For HR professionals and employment lawyers, the following is not an uncommon scenario—employee uses personal smart phone for business purposes at employer; employer terminates employee; employer then remotely wipes all data (including personal data) from employee’s phone; employee complains, alleging that employer was not authorized to delete the data. But does this scenario rise to the level of a violation of the Computer Fraud and Abuse Act (“CFAA”)? In Rajaee v. Design Tech Homes (Civil Action No. H-13-2517), the United States District Court for the Southern District of Texas answered that question “no.”
There, the Plaintiff, Saman Rajaee, had used his personal iPhone to connect to Design Tech Home’s Microsoft Exchange Server, allowing him to remotely access his work email, contact manager, and calendar. Shortly after his termination, Design Tech Homes remotely wiped Rajaee’s iPhone, restoring its factory settings and deleting the device’s data—including all personal data.
Rajaee, in turn, sued Design Tech Homes, alleging that the remote wipe was not authorized by an agreement or company policy and, consequently, violated the CFAA. The damages Rajaee purported to have suffered were not insignificant: (1) $50,000 in the lost value to a home remodel project resulting from the deletion of pictures of the project; (2) $50,000 due to diminished employability resulting from deletion of contacts generated after 2009; (3) $3,500 in lost family and personal photos; (4) $1,000 worth of deleted text messages; and (5) $600 in missing notes and email accounts. Unfortunately for Rajaee, these were not the right kind of damages for a CFAA claim.
Design Tech Homes sought summary judgment arguing, among other things, that Rajaee’s purported damages do not qualify as a “loss” cognizable under the CFAA. The Court agreed. The Court noted that “[t]he term ‘loss’ encompasses two types of harm: costs to investigate and respond to an offense, and costs incurred because of a service interruption.” Because Rajaee’s alleged damages did not fall into either category of harm, the Court found he did not suffer a “loss” sufficient to meet the $5,000 threshold under the CFAA. As a result, the Court granted summary judgment dismissing that claim.
Given the difficulty of CFAA claims, the Court’s decision is not unexpected. But did the Court get it right? Is the definition of loss used by the Court consistent with the text of the CFAA? For the viability of a CFAA claim, should it matter whether the employer had a BYOD (Bring Your Own Device) policy?