295 F. Supp. 2d 1188, 1196-97 (E.D. Wash. 2003), but not quite invisible. In EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 583-84 (1st Cir. 2001), for example, the former employee of a travel agent, in violation of his confidentiality agreement with his former employer, used confidential information that he had obtained as an employee to create a program that enabled his new travel company to obtain information from his former employer’s website that he could not have obtained as efficiently without the use of that confidential information. The website was open to the public, so he was authorized to use it, but he exceeded his authorization by using confidential information to obtain better access than other members of the public.
Our case is different. Citrin’s breach of his duty of loyalty terminated his agency relationship (more precisely, terminated any rights he might have claimed as IAC’s agent—he could not by unilaterally terminating any duties he owed his principal gain an advantage!) and with it his authority to access the laptop, because the only basis of his authority had been that relationship. “Violating the duty of loyalty, or failing to disclose adverse interests, voids the agency relationship.” State v. DiGiulio, 835 P.2d 488, 492 (Ariz. App. 1992). “Unless otherwise agreed, the authority of the agent terminates if, without knowledge of the principal, he acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty to the principal.” Id.; Restatement, supra, § 112; see also Shurgard Storage Centers, Inc. v. Safeguard Self Storage, Inc., supra, 119 F. Supp. 2d at 1123, 1125;cf. Phansalkar v. Andersen Weinroth & Co., 344 F.3d 184, 20102 (2d Cir. 2003) (per curiam); Restatement, supra, § 409(1) and comment b and illustration 2.
Citrin points out that his employment contract authorized him to “return or destroy” data in the laptop when he ceased being employed by IAC (emphasis added). But it is unlikely, to say the least, that the provision was intended to authorize him to destroy data that he knew the company had no duplicates of and would have wanted to have—if only to nail Citrin for misconduct. The purpose of the provision may have been to avoid overloading the company with returned data of no further value, which the employee should simply have deleted. More likely the purpose was simply to remind Citrin that he was not to disseminate confidential data after he left the company’s employ—the provision authorizing him to return or destroy data in the laptop was limited to “Confidential” information. There may be a dispute over whether the incriminating files that Citrin destroyed contained “confidential” data, but that issue cannot be resolved on this appeal.
The judgment is reversed with directions to reinstate the suit, including the supplemental claims that the judge dismissed because he was dismissing IAC’s federal claim.
So, the appeals court puts the entire Amended Complaint back on the table, not just the CFAA federal claim. I told you if a court wants to find a way to get you, you're going to get got.
I know if I were on the jury, I'd find it hard to view such a program as a cracker tool, since I use the Mac OSX secure delete option every time I delete anything from trash. So, unlike Judge Posner, I just can't view it as an evil hacker tool, the way he does. However, if the guy deliberately destroyed the materials so as to prevent IAC from being able to compete, and the materials belonged to them and they had no other copy, obviously that isn't right either, and the wording of the CFAA then might well seem to cover what he did. But their other claims under state law are certainly sufficient to deal with that kind of behavior. What happened was, as I see it, a dance to keep it in federal court. That doesn't mean that in the end he'll be found guilty of violating the CFAA necessarily, but it does mean that anyone in the Seventh Circuit now can be, if the circumstances are right. That's the trouble with such laws, actually, when laws are written by nongeeks to try to control geeks, when no one devising the language knows where up is or how to write a law that can't be abused.
On the other hand, if you think about it in meat space terms, it's not so horrifying. If, for example, he had files belonging to the company, paper files, at his home, and instead of returning them either destroyed them or hid them and used them to get business for his new company even though the files consisted of his ex-employer's materials, is it hard to decide that it's wrong to behave that way? If you agree, then why not make it wrong to do the equivalent on a computer? It's not so black and white then, is it?
Anyway, I hope going through all this helps you to breathe a little more normally again, now that you see that the case isn't quite as simple as it sounded at first glance. Furthermore, decisions by the Court of Appeals for the Seventh Circuit apply to the seventh circuit, not the entire country. It is certainly possible that Mr. Citrin will further appeal this decision, for that matter. I know I would.
I hope you see why I'm so thrilled when I hear from readers that they have decided to attend law school. Another reader sent me just such an email last week, actually, and that makes 8 Groklaw members who have decided to become lawyers so far. (I just heard from a 9th, at Harvard Law School.) It really matters to have judges (and lawyers) who understand the tech and don't view computers as scary tools that can do unknown things as if by magic when commanded to by those skilled in black arts.