U.S. Fifth Circuit - The FindLaw 5th Circuit Court of Appeals Opinion Summaries Blog

Court Upholds Conviction of Angry IT Guy for Damaging Computer System

Everybody knows that the IT guy can make or break a computer system.

Everybody also knows he's not supposed to break it on purpose. Michael Thomas, however, apparently didn't get that memo.

Thomas, chief technology officer for a software company, said he had permission to damage the system. In United States of America v. Thomas, the jury and the courts said, "uh, no."

Electronic Time Bomb

Thomas was working for ClickMotive, a software and web hosting company, when he found out a coworker had been fired. Upset over it, he deleted more than 600 files, disabled backup operations, diverted executive emails to his personal account, and planted an "electronic time bomb."

He set the bomb to prevent employees from remotely accessing the company's network after he resigned. Sure enough, it blew up and the company spent more than $130,000 cleaning up the mess.

A jury convicted him of "knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer" under 18 U.S.C. Section 1030(a)(5)(A).

Thomas appealed, arguing that he was "authorized" to delete files and thus "damage" the system. The U.S. Fifth Circuit Court of Appeals rejected the argument.

"Without Authorization"

The appeals court said his reading of "authorization" was contrary to the statutory language and the legislature's intent: "We conclude that Section 1030(a)(5)(A) prohibits intentionally damaging a computer system when there was no permission to engage in that particular act of damage."

The judges also said it was inconceivable that a company would authorize any employee to blow up its computer system.

"No reasonable employee could think he had permission to stop the system from providing backups, or to delete files outside the normal protocols, or to falsify contact information in a notification system, or to set a process in motion that would prevent users from remotely accessing the network," the panel said.

Related Resources: