After a jury convicted Robert Steele on “fourteen counts of
unauthorized access of a protected computer under the Computer Fraud and Abuse Act (`CFAA’), 18 U.S. Code § 1030”, he appealed. U.S. v. Steele, 2014 WL 7331679 (U.S. Court of Appeals for the 4th Circuit 2014). You can read more about
the prosecution in the news story you can find here.
The Court of Appeals begins its analysis of his appeal by
explaining how the case arose:
In 2007, Platinum Solutions, Inc.,
hired Steele as its vice president for business development and backup systems
administrator. His duties gave him access to the company's server, which
allowed him to monitor email accounts and employee passwords. Three years after
Steele joined Platinum, the company was sold to SRA International, Inc. Steele
subsequently resigned and went to work for another company, which -- like
Platinum and SRA -- provided contract IT services to government defense
agencies.
During the next nine months, Steele
continued to log in to SRA's server via a `backdoor’ account he had used while
working for Platinum and SRA, and he proceeded to access and download documents
and emails related to SRA's ongoing contract bids. The FBI later determined
that Steele had accessed the server almost 80,000 times.
A grand jury indicted Steele on two
counts of wire fraud under 18 U.S. Code §§ 1343 and 1349, and fourteen
counts of unauthorized access of a protected computer under the Computer Fraud
and Abuse Act (`CFAA’), 18 U.S. Code § 1030. The district court granted a
judgment of acquittal on the wire fraud charges pursuant to Rule 29 of the Federal Rules of Criminal Procedure, but a jury convicted Steele on all of the
CFAA charges, consisting of two misdemeanor and twelve felony counts. Steele
received a prison sentence totaling 48 months, significantly less than the
recommendations under the U.S. Sentencing Guidelines Manual (`U.S.S.G.’).
In addition, the district court ordered him to pay $50,000 in fines, $1,200 in
fees, and $335,977.68 in restitution.
U.S. v. Steele, supra.
In his appeal, Steele made four arguments, the first of
which was that “the evidence was insufficient to convict him of accessing a
protected computer `without authorization.’” U.S. v. Steele, supra. The court began its analysis of his argument
by explaining that
[t]he CFAA imposes criminal and civil
penalties on individuals who unlawfully access computers. Specifically, §
1030(a)(2)(C), under which Steele was indicted, prohibits accessing a protected
computer `without authorization’ or in `exce[ss of] authorized access.’
Notably, the indictment itself charged Steele with violating only the first
prong of this section.
Steele primarily relies on our opinion
in WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (U.S.
Court of Appeals for the 4th Circuit 2012), to argue that because
SRA did not change his access password when he resigned, Steele's
post-employment access, though “ethically dubious” was not “without
authorization” as contemplated by the statute. We cannot agree.
WEC Carolina contributes to
a dialogue among the circuit courts on the reach of § 1030(a)(2). The
broad view holds that when employees access computer information with the
intent to harm their employer, their authorization to access that information
terminates, and they are therefore acting `without authorization' under § 1030(a)(2).
See Int'l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (U.S. Court of Appeals for the 7th Circuit 2006). The narrower construction, adopted
by WEC Carolina, holds that § 1030(a)(2) applies to
employees who unlawfully access a protected computer, but not to
the improper use of information lawfully accessed. See
WEC Carolina, supra. . . .
Importantly, this split focuses on
employees who are authorized to access their employer's computers but use the
information they retrieve for an improper purpose. Steele's case is
distinguishable for one obvious reason: he was not an employee of SRA at the
time the indictment alleges he improperly accessed the company's server.
In WEC Carolina, authorization did not hinge on employment status
because that issue was not in dispute.
Here, by contrast, the fact that Steele
no longer worked for SRA when he accessed its server logically suggests that
the authorization he enjoyed during his employment no longer existed. See,
e.g., LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (U.S. Court of Appeals for the 9th Circuit 2009) (`There is no dispute that if Brekka
accessed LVRC's information . . . after
he left the company . . . , Brekka would have accessed a protected computer
“without authorization” for purposes of the CFAA.’) Restatement (Third) of Agency § 3.09 (2006) (Actual authority terminates “upon the
occurrence of circumstances on the basis of which the agent should reasonably
conclude” that authority is revoked).
Common sense aside, the evidence
provides ample support for the jury's verdict. SRA took steps to revoke
Steele's access to company information, including collecting Steele's
company-issued laptop, denying him physical access to the company's offices,
and generally terminating his main system access. And Steele himself recognized
that his resignation effectively terminated any authority he had to access
SRA's server, promising in his resignation letter that he would not attempt to
access the system thereafter. Just because SRA neglected to change a password
on Steele's backdoor account does not mean SRA intended for Steele to have
continued access to its information.
Because Steele clearly acted `without
authorization’ under the plain meaning of § 1030(a)(2), the evidence is
sufficient to affirm his convictions.
U.S. v. Steele, supra.
Next, the court addressed Steele’s second argument, which
arose from the fact that
[t]he government charged Steele with `intentionally
accessing a computer without authorization.’ The indictment did not, however,
purport to charge Steele under the alternative crime in § 1030(a)(2):
exceeding authorized access. Nevertheless, when instructing the jury, the
district court twice stated that Steele had been charged with `intentionally
accessing a computer without authorization and in excess of
authorization. . . .’ Joint Appendix 781–83 (emphasis added). Steele urges that
these erroneous instructions constituted a constructive amendment of the
indictment requiring reversal.
U.S. v. Steele, supra (emphasis in the original).
As a legal site explains, a constructive amendment of an
indictment occurs when
`the terms of the indictment are in
effect altered by the presentation of evidence and jury instructions which so
modify essential elements of an offense charged that there is a substantial
likelihood that the defendant may have been convicted of an offense other than that
charged in the indictment.’ U.S. v.
Hemphill, 76 Fed. Appx. 6 (U.S. Court of Appeals for the 6th Circuit Ohio
2003).
The Court of Appeals did not accept Steel’s constructive
amendment arguing, noting that “when instructing the jury, the district court [judge]
twice stated that Steele had been charged with `intentionally accessing a
computer without authorization and in excess of authorization.
. . .’, which was the basis of Steel’s argument. U.S. v. Steele, supra.
It also pointed out that “[n]owhere did the court . . . expressly
tell the jury that it could find Steele guilty if it found he had acted “in
excess of his authorization.” U.S. v.
Steele, supra. And
it explained that the U.S. District Court Judge who presided at the trial also read the
indictment to the jury,
without the `exceeds authorization’ language. In addition, the court's
recitation of the elements included only the charge of accessing a computer
`without authorization.’ Moreover, the court told the jury that it was to consider
the instructions `as a whole’ in reaching its decision and that Steele was not
on trial for any act not charged in the indictment. Finally, the jury received
a copy of the indictment and the verdict forms based on the indictment.
U.S. v. Steele, supra. The Court of Appeals therefore
held that the District Court Judge’s “two isolated references to accessing a
computer “in excess” of authorization did not constitute a constructive
amendment.” U.S. v. Steele, supra.
Next, Steele argued that his felony convictions under §
1030(c)(2)(B)(iii) were
constitutionally flawed. Typically,
accessing a protected computer without authorization is a misdemeanor offense
under the CFAA. The statute does, however, provide three ways through which the
offense may be enhanced to a felony: (1) committing the offense for `commercial
advantage or private financial gain’; (2) committing the offense `in
furtherance of any criminal or tortious act in violation of’ state or federal
law; or (3) if `the value of the information obtained exceeds $5,000.’ 18
U.S.C. § 1030(c)(2)(B). Accordingly, the indictment charged Steele not only
with accessing a protected computer without authorization but also with doing
so on the basis of these three felony enhancements, including in furtherance of
Virginia's grand larceny statute, Va. Code § 18.2–95.
U.S. v. Steele, supra.
The Court of Appeals explained that Steele claimed that the
Virginia statute and the
CFAA provision are proved using the
same criminal conduct. According to Steele, because the two offenses merge, the
government was barred by double jeopardy principles from enhancing what would
have been a misdemeanor into a felony conviction. . . .
U.S. v. Steele, supra.
The court rejected this argument, noting that FBI Special
Agent Etienne, who
investigated Steele's conduct,
testified that the FBI recovered evidence that Steele not only accessed emails
and bid documents but actively downloaded them and saved them to multiple hard
drives connected to his personal computer. . . . In addition, the government
provided the jury with a summary chart of the charges against Steele, listing
specific documents supporting those charges, the value associated with those
documents, and the location where they were found on Steele's computer hard
drives. . . . Through this evidence, the government was able to show that
Steele's conduct included not simply reading or observing protected
information but also downloading (`taking’)
that information.
In sum, because the government used
different conduct to prove the two offenses, Steele's felony convictions for
violating the CFAA do not raise . . . double jeopardy concerns. . . .
U.S. v. Steele, supra. (emphasis in the original).
Finally, the court rejected Steele’s argument that the
prosecution erred “in calculating both his sentence under the [U.S. Sentencing Guidelines] and the amount of restitution required under the Mandatory VictimsRestitution Act of 1996 (“MVRA”), 18 U.S. Code § 3663A.” U.S. v. Steele, supra. It began by explaining that the District Court Judge
accepted the recommendation of the
pre-sentence investigation report that Steele's base offense level be increased
by 18 points under [U.S. Sentencing Guideline] § 2B1.1(b)(1) because his
theft caused more than $2,500,000 in loss. The court arrived at the loss
estimate ($3,048,769.55) by looking at the costs incurred by SRA to prepare the
documents accessed by Steele relating to specific government contracts for which
his new company competed with his old. Steele argues that, in increasing his
offense level to account for intended loss, the government failed to show [he]
had the subjective intent to cause the amount of loss calculated.
U.S. v. Steele, supra.
Once again, the Court of Appeals did not agree, explaining,
initially, that its precedent
is clear that when
calculating loss under § 2B1.1(b)(1), intended loss (rather than actual
loss) is the appropriate measure. See
U.S. v. Miller, 316 F.3d 495 (4th Circuit 2003). Although Steele
testified that he did not have the subjective intent to cause his former
employer any loss, the district court did not accept his explanation. [Joint
Appendix] 1101 (Steele's explanation was `farfetched’); [Joint Appendix] 1118 (`Well,
I just don't buy it’); [Joint Appendix] 1120 (`[Y]ou say, “I just had [this
information] on my computer. I did nothing with it.” I don't buy that either.’).
Because the court accounted for Steele's subjective intent when determining his
sentence, its conclusion was not in error. . . .
We are also satisfied that the district
court imposed a reasonable amount in restitution. Under the MVRA, a court must
award restitution where the defendant is convicted of an offense against
property and the victim suffers pecuniary loss. 18 U.S. Code § 3663A(c)(1).
Restitution must include both the victim's `expenses incurred during
participation in the investigation or prosecution of the offense’ and the value
of any stolen property (if return of the property `is impossible,
impracticable, or inadequate’).§ 3663A(b)(1)(B), (b)(4).
The district court awarded $228,400 in
restitution for the amount spent by SRA to assist in the investigation and
prosecution of the offenses. Further, the court awarded $91,462.80, as a fractional
component of the development costs of the stolen proprietary information.
Finally, the court awarded $16,114.88 in legal fees, for a total restitution
award of $335,977.68.
U.S. v. Steele, supra.
The court went on to find that the $91,462.80 actual loss amount reflected the
district court's
decision to award SRA only 3% of its estimated cost of preparing the bid
documents that Steele accessed. The MVRA requires restitution to be based on
the victim's total actual loss. . . . While it is unclear why the
district court chose to award SRA only a fraction of its total loss, any error
in the court's calculation inured in Steele's favor. Accordingly, we decline to
disturb the district court's restitution award.
U.S. v. Steele, supra.
It therefore affirmed Steele’s conviction, sentence and restitution
award. U.S. v. Steele, supra.
No comments:
Post a Comment