“Upset that a coworker had been fired, Thomas[, a network administrator,] embarked on a weekend campaign of electronic sabotage.” He was successfully prosecuted under the Computer Fraud and Abuse Act, which criminalizes conduct that “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.” Thomas, citing his network administration responsibilities, argued that “because he was authorized to damage the computer when engaging in [certain] routine tasks, any damage he caused while an employee was not ‘without authorization.’” The Fifth Circuit rejected this argument, noting – in addition to obvious practical issues – that the case law Thomas relied on about “authorization” involved liability under other CFAA provisions about computer access, rather than this provision about causing damage. This case is of general interest to civil litigation, both because CFAA violations can create civil liability, and because unfortunate admissions can have significant consequences:
Just a couple weeks after the damage spree, and before the FBI had contacted Thomas, he told the friend whose firing had set this in motion that “he thought he might have broken the law.” Which law, the friend inquired? Thomas’s response: “the Computer Fraud and Abuse Act.”
United States v. Thomas, No. 16-41264 (Dec. 11, 2017).