The U.S. Fifth Circuit recently affirmed a trial court’s verdict that a former bank officer violated the Computer Fraud and Abuse Act (CFAA) when he mass deleted thousand of files from his work computer shortly before departing. Iberiabank v. Broussard, Case No. 17-30662 (5th Cir. 10/25/2018).
Background. In early 2013, IberiaBank announced a merger with a smaller regional bank, Teche Federal Bank of New Iberia. Several months later, after the merger was complete, IberiaBank discovered that a former senior Teche bank officer deleted thousands of computer files in the lead-up to the merger. At the time, the bank officer was pursuing employment with an IberiaBank competitor for himself and several other bankers whom he supervised, a scheme that IberiaBank later pieced together with the help of forensics on the bankers’ computers.
Trial Court Decision. IberiaBank brought suit against the bank officer, claiming that he violated the CFAA by unlawfully deleting data from Teche and IberiaBank servers and bringing state law claims based on fiduciary duty breaches and trade secret theft. On the CFAA claim, the trial court found that the bank officer violated the CFAA because he lacked authority to delete files from the bank’s network drives and caused damages that exceeded the CFAA-threshold of $5,000.
Fifth Circuit Decision. The Fifth Circuit affirmed the trial court’s decision, applying Section 1030(a)(5)(A) of CFAA that, according to the Fifth Circuit, “prohibits intentionally damaging a computer system when there was no permission to engage in that particular act of damage.” The Fifth Circuit held that a mass deletion of data can legally qualify as “damaging a computer system” and emphasized that the question of authorization is a factual one, best left for the trial court to decide. Because there was sufficient evidence to support the trial court’s decision and the law was correctly applied, the Fifth Circuit left the trial court’s decision intact.
* Jones Walker, LLP represented IberiaBank at trial and on appeal.