This post is a follow-up to a post I did last October: The Computer Science Student, Authorization and the University. It examined the opinion in which the U.S. District Court Judge who was assigned the prosecution of Daniel Stratman for violating the Computer Fraud and Abuse Act (CFAA) rejected his motion to dismiss two of the counts against him. U.S. v. Stratman, 2013 WL 5676874 (U.S. District Court for the Northern District of Nebraska 2013) (“U.S. v. Stratman #1”).
The counts charged Stratman with violating 18 U.S. Code § 1030(a)(5)(A), which makes it a federal crime to knowingly cause transmission of a program, code or command and thereby cause damage to a protected computer. U.S. v. Stratman #1, supra. The judge denied the motion to dismiss because authorization and access are not elements of the 18 U.S. Code § 1030(a)(5)(A) crime. U.S. v. Stratman #1, supra. You can read more about the facts in the case here.
That brings us to the opinion the judge recently issued in the same case. He begins by explaining that the case was before him with regard to the
loss calculation for purposes of sentencing. [Stratman] pleaded guilty to one count of violating . . . 18 U.S. Code § 1030(a)(5)(A) . . . based on an intrusion into a protected computer system or systems that began in approximately May 2012. As directed by the Court . . ., the parties submitted a statement of uncontroverted facts . . . and a hearing was held at which evidence was adduced and submitted of losses allegedly incurred by the two primary victims in this case: the University of Nebraska and the Nebraska State College System.
U.S. v. Stratman, 2014 WL 3109805 (U.S. District Court for the District of Nebraska 2014) (“U.S. v. Stratman, #2”). You can read about how Stratman came to plead guilty here.
The judge explained that the loss calculation at issue in this case has
two primary purposes. First, in determining the offense conduct, the offense level is increased based on the amount of the loss. U.S.S.G. § 2B1.1(b)(1). Second, in the case of an identifiable victim, the Court shall enter a restitution order for the full amount of the victim's loss. U.S.S.G. § 5E1.1; see also 18 U.S.C. § 3663A(a)(1) and (c)(1)(B). The Court recognizes that although the gross amounts of loss for sentencing purposes and loss for restitution purposes are often calculated in the same manner, the two determinations serve different purposes and thus may differ depending on the relevant facts. U.S. v. Lange, 592 F.3d 902 (U.S. Court of Appeals for the 8th Circuit 2010). But as will be explained below, the Court finds that the loss that has been proven in this case is the same for both purposes.
U.S. v. Stratman, #2, supra. The “U.S.S.G.” references are to provisions of the U.S. Sentencing Guidelines, which control sentencing in the federal criminal justice system. And 18 U.S. Code § 3663A is the federal statute that addresses mandatory restitution to victims of federal crimes. The document you can find here explains the purpose of and the process of imposing mandatory restitution in federal criminal cases.
The judge goes on to explain that the burden is on the
government to prove the factual basis for a sentencing enhancement by a preponderance of the evidence. U.S. v. Peroceski, 520 F.3d 886 (U.S. Court of Appeals for the 8th Circuit 2008). For purposes of [U.S.S.G.] § 2B1.1(b), loss is calculated as the greater of the actual or intended loss. Actual loss is defined as the ‘reasonably foreseeable pecuniary harm that resulted from the offense.’ § 2B1.1 cmt. n. 3(A)(i). And ‘reasonably foreseeable pecuniary harm’ is further defined as that harm the defendant knew, or under the circumstances, reasonably should have known, was a potential result of the offense. Id. cmt. n. 3(A)(iv). Intended loss, by comparison, includes any ‘pecuniary harm that was intended to result from the offense,’ including harm that was ‘impossible or unlikely to occur.’ Id. cmt. n. 3(A)(ii). Ultimately, this Court needs to make a ‘reasonable estimate of the loss.’ Id. cmt. n. 3(C); U.S. v. Rice, 699 F.3d 1043 (U.S. Court of Appeals for the 8th Circuit 2012).
The government also has the burden to demonstrate the amount of loss for purposes of restitution by a preponderance of the evidence. 18 U.S. Code § 3664(e). Restitution is compensatory, not punitive, and in a fraud case, it is limited to the actual loss directly caused by the defendant's criminal conduct in the course of the scheme alleged in the indictment. U.S. v. Chaika, 695 F.3d 741 (U.S. Court of Appeals for the 8th Circuit 2012). The amount of restitution cannot exceed the actual, provable loss realized by the victims. U.S. v. Martinez, 690 F.3d 1083 (U.S. Court of Appeals for the 8th Circuit 2012). Restitution may only be awarded for the loss caused by the specific conduct that is the basis of the offense of the conviction. U.S. v. DeRosier, 501 F.3d 888 (U.S. Court of Appeals for the 8th Circuit 2007). And the causal connection between the defendant's acts and the victim's losses must not be unreasonably extended. U.S. v. Spencer, 700 F.3d 317 (U.S. Court of Appeals for the 8th Circuit 2012).
But for violations of the CFAA, the victim's ‘loss’ may include ‘any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service[.]’ 18 U.S. Code § 1030(e)(11).
U.S. v. Stratman, #2, supra.
He then took up the issues in this case, explaining the losses at issue involve the
costs of investigating [Stratman’s] intrusion into the victims' computer systems. There is . . . no evidence the victims incurred meaningful costs repairing damage to their systems. Instead, the evidence relates to the substantial time and expense that the victims incurred investigating the breach after it was discovered, and in attempting to ascertain the scope of their exposure.
The bulk of the costs are in four categories: hours worked by University information technology (IT) department workers in response to the breach; similar hours worked by State Colleges IT workers; the cost of investigative services provided by Fishnet Services, Inc., a third-party IT consultant hired by the University; and the cost of investigative services provided by Kroll Advisory Solutions, a third-party consultant hired by the State Colleges' insurance company.
U.S. v. Stratman, #2, supra (emphasis in the original).
The judge also noted that the costs incurred
must be reasonable. . . . The CFAA defines ‘loss’ in terms of ‘reasonable cost,’ and it cannot be said that unreasonable expenses are either caused by the offense of conviction for purposes of restitution . . . or reasonably foreseeable within the meaning of § 2B1.1. The Court agrees with [Stratman] that part of the government's burden of proving loss for purposes of sentencing and restitution is showing that the costs incurred by the victims were reasonably incurred.
U.S. v. Stratman, #2, supra (emphasis in the original).
The judge then began his analysis of the costs at issue in this case with the easy part: [Stratman] has not
objected to the University's Fishnet bills, with the exception of some reservations about whether some of those bills involved double counting. The Court has reviewed Fishnet's invoices (Exhibits 13 to 19) carefully and found that each line item was unique, and that the total matched that represented by the University in Exhibit 7. The Court therefore finds the Fishnet bills represent losses for purposes of sentencing and restitution, totaling $107,722.58.
U.S. v. Stratman, #2, supra.
He then explained, however, that the
same cannot be said of the Kroll invoices. The government's witnesses -- primarily University employees -- were clear about why Fishnet was hired and what Fishnet's services eventually produced for the University. Kroll was initially retained to help the State Colleges, but soon they and their insurer agreed to share the Fishnet forensic analysis with the University. The lion's share of Kroll's billing -- over $308,000 . . . -- is attributed to notification services, i.e., informing people whose personal information might have been compromised. But the Court cannot determine why that was so expensive for the State Colleges, or how it was determined that approximately 185,000 people needed to be notified.
The government has provided affidavits from two Kroll employees, and one employee of the insurer that hired Kroll, which generally describe the contents of Kroll's invoices and conclude that the services and expenses were fair and reasonable. But the Court does not find those conclusory opinions persuasive.
Kroll's forensic analysis (which was presumably cut short when Fishnet became the primary investigator) essentially concludes there was no evidence of exfiltration or access to personal information from the PeopleSoft database, but it was hard to be sure. See Exhibit 28. The only apparent source for the number of people to be notified, 185,000+, is also in Exhibit 28 -- an ‘audit’ that was conducted by Kroll ‘to re-mail any records that mailed in error.’ (Whatever that means.) The import of the audit, as the Court understands it after puzzling over it for a bit, seems to be that some of the 185,000+ client records were duplicated, and only 117,845 were actually unique.
So in Exhibit 31, Kroll's employee witness talks about Kroll's services including ‘the facilitation of mailing letters to each of approximately 185,000 potential victims of the breach,’ but the only substantiation in the record for that number is an audit that contradicts it. In sum, the Court is left with considerable uncertainty about how many people the State Colleges actually needed to notify, how many actually were notified, and how the costs for doing so were determined. Given that uncertainty, the Court finds that the reasonability of those expenses has not been proven.
U.S. v. Stratman, #2, supra.
He had “similar questions” about the employee hours devoted to the intrusion by employees of the
University and the State Colleges. No doubt an appropriate response was necessary -- and in the immediate wake of the breach, ‘all hands on deck’ might well have been warranted. But at some point, after [Stratman] was locked out (and quickly indicted), the actual depth of the intrusion would have been clear, and an all-out effort would no longer have been necessary. . . .
The record . . . does not permit the Court to determine what the victims knew and when they knew it, nor does it permit the Court to compare the victims' knowledge with the intensity of their ongoing efforts related to the breach. The record also contains very little from which the Court could determine the victims' employees performed with reasonable efficiency and were compensated at a reasonable rate. The victims' calculations for costs attributed to employee hours consist of the time spent on tasks associated with the breach, multiplied by that employee's hourly wage.
But, for instance, if the Court was awarding attorney fees, the Court would have to ask what tasks were performed, whether the number of hours spent on each task was appropriate, and whether the attorney's billing rate for performing the task was fair and reasonable. The Court does not see why similar questions should not be asked under these circumstances -- and . . . cannot find the answer in the record.
U.S. v. Stratman, #2, supra.
The judge also pointed out that it “is also not entirely clear” whether
all those hours are attributable to the defendant for purposes of sentencing and restitution. For instance, the University's former information security officer testified that some of that time was spent implementing recommendations from the Fishnet report, and ‘cleaning up some of the incidents.’ He did testify that all the activities reflected in the government's evidence were ‘related to’ [Stratman’s] intrusion. But that may or may not be the same as ‘caused by’ [his] intrusion.
A simple example will illustrate the point. A homeowner has a broken lock on her front door. A thief finds out and uses the vulnerability to enter the home and steal property. The losses from that crime include the value of the stolen property. They might even include investigating the crime. But they would not include repairing the lock, which was broken before the thief ever came along. The repair might be ‘related to’ the theft, because the theft called attention to the vulnerability. But the thief didn't break the lock, and wouldn't have to pay to fix it.
U.S. v. Stratman, #2, supra (emphasis in the original).
He went on to explain that, “[s]imilarly,” the victims in this case
no doubt learned, from [Stratman’s] intrusion, about vulnerabilities in their computer systems. But [he] is not responsible for creating those vulnerabilities, and isn't liable for the cost of fixing them—or, more to the point, those costs are not the result of the offense of conviction. It is hard for the Court to conclude, on the evidence presented, that over 3,600 hours of employee time was a foreseeable consequence of the crime.
And from the evidence presented, the Court cannot parse out how much time the victims' employees spent securing the system from [Stratman] specifically, and how much time they spent addressing the vulnerabilities he had called to their attention. The victims' exhibits reflect dozens of employees spending thousands of hours on tasks that are mostly unclear from the record. The only evidence to connect most of those hours to [Stratman] is that they were recorded with a project billing code that was created in response to the breach, and that the employees were verbally instructed to use for ‘anything related’ to [his] intrusion.
For instance, one of the government's primary witnesses -- the University's former information security officer -- was listed in the government's exhibits as having spent 351 hours on the project initiated by [Stratman’s] breach. But he was unable to say specifically how long he continued to log time on the project, other than that his ‘best guess’ was that he was working on the project through October.
And there is even less evidence with respect to other employees and how they were spending their time -- the summaries provided by the victims, and adduced by the government, simply total the hours worked by each employee between May 20, 2012, and June 4, 2013. The breach was detected by the University on May 23–24, 2012, and even if the Court was willing to presume the hours spent on the project in the immediate wake of the breach were sufficiently connected to [Stratman’s] crime . . ., there is no way for the Court to determine . . . how many hours were worked during that timeframe. That, the Court finds, is insufficient evidence to prove which hours represent losses that can be causally connected to [his] crime for purposes of sentencing and restitution. The Court has no basis to estimate, or even guess, at how many hours would be attributable to the defendant—any attempt to pick a number would be unsatisfactorily arbitrary.
Finally, there is some evidence of other expenses -- for example, the EnCase forensic analysis tool the University purchased to help investigate the breach. While the Court has no particular reason to doubt those expenses, there is also little to establish that they were reasonable or necessary. It is also unclear whether the victims' purchases are of ongoing utility to them, which would preclude characterizing the entirety of those costs as ‘losses’ for purposes of sentencing and restitution.
U.S. v. Stratman, #2, supra (emphasis in the original).
He concluded the opinion by summing up his findings and conclusions:
[T]he Court finds that except for the Fishnet invoices, the evidence is not sufficient to prove the victims' costs were ‘losses’ for purposes of sentencing and restitution. The Court also finds that inquiring further into restitution would . . . prolong the sentencing process to a degree that the need to provide restitution is outweighed by the burden on the sentencing process. See, 18 U.S.C. § 3663A(c)(3)(B); U.S. v. Martinez, supra. The Court therefore exercises its discretion pursuant to § 3663A(c)(3)(B) and declines to award further restitution.
The Court's experience with this case convinces it . . . that the issues presented by loss calculation have already complicated and prolonged the sentencing process. Were it not for the unavoidable need to make some reasonable approximation of the loss for purposes of the Sentencing Guidelines, the Court would not have ventured as far into the weeds as it already has.
But at this point, [Stratman’s] sentencing has been repeatedly continued at the request of the parties, the sentencing schedule has been repeatedly rescheduled at the request of the parties (and is about to be again on the Court's own motion), and the parties have been required to participate in a discovery process unusual for a criminal sentencing. The Court is convinced the record as it stands is as much as can be expected from a criminal case, and that the complex issues of fact discussed above are too complicated to warrant further delay. See U.S. v. Martinez, supra.
U.S. v. Stratman, #2, supra.
The judge therefore held that “based on the evidence before the Court, the appropriate loss calculation figure, for purposes of sentencing and restitution, is $107,722.58.” U.S. v. Stratman, #2, supra.