Last week, a federal judge sentenced Yijia Zhang, a computer systems manager, to 31 months in federal prison for transferring thousands of his employer’s electronic files to European storage sites.  The case highlights the potential power of an overlooked clause of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.

The prosecution was under the “Unauthorized Damage to a Protected Computer” clause of the CFAA, which creates criminal liability for “[w]hoever. . . knowingly causes the transmission of. . . information. . .and as a result. . . intentionally causes damage without authorization, to a protected computer.” 18 U.S.C. § 1030(a)(5)(A) (emphasis added).

In a press release, the U.S. Attorney’s office admitted[1] that it did not have some of the evidence one might expect in a CFAA case.  There was “no evidence that the files had been passed to anyone else,” no evidence “that any of the information had been used to harm the company,” and “no customer information was taken.”  There was, however, evidence of damage to the company’s servers.  When Mr. Zhang allegedly deleted files from a server to cover up his transfer, he “caused the server to stop working and its log files to be overwritten.”

Charging Mr. Zhang for “Damage to a Protected Computer” is a departure from the more widely used CFAA clauses under which the prosecution must prove the employee “knowingly accessed a computer without authorization” or exceeded “authorized access.”  18 U.S.C. § 1030 (a)(1), (a)(2).  As we have reported,[2] it has become harder for prosecutors to prevail in such cases when employers gave employees access to the data.  As those cases get harder to make, you can expect more cases like U.S v. Zhang.

[1] http://www.justice.gov/usao-edpa/pr/judge-sentences-defendant-violation-computer-fraud-and-abuse-act

[2] https://www.dataprivacyandsecurityinsider.com/2015/12/computer-fraud-and-abuse-act-update-second-circuit-sides-with-a-narrower-reading-2/