As I noted in a relatively recent post, restitution is compensation a convicted offender pays to his/her victim, after being ordered to do so by a court. As I also noted in that post, unlike civil damages, restitution is considered to be punitive, i.e., is part of the sanctions imposed on one who has been convicted of a crime. If you want to read a little more about restitution in general, check out that post.
This post is about a recent decision from the Court of Appeals for the 1st Circuit in which the court addressed the propriety of a restitution order entered by a court in a federal case involving computer crime. More precisely, the case involved a prosecution brought under the general federal computer crime statute: 18 U.S. Code § 1030.
Since the conduct that gave rise to the charges occurred in 2006 and 2007, the prosecution was brought under the version of the statute as it existed before it was revised in September 2008. The link above takes you to that version. If you want to see the current version of 18 U.S. Code § 1030, you can find it here.
The defendant in the case is Francis Janosko and here, according to the statement of facts in the brief he filed on appeal, is how it arose and what it involved:
Janosko, a pretrial detainee being held on state charges at the Plymouth County Correctional Facility (`PCCF’), had access to a computer at PCCF that carried a legal research program. This legal research program was made available to inmates at PCCF, but the computers were intended to give inmates access to the research program only. Inmates were not given access to the internet, electronic mail, or other similar programs.
Janosko availed himself of the prison computer and managed to penetrate its firewall. In so doing, he gained at least limited internet access and access to other databases on PCCF's computer system. This included a file that contained personal data about a number of PCCF employees and job applicants.
At the guilty plea hearing government counsel stated that:
`[O]ne of [the things Janosko did] was to access a report that was on the computer system that had the names, dates of birth, Social Security numbers, addresses, home addresses, telephone numbers and past employment history of over 1100 current and former Plymouth County Correctional Facility employees, including guards, and applicants as well.’
Regarding the personal information Janosko accessed, the government proffered that:
`[T]here is no evidence Janosko used the employee and applicant information to harm anyone. The people whose names were listed in the report were notified, any suspicions of identity theft were investigated and looked into to see if they could be traced to Janosko, and there was not evidence of any such theft, there were no reports of any threats that were made to any of the people who were on that.’
Government counsel did not proffer that Janosko moved this file to an insecure portion of the computer system where it might be viewed by other inmates or otherwise shared this personal information with other inmates, and Janosko did not admit at his plea hearing that he shared or disseminated this personal information. The damage to PCCF's computers included Janosko's alteration of a computer password and his attempts to turn off a firewall on Internet Explorer and to change permissions on the domain controller.
Brief for Appellant, U.S. v. Janosko, 2010 WL 3298928 (2010).
According to the 1st Circuit’s opinion, Janosko was indicted and pled guilty to “causing damage to a protected computer, 18 U.S. Code § 1030(a)(5)(A)(i), thereby causing loss to one or more persons, § 1030(a)(5)(B)(i) and damage affecting a computer system used in the administration of justice, § 1030(a)(5)(B)(v).” U.S. v. Janosko, __ F.3d __, 2011 WL 1366436 (1st Cir. 2011).
His plea agreement
left any amount of restitution to be determined by the court, which awarded the county $4,309 for the cost of purchasing elements of the system needed to replace those damaged by Janosko and retained as evidence, and $6,600 for the cost of monitoring credit records of the individuals who suffered the privacy violations and consequent risk of identity theft.
U.S. v. Janosko, supra.
At sentencing, Janosko “objected to the order to reimburse for the credit enquiries, arguing that they did not proximately result from the acts of damaging the computer and computer system.” U.S. v. Janosko, supra. On appeal, he added “the further objection that the government failed to show that the credit checks were made close enough in time to the destructive conduct to qualify for restitution.” U.S. v. Janosko, supra.
The 1st Circuit began its analysis of Janosko’s arguments by noting that he was “entirely correct that the cost of the credit monitoring is not what the statute defining the crimes calls `damage . . . to a protected computer,’ § 1030(a)(5)(A)(i), or `damage affecting a computer system,’ § 1030(a)(5)(B)(v).” U.S. v. Janosko, supra. Section (e) of § 1030 defines terms used in the statute. Section 1030(e) defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information”. In agreeing with Janosko on this point, the 1st Circuit was accepting his argument that the “dissemination of information accessed does not constitute `damage’ under” § 1030. U.S. v. Janosko, supra; Brief for Appellant, U.S. v. Janosko, supra.
But the Court of Appeals also pointed out that Janosko “pleaded guilty not only to causing such `damage’ but also to causing `loss’ by his damaging conduct, § 1030(a)(5)(B)(i).” U.S. v. Janosko, supra. Section 1030(e)(11) defines “loss” as
any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service. . . .
After quoting that definition, the 1st Circuit explained that by
thus exemplifying `loss’ as an element of one of the offenses charged against Janosko, a `reasonable cost . . . of responding’ goes hand in hand with the terms of the restitution statute. The Mandatory Victims Restitution Act mandates restitution to the victim (here, without dispute, at least the county) `in any case . . . [for] expenses incurred during . . . the investigation or prosecution of the offense.’ 18 U.S. Code § 3663A(b)(4).
While `expenses’ qualifying for restitution are not unlimited, like the notion of response under § 1030(e)(11), they will pass muster if they would not have been incurred in the absence of the offense, . . . were `not too attenuated’ in fact or time from the crime, . . . and were reasonably foreseeable. . . . The cost of the credit check qualified under these criteria as a reasonable expense, cost of response, and thus compensable loss.
U.S. v. Janosko, supra (citations omitted).
The 1st Circuit elaborated a bit as to why this result was correct:
It should go without saying that an employer whose personnel records have been exposed to potential identity thieves responds reasonably when it makes enquiry to see whether its employees have been defrauded. This act of responsibility is foreseeable to the same degree that indifference to employees' potential victimization would be reproachable.
It is true, of course, that once they were told of the security breach, the individual employees and former workers involved in this case could themselves have made credit enquiries to uncover any fraud, but this in no way diminishes the reasonableness of the Facility's investigation prompted by the risk that its security failure created. And quite aside from decency to its workers, any employer would reasonably wish to know the full extent of criminality when reporting the facts to law enforcement authorities.
U.S. v. Janosko, supra.
Finally, the Court of Appeals addressed – and rejected – Janosko’s second argument as to why the order of restitution was improper:
Nor do we see anything helpful to Janosko in his argument that the government failed to present evidence that the credit check was reasonably timely, as [U.S. v. Vaknin, 112 F.3d 579 (1st Cir. 1997)] held it must be. It is quite true that the prosecution ignored this point when the court was considering restitution, but so did Janosko, who apparently never raised an issue of timeliness until filing the brief in this Court. . . .
[W]e think that any enquiry into the credit records prior to negotiation of the plea in this case would have been timely for at least one purpose. Regardless whether the employees were `victims’ under the statute and thus entitled to mandatory restitution, see § 3663A(a)(2) (defining `victim’ as `a person directly and proximately harmed’) . . . , a plea agreement may provide for restitution to anyone harmed even if not technically a victim, [18 U.S. Code § 3663A(a)(3)]. An employer-victim contemplating the resolution of a charge like the one here could be expected to press the prosecutor to demand any terms that would be necessary to make the members of the employer's workforce whole, and a credit check even up to the moment of a plea agreement would therefore be timely.
U.S. v. Janosko, supra. The court therefore affirmed the order of restitution. U.S. v. Janosko, supra.