Texas wants to charge systems admins with hacking

US court in Texas

Systems administrators in Texas could suddenly find themselves locked up if case law accepts a recent decision by 12 Texas jurors.

Sys admin Michael Thomas, 37, was found guilty under the Computer Fraud and Abuse Act, a verdict with a maximum sentence of 10 years in prison and up to $250,000 in restitution. What the court heard, though, was that Thomas had deleted files before leaving his job at the auto dealership software firm ClickMotive in 2011.

According to Wired, the prosecution presented evidence that Thomas intentionally harmed ClickMotive by combing through executives’ email, tampering with the network’s error-alert system, and changing authentication settings that disabled the company’s VPN for remote employees. He also deleted 615 backup files and some pages of an internal wiki.

However, as Thomas’s lawyer Tor Ekeland has pointed out, that was Thomas’s job. He added that Thomas wasn’t charged with the usual CFAA violation of “unauthorized access” or “exceeding authorized access,” but rather “unauthorised damages.” Ekeland said that the law is “dangerous for anyone working in the IT industry. If you get in a dispute with your employer, and you delete something even in the routine course of your work, you can be charged with a felony.”

ClickMotive, which was later acquired by the larger auto dealership software firm DealerTrack, claims that those changes caused $140,000 in damages as they struggled to determine the extent of Thomas’s tampering.

The prosecutor claimed that Thomas wanted to harm ClickMotive as revenge after two of his fellow IT staffers were laid off. However, as his defense pointed out, he seems to have at least stopped far short of maximizing the amount of damage he could do.

Thomas went into the company’s offices the weekend before he quit—just days after those layoffs—to help defend the company against a denial-of-service attack on its website and to repair a cascading power outage problem.

Those 615 backup files he deleted were all replicated elsewhere on the network. “There was not a single communication produced at trial, a single written document that showed he wasn’t authorized to do what he did,” claimed Ekeland.

“All it took was your boss to say ‘that wasn’t authorized,’ you violated an unwritten policy, and bang, you’re hit with a felony.”

Electronic Frontier Foundation attorney Nate Cardozo points to the prosecution as a dangerous use of the law, and one that should have been settled with a civil lawsuit.

Thomas’s defence team says they plan to ask the judge in the trial to overrule the jury under a Rule 29 motion, and if that fails, to seek an appeal.