Monday, January 19, 2015

The (Former) Systems Administrator, Proprietary Information and the Computer Fraud and Abuse Act

After a jury convicted Robert Steele on “fourteen counts of unauthorized access of a protected computer under the Computer Fraud and Abuse Act (`CFAA’), 18 U.S. Code § 1030”, he appealed.  U.S. v. Steele, 2014 WL 7331679 (U.S. Court of Appeals for the 4th Circuit 2014).  You can read more about the prosecution in the news story you can find here.
The Court of Appeals begins its analysis of his appeal by explaining how the case arose:
In 2007, Platinum Solutions, Inc., hired Steele as its vice president for business development and backup systems administrator. His duties gave him access to the company's server, which allowed him to monitor email accounts and employee passwords. Three years after Steele joined Platinum, the company was sold to SRA International, Inc. Steele subsequently resigned and went to work for another company, which -- like Platinum and SRA -- provided contract IT services to government defense agencies.

During the next nine months, Steele continued to log in to SRA's server via a `backdoor’ account he had used while working for Platinum and SRA, and he proceeded to access and download documents and emails related to SRA's ongoing contract bids. The FBI later determined that Steele had accessed the server almost 80,000 times.

A grand jury indicted Steele on two counts of wire fraud under 18 U.S. Code §§ 1343 and 1349, and fourteen counts of unauthorized access of a protected computer under the Computer Fraud and Abuse Act (`CFAA’), 18 U.S. Code § 1030.  The district court granted a judgment of acquittal on the wire fraud charges pursuant to Rule 29 of the Federal Rules of Criminal Procedure, but a jury convicted Steele on all of the CFAA charges, consisting of two misdemeanor and twelve felony counts. Steele received a prison sentence totaling 48 months, significantly less than the recommendations under the U.S. Sentencing Guidelines Manual (`U.S.S.G.’). In addition, the district court ordered him to pay $50,000 in fines, $1,200 in fees, and $335,977.68 in restitution.
U.S. v. Steele, supra.
In his appeal, Steele made four arguments, the first of which was that “the evidence was insufficient to convict him of accessing a protected computer `without authorization.’” U.S. v. Steele, supra.  The court began its analysis of his argument by explaining that
[t]he CFAA imposes criminal and civil penalties on individuals who unlawfully access computers. Specifically, § 1030(a)(2)(C), under which Steele was indicted, prohibits accessing a protected computer `without authorization’ or in `exce[ss of] authorized access.’ Notably, the indictment itself charged Steele with violating only the first prong of this section.

Steele primarily relies on our opinion in WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (U.S. Court of Appeals for the 4th Circuit 2012), to argue that because SRA did not change his access password when he resigned, Steele's post-employment access, though “ethically dubious” was not “without authorization” as contemplated by the statute. We cannot agree.

WEC Carolina contributes to a dialogue among the circuit courts on the reach of § 1030(a)(2). The broad view holds that when employees access computer information with the intent to harm their employer, their authorization to access that information terminates, and they are therefore acting `without authorization' under § 1030(a)(2). See Int'l Airport Ctrs., L.L.C. v. Citrin, 440 F.3d 418 (U.S. Court of Appeals for the 7th Circuit 2006). The narrower construction, adopted by WEC Carolina, holds that § 1030(a)(2) applies to employees who unlawfully access a protected computer, but not to the improper use of information lawfully accessed. See WEC Carolina, supra. . . .  

Importantly, this split focuses on employees who are authorized to access their employer's computers but use the information they retrieve for an improper purpose. Steele's case is distinguishable for one obvious reason: he was not an employee of SRA at the time the indictment alleges he improperly accessed the company's server. In WEC Carolina, authorization did not hinge on employment status because that issue was not in dispute.

Here, by contrast, the fact that Steele no longer worked for SRA when he accessed its server logically suggests that the authorization he enjoyed during his employment no longer existed. See, e.g., LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (U.S. Court of Appeals for the 9th Circuit 2009) (`There is no dispute that if Brekka accessed LVRC's information . . .  after he left the company . . . , Brekka would have accessed a protected computer “without authorization” for purposes of the CFAA.’) Restatement (Third) of Agency § 3.09 (2006) (Actual authority terminates “upon the occurrence of circumstances on the basis of which the agent should reasonably conclude” that authority is revoked).

Common sense aside, the evidence provides ample support for the jury's verdict. SRA took steps to revoke Steele's access to company information, including collecting Steele's company-issued laptop, denying him physical access to the company's offices, and generally terminating his main system access. And Steele himself recognized that his resignation effectively terminated any authority he had to access SRA's server, promising in his resignation letter that he would not attempt to access the system thereafter. Just because SRA neglected to change a password on Steele's backdoor account does not mean SRA intended for Steele to have continued access to its information.

Because Steele clearly acted `without authorization’ under the plain meaning of § 1030(a)(2), the evidence is sufficient to affirm his convictions.
U.S. v. Steele, supra.
Next, the court addressed Steele’s second argument, which arose from the fact that
[t]he government charged Steele with `intentionally accessing a computer without authorization.’ The indictment did not, however, purport to charge Steele under the alternative crime in § 1030(a)(2): exceeding authorized access. Nevertheless, when instructing the jury, the district court twice stated that Steele had been charged with `intentionally accessing a computer without authorization and in excess of authorization. . . .’ Joint Appendix 781–83 (emphasis added). Steele urges that these erroneous instructions constituted a constructive amendment of the indictment requiring reversal. 
U.S. v. Steele, supra (emphasis in the original).
As a legal site explains, a constructive amendment of an indictment occurs when
`the terms of the indictment are in effect altered by the presentation of evidence and jury instructions which so modify essential elements of an offense charged that there is a substantial likelihood that the defendant may have been convicted of an offense other than that charged in the indictment.’ U.S. v. Hemphill, 76 Fed. Appx. 6 (U.S. Court of Appeals for the 6th Circuit Ohio 2003).
The Court of Appeals did not accept Steele’s constructive amendment argument, noting that “when instructing the jury, the district court [judge] twice stated that Steele had been charged with `intentionally accessing a computer without authorization and in excess of authorization. . . .’”, which was the basis of Steele’s argument. U.S. v. Steele, supra.
It also pointed out that “[n]owhere did the court . . . expressly tell the jury that it could find Steele guilty if it found he had acted `in excess of his authorization.’” U.S. v. Steele, supra. And it explained that the U.S. District Court Judge who presided at the trial also read the
indictment to the jury, without the `exceeds authorization’ language. In addition, the court's recitation of the elements included only the charge of accessing a computer `without authorization.’ Moreover, the court told the jury that it was to consider the instructions `as a whole’ in reaching its decision and that Steele was not on trial for any act not charged in the indictment. Finally, the jury received a copy of the indictment and the verdict forms based on the indictment.
U.S. v. Steele, supra. The Court of Appeals therefore held that the District Court Judge’s “two isolated references to accessing a computer “in excess” of authorization did not constitute a constructive amendment.”  U.S. v. Steele, supra.
Next, Steele argued that his felony convictions under § 1030(c)(2)(B)(iii) were
constitutionally flawed. Typically, accessing a protected computer without authorization is a misdemeanor offense under the CFAA. The statute does, however, provide three ways through which the offense may be enhanced to a felony: (1) committing the offense for `commercial advantage or private financial gain’; (2) committing the offense `in furtherance of any criminal or tortious act in violation of’ state or federal law; or (3) if `the value of the information obtained exceeds $5,000.’ 18 U.S.C. § 1030(c)(2)(B). Accordingly, the indictment charged Steele not only with accessing a protected computer without authorization but also with doing so on the basis of these three felony enhancements, including in furtherance of Virginia's grand larceny statute, Va. Code § 18.2–95.
U.S. v. Steele, supra.
The Court of Appeals explained that Steele claimed that the Virginia statute and the
CFAA provision are proved using the same criminal conduct. According to Steele, because the two offenses merge, the government was barred by double jeopardy principles from enhancing what would have been a misdemeanor into a felony conviction. . . .
U.S. v. Steele, supra.  
The court rejected this argument, noting that FBI Special Agent Etienne, who
investigated Steele's conduct, testified that the FBI recovered evidence that Steele not only accessed emails and bid documents but actively downloaded them and saved them to multiple hard drives connected to his personal computer. . . . In addition, the government provided the jury with a summary chart of the charges against Steele, listing specific documents supporting those charges, the value associated with those documents, and the location where they were found on Steele's computer hard drives. . . . Through this evidence, the government was able to show that Steele's conduct included not simply reading or observing protected information but also downloading (`taking’) that information.

In sum, because the government used different conduct to prove the two offenses, Steele's felony convictions for violating the CFAA do not raise . . . double jeopardy concerns. . . .
U.S. v. Steele, supra. (emphasis in the original).
Finally, the court rejected Steele’s argument that the prosecution erred “in calculating both his sentence under the [U.S. Sentencing Guidelines] and the amount of restitution required under the Mandatory Victims Restitution Act of 1996 (“MVRA”), 18 U.S. Code § 3663A.” U.S. v. Steele, supra. It began by explaining that the District Court Judge
accepted the recommendation of the pre-sentence investigation report that Steele's base offense level be increased by 18 points under [U.S. Sentencing Guideline] § 2B1.1(b)(1) because his theft caused more than $2,500,000 in loss. The court arrived at the loss estimate ($3,048,769.55) by looking at the costs incurred by SRA to prepare the documents accessed by Steele relating to specific government contracts for which his new company competed with his old. Steele argues that, in increasing his offense level to account for intended loss, the government failed to show [he] had the subjective intent to cause the amount of loss calculated.
U.S. v. Steele, supra.
Once again, the Court of Appeals did not agree, explaining, initially, that its precedent
is clear that when calculating loss under § 2B1.1(b)(1), intended loss (rather than actual loss) is the appropriate measure. See U.S. v. Miller, 316 F.3d 495 (4th Circuit 2003). Although Steele testified that he did not have the subjective intent to cause his former employer any loss, the district court did not accept his explanation. [Joint Appendix] 1101 (Steele's explanation was `farfetched’); [Joint Appendix] 1118 (`Well, I just don't buy it’); [Joint Appendix] 1120 (`[Y]ou say, “I just had [this information] on my computer. I did nothing with it.” I don't buy that either.’). Because the court accounted for Steele's subjective intent when determining his sentence, its conclusion was not in error. . . .

We are also satisfied that the district court imposed a reasonable amount in restitution. Under the MVRA, a court must award restitution where the defendant is convicted of an offense against property and the victim suffers pecuniary loss. 18 U.S. Code § 3663A(c)(1). Restitution must include both the victim's `expenses incurred during participation in the investigation or prosecution of the offense’ and the value of any stolen property (if return of the property `is impossible, impracticable, or inadequate’). § 3663A(b)(1)(B), (b)(4).

The district court awarded $228,400 in restitution for the amount spent by SRA to assist in the investigation and prosecution of the offenses. Further, the court awarded $91,462.80, as a fractional component of the development costs of the stolen proprietary information. Finally, the court awarded $16,114.88 in legal fees, for a total restitution award of $335,977.68.
U.S. v. Steele, supra.
The court went on to find that the $91,462.80 actual loss amount reflected the 
district court's decision to award SRA only 3% of its estimated cost of preparing the bid documents that Steele accessed. The MVRA requires restitution to be based on the victim's total actual loss. . . . While it is unclear why the district court chose to award SRA only a fraction of its total loss, any error in the court's calculation inured in Steele's favor. Accordingly, we decline to disturb the district court's restitution award.

U.S. v. Steele, supra.  It therefore affirmed Steele’s conviction, sentence and restitution award.  U.S. v. Steele, supra.
