I have written before about employees going ballistic on their bosses' computer systems and the risks employers face in these situations. A recent case out of a federal court in Illinois (Wong & Assoc. v. Nichols, No. 07C6277, Jan. 16, 2008) discusses the application of a federal legal remedy, the Computer Fraud and Abuse Act, or CFAA, that can be applied in both a criminal (read that as U.S. Attorney, federal judge, federal prison type of situation) and a civil one, where you merely get sued for money damages. However, the statute has some fairly specific requirements that have to be shown before bringing down the wrath of the federal government on one of your employees for misconduct.
In this case, the employer brought a CFAA action against a former employee who walked out with confidential company information that he had taken off the company's computer system. That's all he did -- copied information down and left. He didn't try to hide his theft by wiping his hard drive, stealing a computer system, or any other nefarious act.
In tossing out the CFAA cause of action, the court noted that the statute requires both that there be "damage" to the computer system (defined as impairment to the integrity or availability of data, a program, a system or information) and "loss" (defined as any reasonable costs to the victim incurred in responding to an offense, or suffered as a result of the interruption of service). The court said that simply taking the data, without damaging the computer system and causing lost revenue as a result, was not a violation of the CFAA and dimissed the case.
My experience is that cyber thieves are normally not content to simply copy data out of their systems for their own purposes. Typically, they try to hide it by deleting files, erasing drives, or removing pieces of hardware. Under these circumstances, which are similar to the case mentioned in an earlier post here, the CFAA undoubtedly applies as long as the employer can show some cost of repair or restoration