If you're a systems administrator working in the United States, a recent decision from 12 Texan jurors should give you a moment of pause before you next hit the delete key.

On Wednesday last week, a jury in the trial of 37-year-old Michael Thomas found him guilty of violating the Computer Fraud and Abuse Act, a verdict with a maximum sentence of 10 years in prison and up to $250,000 in restitution payments. But unlike the typical convictions under that controversial and vague computer hacking law, Thomas can hardly be called a hacker: He's accused of deleting a collection of his employer's files before leaving his job as a systems administrator at the auto dealership software firm ClickMotive in 2011. And critics of the CFAA say that Thomas's prosecution—and now conviction—reveal a dangerous facet of the law that allows an IT staffer to be charged with a felony for simply doing something that their employer deems to be "damaging."

As Thomas' lawyer Tor Ekeland has pointed out, Thomas wasn't charged with the usual CFAA violation of "unauthorized access" or "exceeding authorized access," but rather "unauthorized damages," an even murkier element of the law that acknowledges Thomas's job gave him full authorized access to ClickMotive's systems. Thomas's guilty verdict, argues Ekeland, is "dangerous for anyone working in the IT industry. If you get in a dispute with your employer, and you delete something even in the routine course of your work, you can be charged with a felony."

Prosecutors in the Eastern District of Texas, where Thomas was tried, called the case a victory. "The jury's verdict in this case sends an important message to IT professionals everywhere: an employee in the defendant's position holds the proverbial keys to the kingdom and with that power comes great responsibility," wrote U.S. Attorney Bales in a press statement. "Intentionally causing damage to a computer system without authorization is a criminal act that can and will be prosecuted."

The court should not be delegating the drafting of criminal law to the people who write employment contracts. Defense Attorney Aaron Williamson

Over Thomas's three-day trial, the prosecution presented evidence that Thomas intentionally harmed ClickMotive by combing through executives' email, tampering with the network's error-alert system, and changing authentication settings that disabled the company's VPN for remote employees. He also deleted 615 backup files and some pages of an internal wiki. "When he did this act with the intent to mess with his company, that rose to the level of a criminal act," says assistant U.S. attorney Camelia Lopez, one of the prosecutors in the case. "It wasn't accidental…and it was beyond the scope of normal practices and procedures."

ClickMotive, which was later acquired by the larger auto dealership software firm DealerTrack, claims that those changes caused $140,000 in damages as they struggled to determine the extent of Thomas's tampering. And under the CFAA, any damages above $5,000 constitute a felony. "The fact that [Thomas] let this fire burn is the reason we pursued the case," says Lopez.