United States v. Phillips

United States Court of Appeals
Fifth Circuit
F I L E D
IN THE UNITED STATES COURT OF APPEALS
FOR THE FIFTH CIRCUIT January 24, 2007

Charles R. Fulbruge III
No. 05-51271 Clerk

UNITED STATES OF AMERICA,

Plaintiff-Appellee,

versus

CHRISTOPHER ANDREW PHILLIPS,

Defendant-Appellant.

Appeal from the United States District Court
for the Western District of Texas

Before JONES, Chief Judge, and SMITH and STEWART, Circuit Judges.

EDITH H. JONES, Chief Judge:

Christopher Andrew Phillips (“Phillips”) appeals his

conviction for intentionally accessing a protected computer without

authorization and recklessly causing damage in excess of $5,000,

pursuant to the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C.

§§ 1030(a)(5)(A)(ii) and (B)(i). Phillips alleges that (1) insuf-

ficient evidence was presented at trial to support his conviction

under § 1030(a)(5)(A)(ii); (2) the district court’s jury charge

constructively amended the indictment; (3) the district court’s

failure to include a lesser-included offense instruction in the

jury charge was error; and (4) the district court’s award of over

$170,000 in restitution under 18 U.S.C. § 3663A was erroneous.

Finding no reversible error, we AFFIRM.
 I. BACKGROUND

Phillips entered the University of Texas at Austin (“UT”)

in 2001 and was admitted to the Department of Computer Sciences in

2003. Like all incoming UT students, Phillips signed UT’s

“acceptable use” computer policy, in which he agreed not to perform

port scans using his university computer account.1 Nonetheless,

only a few weeks after matriculating, Phillips began using various

programs designed to scan computer networks and steal encrypted

data and passwords. He succeeded in infiltrating hundreds of

computers, including machines belonging to other UT students,

private businesses, U.S. Government agencies, and the British Armed

Services webserver. In a matter of months, Phillips amassed a

veritable informational goldmine by stealing and cataloguing a wide

variety of personal and proprietary data, such as credit card

numbers, bank account information, student financial aid

statements, birth records, passwords, and Social Security numbers.

The scans, however, were soon discovered by UT’s

Information Security Office (“ISO”), which informed Phillips on

1
Port scanning is a technique used by computer hackers by
which an individual sends requests via a worm or other program to
various networked computer ports in an effort to ascertain
whether particular machines have vulnerabilities that would leave
them susceptible to external intrusion. Often used as an initial
step in launching an attack on another computer or transmitting a
virus, port scanning is a relatively unsophisticated, but highly
effective, reconnaissance method, likened at trial by UT’s
information technology chief as the electronic equivalent of
“rattling doorknobs” to see if easy access can be gained to a
room.

2
three separate occasions that his computer had been detected

portscanning hundreds of thousands of external computers for

vulnerabilities. Despite several instructions to stop, Phillips

continued to scan and infiltrate computers within and without the

UT system, daily adding to his database of stolen information.

At around the time ISO issued its first warning in early

2002, Phillips designed a computer program expressly for the

purpose of hacking into the UT system via a portal known as the

“TXClass Learning Central: A Complete Training Resource for UT

Faculty and Staff.” TXClass was a “secure” server operated by UT

and used by faculty and staff as a resource for enrollment in

professional education courses. Authorized users gained access to

their TXClass accounts by typing their Social Security numbers in

a field on the TXClass website’s log-on page. Phillips exploited

the vulnerability inherent in this log-on protocol by transmitting

a “brute-force attack” program,2 which automatically transmitted to

the website as many as six Social Security numbers per second, at

least some of which would correspond to those of authorized TXClass

users.

Initially, Phillips selected ranges of Social Security

numbers for individuals born in Texas, but he refined the brute-

force attack to include only numbers assigned to the ten most

2
“Brute-force attack” is term of art in computer science
used to describe a program designed to decode encrypted data by
generating a large number of passwords.

3
populous Texas counties. When the program hit a valid Social

Security number and obtained access to TXClass, it automatically

extracted personal information corresponding to that number from

the TXClass database and, in effect, provided Phillips a “back

door” into UT’s main server and unified database. Over a fourteen-

month period, Phillips thus gained access to a mother lode of data

about more than 45,000 current and prospective students, donors,

and alumni.

Phillips’s actions hurt the UT computer system. The

brute-force attack program proved so invasive — increasing the

usual monthly number of unique requests received by TXClass from

approximately 20,000 to as many as 1,200,000 — that it caused the

UT computer system to crash several times in early 2003. Hundreds

of UT web applications became temporarily inaccessible, including

the university’s online library, payroll, accounting, admissions,

and medical records. UT spent over $122,000 to assess the damage

and $60,000 to notify victims that their personal information and

Social Security numbers had been illicitly obtained.

After discovering the incursions, UT contacted the Secret

Service, and the investigation led to Phillips. Phillips admitted

that he designed the brute-force attack program to obtain data

about individuals from the UT system, but he disavowed that he

intended to use or sell the information.

Phillips was indicted and convicted after a jury trial on

one count of computer fraud pursuant to 18 U.S.C. § 1030(a)(5)

4
(A)(ii) and (B)(i), and one count of possession of an

identification document containing stolen Social Security numbers

pursuant to 18 U.S.C. § 1028(a)(6). Phillips timely filed a motion

for judgment of acquittal challenging, unsuccessfully, the

sufficiency of the evidence regarding the loss amount used to

support the computer fraud conviction, and asserting, correctly,

that his conviction under § 1028(a)(6) violated the Ex Post Facto

Clause.3 He was sentenced to five years’ probation, five hundred

hours of community service, and restitution of $170,056. Phillips

appealed.

II. DISCUSSION

A. Sufficiency of the Evidence

Phillips asserts that the Government failed to produce

sufficient evidence that he “intentionally access[ed] a protected

computer without authorization” under § 1030(a)(5)(A)(ii).

Although Phillips timely filed a motion for judgment of

acquittal, see FED. R. CRIM. P. 29, the motion raised only the narrow

issue whether the loss or damage caused by his online exploits

exceeded $5,000.00. See § 1030(a)(5)(B)(i). Both the Government’s

opposition memorandum and the district court’s ruling on the motion

3
Section 1023(a)(6) was amended on April 30, 2003, by adding
the phrase “knowingly possesses an authentication feature of the
United States which is stolen.” Because the last act Phillips
committed that would qualify for punishment under this provision
occurred on March 2, 2003, the district court correctly dismissed
the conviction under this count as violative of the Ex Post Facto
clause, U.S. CONST. art. I, § 9.

5
addressed this one issue. Accordingly, “[w]here, as here, a

defendant asserts specific grounds for a specific element of a

specific count for a Rule 29 motion, he waives all others for that

specific count.” United States v. Herrera, 313 F.3d 882, 884 (5th

Cir. 2002) (en banc), cert. denied, 537 U.S. 1242, 123 S. Ct. 1375

(2003) (emphasis in original). We thus review his newly raised

claim that there was insufficient evidence of the statutorily

required mens rea under § 1030(a)(5)(A)(ii) only for a “manifest

miscarriage of justice.” United States v. Green, 293 F.3d 886, 895

(5th Cir. 2002) (internal quotation marks omitted). Under this

exacting standard of review, a claim of evidentiary insufficiency

will be rejected unless “the record is devoid of evidence pointing

to guilt” or if the evidence is “so tenuous that a conviction is

shocking.” United States v. Avants, 367 F.3d 433, 449 (5th Cir.

2004).

Phillips’s insufficiency argument takes two parts: that

the Government failed to prove (1) he gained access to the TXClass

website without authorization and (2) he did so intentionally.

With regard to his authorization, the CFAA does not

define the term, but it does clearly differentiate between

unauthorized users and those who “exceed[] authorized access.” See

§ 1030(e)(6) (defining “exceeding authorized access” as “access-

[ing] a computer with authorization and . . . us[ing] such access

to obtain or alter information in the computer that the accesser is

not entitled so to obtain or alter . . .”); see also §§ 1030(a)(1),

6
(a)(2), (a)(4). Several subsections of the CFAA apply exclusively

to users who lack access authorization altogether. See, e.g.,

§§ 1030(a)(3), (5)(A)(i), (5)(A)(ii), (5)(A)(iii). In conditioning

the nature of the intrusion in part on the level of authorization

a computer user possesses, Congress distinguished between “in-

siders, who are authorized to access a computer,” and “outside

hackers who break into a computer.” See S. REP. NO. 104-357, at 11

(1996); see also S. REP. NO. 99-432, at 10, as reprinted in 1986

U.S.C.C.A.N. 2479, at 2488 (1986) (stating that §§ 1030(a)(3) and

(a)(5) “will be aimed at ‘outsiders’”).

Courts have therefore typically analyzed the scope of a

user’s authorization to access a protected computer on the basis of

the expected norms of intended use or the nature of the

relationship established between the computer owner and the user.

Applying such an intended-use analysis, in United States v. Morris,

928 F.2d 504 (2d Cir. 1991), a case involving an invasive procedure

that prefigured modern portscanning, the Second Circuit held that

transmission of an internet worm designed “to demonstrate the

inadequacies of current security measures on computer networks by

exploiting . . . security defects” was sufficient to permit a jury

to find unauthorized access within the meaning of § 1030(a)(5)(A).

Morris, 928 F.2d at 505. The Morris court determined that conduct,

like “password guessing” or finding “holes in . . . programs,” that

uses computer systems not “in any way related to their intended

function” amounts to obtaining unauthorized access. Id. at 510;

7
see also Creative Computing v. Getloaded.com LLC, 386 F.3d 930 (9th

Cir. 2004)(internet site administrator’s misappropriation of login

names and passwords to obtain access to competitor’s website

violated CFAA); Theofel v. Farey-Jones, 359 F.3d 1066, 1074

(9th Cir.), cert. denied, 543 U.S. 813, 125 S. Ct. 48 (2004)(use of

an authorized third-party’s password by an outside hacker to gain

access to a mail server fell within “the paradigm of what

[Congress] sought to prohibit [under the Stored Communications

Act]”); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 582

n.10 (1st Cir. 2001)(mentioning in dicta the district court’s

observation of a “default rule” that conduct is unauthorized for

§ 1030 purposes “if it is not in line with reasonable expectations

of the website owner and its users”)(internal quotation marks

omitted).

Phillips’s brute-force attack program was not an intended

use of the UT network within the understanding of any reasonable

computer user and constitutes a method of obtaining unauthorized

access to computerized data that he was not permitted to view or

use. During cross-examination, Phillips admitted that TXClass’s

normal hourly hit volume did not exceed a few hundred requests, but

that his brute-force attack created as many as 40,000. He also

monitored the UT system during the multiple crashes his program

caused, and backed up the numerical ranges of the Social Security

numbers after the crashes so as not to omit any potential matches.

Phillips intentionally and meticulously executed both his intrusion

8
into TXClass and the extraction of a sizable quantity of

confidential personal data. There was no lack of evidence to find

him guilty of intentional unauthorized access.

Phillips makes a subsidiary argument that because the

TXClass website was a public application, he, like any internet

user, was a de facto authorized user. In essence, Phillips

contends that his theft of other people’s data from TXClass merely

exceeded the preexisting generic authorization that he maintained

as a user of the World Wide Web, and he cannot be considered an

unauthorized user under § 1030(a)(5)(A)(ii).

This argument misconstrues the nature of obtaining

“access” to an internet application and the CFAA’s use of the term

“authorization.” While it is true that any internet user can

insert the appropriate URL into a web browser and thereby view the

“TXClass Administrative Training System” log-in web page, a user

cannot gain access to the TXClass application itself without a

valid Social Security number password to which UT has affirmatively

granted authorization.4 Neither Phillips, nor members of the

4
Phillips’s contention that an individual’s ability to view
TXClass’s log-in webpage amounts to a general grant of authorized
access to the public-at-large is unsupported by various judicial
interpretations of what constitutes obtaining access to a
protected computer. See, e.g., State v. Allen, 917 P.2d 848
(Kan. 1996)(under Kansas computer crime statute, until a computer
user proceeds beyond introductory banners and log-in screens by
use of a password, he has not accessed the program); State v.
Riley, 846 P.2d 1365 (Wash. 1993)(en banc)(attempted entry into
computer using randomly generated passwords is not access until a
successful password is found allowing entry); see also Role
Models, Inc. v. Jones, 305 F. Supp. 2d 564 (D. Md. 2004)(mere

9
public, obtain such authorization from UT merely by viewing a

log-in page, or clicking a hypertext link. Instead, courts have

recognized that authorized access typically arises only out of a

contractual or agency relationship.5 While Phillips was authorized

to use his UT email account and engage in other activities defined

by UT’s acceptable computer use policy, he was never authorized to

access TXClass. The method of access he used makes this fact even

more plain. In short, the government produced sufficient evidence

at trial to support Phillips’s conviction under

§ 1030(a)(5)(A)(ii).

B. Constructive Amendment of the Indictment

For the first time on appeal, Phillips alleges as error

that the district court constructively amended his indictment in

receipt of information from a protected computer is not
equivalent to obtaining access under CFAA).
5
See, e.g., Int’l Airport Ctrs. LLC v. Citrin, 440 F.3d 418
(7th Cir. 2006)(authorized access to company computer terminated
when employee violated employment contract); EF Cultural Travel
BV v. Explorica, Inc., 274 F.3d 577 (1st Cir.
2001)(confidentiality agreement defined authorized access to
travel company’s computerized pricing information); United States
v. Czubinski, 106 F.3d 1069 (1st Cir. 1997)(employer assignment
of a confidential password created authorization); Pac. Aerospace
& Elecs., Inc., 295 F. Supp. 2d 1188 (E.D. Wash. 2003)(former
employees’ unauthorized access in violation of confidentiality
and employment agreements merited imposition of preliminary
injunction); Shurgard Storage Ctrs., Inc. v. Safeguard Self-
Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000)(employees
not authorized to obtain proprietary information from former
employer because agency relationship had terminated);
YourNetDating, Inc. v. Mitchell, 88 F. Supp. 2d 870 (N.D. Ill.
2000)(programmer’s hacking of former employer’s dating service
website that redirected users to a pornographic website was
unauthorized access and merited temporary restraining order).

10
its jury instructions. The district court charged the jury based

on the Government’s proposed instruction and a modified version of

the Eleventh Circuit’s Criminal Pattern Jury Instruction 42.3 that

adopts language from §§ 1030(a)(5)(A)(i) and (B)(i). Subsec-

tion (i) punishes an individual who “knowingly causes the trans-

mission of a program . . . to a protected computer.” Phillips was

indicted, however, not for knowingly transmitting a program under

§ 1030(a)(5)(A)(i), but for intentionally accessing a protected

computer under § 1030(a)(5)(A)(ii). As Phillips did not object to

the instruction at trial, we review this disparity between the

indictment and jury charge for plain error. United States v.

Bieganowski, 313 F.3d 264, 287 (5th Cir. 2002)(constructive

amendment claims raised for the first time on appeal reviewed for

plain error).

Phillips asserts that the deviation between the terms of

the charged offense and the language of the jury instruction was

plain and adversely affected his substantial rights in two ways.

First, the jury instruction impermissibly reduced the Government’s

burden of proof by not requiring the jury to find that he

intentionally accessed TXClass without authorization, but instead

only that he transmitted a program without authorization. Second,

Phillips claims that while § 1030(a)(5)(A)(ii) requires the

Government to prove that he “intentionally” accessed a protected

computer without authorization, the instruction required the jury

to find only that Phillips “knowingly” caused the transmission of

11
a program, not that he knowingly did so without authorization. Put

otherwise, Phillips argues that since § 1030(a)(5)(A)(ii)’s

scienter element applies to both the phrase “causes the

transmission” and “without authorization,” the district court erred

in submitting an instruction in which the scienter element applied

only to the act of transmitting a program.

Constructive amendment of an indictment occurs when the

trial court “through its instructions and facts it permits in

evidence, allows proof of an essential element of the crime on an

alternative basis provided by the statute but not charged in the

indictment.” United States v. Slovacek, 867 F.2d 842, 847 (5th

Cir.), cert. denied, 490 U.S. 1094, 109 S. Ct. 2441 (1989)(citing

Stirone v. United States, 361 U.S. 212, 215-19, 80 S. Ct. 270, 272-

74 (1960)). In evaluating whether constructive amendment has

occurred, we consider “whether the jury instruction, taken as a

whole, is a correct statement of the law and whether it clearly

instructs jurors as to the principles of law applicable to the

factual issues confronting them.” United States v. Guidry,

406 F.3d 314, 321 (5th Cir. 2005) (internal quotation marks

omitted).

With respect to Phillips’s first argument, the district

court’s instruction plainly modified an essential element of the

charged offense by supporting the act of accessing a protected

computer under subsection (ii) on the basis of transmitting a

program under subsection (i). See, e.g., United States v. Reyes,

12
102 F.3d 1361 (5th Cir. 1996) (jury instruction permitting

conviction based on proof of conspiracy to possess with the intent

to distribute marijuana constructively amended indictment that

charged not conspiracy, but the substantive offense itself). This

was a classic constructive amendment. Why the Government

overlooked the inconsistency between the statutory provision cited

in the indictment and the provision described in the jury charge is

a mystery.

We nonetheless find no reversible plain error with

respect to the transmission/access discrepancy. Phillips gained

access to TXClass by the act of transmitting the brute-force attack

program. The factual predicates for Phillips’s particular

conviction under the jury charge and the indictment — knowingly

transmitting a program and intentionally accessing a protected

computer — are identical. There is no conceivable basis upon which

the jury could have concluded that Phillips transmitted the program

and obtained information from UT’s database without having also

accessed a protected computer. The instruction on this element of

the charged offense, although incorrect, was immaterial.

Phillips’s second argument is that the indictment charged

him with “intentionally access[ing] a protected computer without

authorization,” while the jury instruction only required that he

“knowingly” transmitted the program.

We agree that the plain language of the statute, tracked

in the indictment, indicates that the actus reus was the

13
intentional unauthorized access of a protected computer. In fact,

the 1986 amendment to § 1030(a)(5) changed the scienter requirement

from “knowingly” to “intentionally” because of Congress’s concern

that the “knowingly” standard “might be inappropriate for cases

involving computer technology.”6 See S. REP. NO. 99-432, at 5, as

reprinted in 1986 U.S.C.C.A.N. 2479, 2483 (1986); Morris, 928 F.2d

at 507.7

The district court instructed the jury that to convict,

it must find that Phillips “knowingly caused the transmission of a

program” and that he “so acted without the authorization” of

appropriate persons or entities. This instruction, as Phillips

contends, does not fully convey that the jury must find that

Phillips intentionally acted without authorization. However, as

discussed above in the context of his sufficiency claim, the

evidence leaves no doubt that Phillips knew he was unauthorized to

transmit an invasive computer program designed to gain access to

the TXClass system and to steal thousands of Social Security

numbers. It beggars belief that, having transmitted such a

6
Discussion of the changes to the scienter elements of
§ 1030 in the Senate report focused on § 1030(a)(2), but the same
alteration of “knowingly” to “intentionally” was made to
§ 1030(a)(5)(A)(ii) and the report explicitly states that “[t]he
‘intentional’ standard [in new subsection § 1030(a)(5)] is the
same as that employed in Section 2(a)(1) and 2(b)(1) of the
bill.” S. REP. NO. 99-432, at 10 (1986), as reprinted in 1986
U.S.C.C.A.N. 2479, 2488 (1986).
7
Compare §§ 1030(a)(5)(A)(i) and (ii), with § 1030(a)(1),
which criminalizes the act of knowingly “exceed[ing] authorized
access,” without a requirement of intentional conduct.

14
program, Phillips did not intend to access a protected computer and

that he access be unauthorized.8 To the extent the jury

instructions were wrong, the errors did not affect Phillips’s

substantial rights. See Bieganowski, supra.

C. Lesser-Included Offense Instruction

Phillips next contends that the district court improperly

failed to instruct the jury on a lesser-included offense under

§ 1030(a)(5)(A)(iii), which is a misdemeanor.9 Phillips’s counsel

actually raised this issue at trial, and the judge invited him to

submit relevant authority, but he did not pursue the claim further

or submit a proposed charge, and he failed to object to the jury

8
We note that, in any event, the district court rectified
its error in misstating the scienter requirement as applied to
Phillips’s access. The court instructed the jury that
“knowingly” means “that the act was done voluntarily and
intentionally, not because of mistake or accident.”
9
Section 1030(a)(5)(A)(ii) applies to whoever “intentionally
accesses a protected computer without authorization, and as a
result of such conduct recklessly causes damage . . . .” In
contrast, § 1030(a)(5)(A)(iii) does not contain a scienter
element with respect to causing damage following unauthorized
access, but applies to anyone who “intentionally accesses a
protected computer without authorization, and as the result of
such conduct, causes damage” irrespective of mens rea and of any
minimum damage requirement.
The differing degrees of culpability envisioned by
Congress for the two subsections are reflected in the punishments
Congress allotted to their violation. According to
§ 1030(c)(2)(A), violation of subsection (a)(5)(A)(iii), i.e.,
intentional unauthorized access and subsequent damage however
caused, is a Class A misdemeanor punishable by a fine or
imprisonment not exceeding one year, or both. See 18 U.S.C.
§ 3559(a)(6). Subsection (a)(5)(A)(ii), however, is a Class E
felony, see 18 U.S.C. § 3559(a)(5), punishable by fine,
imprisonment not exceeding five years, or both. § 1030(c)(4)(B).

15
charge. That defense counsel remained aware of the distinction

between the mens rea requirements in the charged offense and the

lower standard of conduct and damage betokened in the misdemeanor

offense is clear from his closing argument; he observed that

Phillips must be shown to have acted “recklessly” rather than with

negligence.

We construe this train of events as a waiver of the

argument Phillips now urges. Waiver is an “affirmative choice by

the defendant to forego any remedy available to him, presumably for

real or perceived benefits.” United States v. Dodson, 288 F.3d

153, 160 (5th Cir. 2002); see also United States v. Olano,

507 U.S. 725, 113 S. Ct. 1770 (1993)(waiver is the intentional

relinquishment of a known right). The known right here was the at

least arguable right to obtain a lesser-included offense

instruction for a misdemeanor. The perceived benefit lay in

counsel’s strategic decision to pursue full acquittal if he could

persuade the jury that Phillips hadn’t recklessly caused damage.

The judicial system can self-correct only if counsel voices an

objection clearly at the proper time in the proceedings. Dropping

hints as to a trial court’s error, and awaiting the trial outcome

to pursue the objection further, is inconsistent with counsel’s

duty of candor and clarity. This objection was waived. See United

States v. Salerno, 108 F.3d 730, 740 (7th Cir. 1997)(defendant’s

“lack of request for such an instruction coupled with his

16
affirmative acceptance of the court’s final jury instructions

demonstrates that he intentionally relinquished his known right”).

D. Restitution Award

Finally, Phillips contends that the district court erred

in its award of restitution for costs incurred by UT in conducting

a computer damage and systems evaluation and contacting individuals

whose biographical information and Social Security numbers were

stolen. Since Phillips raises this issue for the first time on

appeal, we review the award for plain error. United States v.

Garza, 429 F.3d 165, 169 (5th Cir. 2005). There is no error at

all.

A defendant sentenced under provisions of the Mandatory

Restitution to Victims Act (“MRVA”), 18 U.S.C. § 3663A, is

responsible for providing restitution only to victims who were

directly and proximately harmed by the conduct underlying the

offense for which he was convicted. See 18 U.S.C. § 3663A(a)(2);

United States v. Griffin, 324 F.3d 330, 368 (5th Cir. 2003). The

MRVA applies to cases in which an identifiable victim has suffered

“pecuniary loss,” see 18 U.S.C. § 3663A(c)(1)(B), and expressly

permits reimbursement of victims for “expenses incurred during

participation in the investigation or prosecution” of the predicate

offense. See § 3663A(b)(4).

Relying on United States v. Schinnell, 80 F.3d 1064 (5th

Cir. 1996), Phillips asserts that restitution of money spent by UT

17
in contacting the victims of his electronic intrusions is barred by

§ 3663A(b)(1), a provision that precludes an award of

“consequential damages.” Schinnell, 80 F.3d at 1070-71;10 see also

United States v. Onyiego, 286 F.3d 249, 256 (5th Cir.

2002)(district court award of restitution for legal fees victim

incurred in defending collection actions caused by defendant’s

crime barred by § 3663A(b)(1)).

Schinnell’s reasoning is inapplicable to the instant

case. First, Schinnell involved a separate restitutionary

provision, while § 3663A(b)(4), applicable here, explicitly

authorizes restitution of expenses “incurred during participation

in the investigation or prosecution of the offense.” UT was a

victim, and it collaborated with the investigation and incurred

costs to notify other victims of Phillips’s data theft in order to

determine whether they had suffered further damage.

Second, Schinnell involved a violation of § 1343, the

federal wire fraud statute, not § 1030(a)(5)(ii). The CFAA, unlike

§ 1343, precisely defines the nature of the loss resulting from

10
Section 3663A(b)(1) applies to “offense[s] resulting in
damage to or loss or destruction of property” and limits
restitution to either the return of the property, or if return is
impossible, impracticable, or inadequate, to the greater of the
value of the property on the date of the loss or its value at
sentencing. Schinnell involved interpretation of § 3663(b)(1) of
the Victim and Witness Protection Act, 18 U.S.C. § 3663, which is
identical to the MRVA’s § 3663A(b)(1). See Schinnell, 80 F.3d at
1070.

18
unauthorized access of a protected computer that Congress sought to

remedy:

[T]he term “loss” means any reasonable cost to any
victim, including the cost of responding to an offense,
conducting a damage assessment, and restoring the data,
program, system, or information to its condition prior to
the offense, and any revenue lost, cost incurred, or
other consequential damages incurred because of
interruption of service . . . .

§ 1030(e)(11); see also S. REP. NO. 99-432, at 11, as reprinted in

1986 U.S.C.C.A.N. 2479, 2488-89 (1986). Schinnell is based on a

wholly distinguishable statutory framework.

III. CONCLUSION

For the foregoing reasons, the conviction and sentence

are AFFIRMED.

19