United States Court of Appeals
Fifth Circuit
F I L E D
IN THE UNITED STATES COURT OF APPEALS
FOR THE FIFTH CIRCUIT January 24, 2007
Charles R. Fulbruge III
No. 05-51271 Clerk
UNITED STATES OF AMERICA,
Plaintiff-Appellee,
versus
CHRISTOPHER ANDREW PHILLIPS,
Defendant-Appellant.
Appeal from the United States District Court
for the Western District of Texas
Before JONES, Chief Judge, and SMITH and STEWART, Circuit Judges.
EDITH H. JONES, Chief Judge:
Christopher Andrew Phillips (“Phillips”) appeals his
conviction for intentionally accessing a protected computer without
authorization and recklessly causing damage in excess of $5,000,
pursuant to the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C.
§§ 1030(a)(5)(A)(ii) and (B)(i). Phillips alleges that (1) insuf-
ficient evidence was presented at trial to support his conviction
under § 1030(a)(5)(A)(ii); (2) the district court’s jury charge
constructively amended the indictment; (3) the district court’s
failure to include a lesser-included offense instruction in the
jury charge was error; and (4) the district court’s award of over
$170,000 in restitution under 18 U.S.C. § 3663A was erroneous.
Finding no reversible error, we AFFIRM.
I. BACKGROUND
Phillips entered the University of Texas at Austin (“UT”)
in 2001 and was admitted to the Department of Computer Sciences in
2003. Like all incoming UT students, Phillips signed UT’s
“acceptable use” computer policy, in which he agreed not to perform
port scans using his university computer account.1 Nonetheless,
only a few weeks after matriculating, Phillips began using various
programs designed to scan computer networks and steal encrypted
data and passwords. He succeeded in infiltrating hundreds of
computers, including machines belonging to other UT students,
private businesses, U.S. Government agencies, and the British Armed
Services webserver. In a matter of months, Phillips amassed a
veritable informational goldmine by stealing and cataloguing a wide
variety of personal and proprietary data, such as credit card
numbers, bank account information, student financial aid
statements, birth records, passwords, and Social Security numbers.
The scans, however, were soon discovered by UT’s
Information Security Office (“ISO”), which informed Phillips on
1
Port scanning is a technique used by computer hackers by
which an individual sends requests via a worm or other program to
various networked computer ports in an effort to ascertain
whether particular machines have vulnerabilities that would leave
them susceptible to external intrusion. Often used as an initial
step in launching an attack on another computer or transmitting a
virus, port scanning is a relatively unsophisticated, but highly
effective, reconnaissance method, likened at trial by UT’s
information technology chief as the electronic equivalent of
“rattling doorknobs” to see if easy access can be gained to a
room.
2
three separate occasions that his computer had been detected
portscanning hundreds of thousands of external computers for
vulnerabilities. Despite several instructions to stop, Phillips
continued to scan and infiltrate computers within and without the
UT system, daily adding to his database of stolen information.
At around the time ISO issued its first warning in early
2002, Phillips designed a computer program expressly for the
purpose of hacking into the UT system via a portal known as the
“TXClass Learning Central: A Complete Training Resource for UT
Faculty and Staff.” TXClass was a “secure” server operated by UT
and used by faculty and staff as a resource for enrollment in
professional education courses. Authorized users gained access to
their TXClass accounts by typing their Social Security numbers in
a field on the TXClass website’s log-on page. Phillips exploited
the vulnerability inherent in this log-on protocol by transmitting
a “brute-force attack” program,2 which automatically transmitted to
the website as many as six Social Security numbers per second, at
least some of which would correspond to those of authorized TXClass
users.
Initially, Phillips selected ranges of Social Security
numbers for individuals born in Texas, but he refined the brute-
force attack to include only numbers assigned to the ten most
2
“Brute-force attack” is term of art in computer science
used to describe a program designed to decode encrypted data by
generating a large number of passwords.
3
populous Texas counties. When the program hit a valid Social
Security number and obtained access to TXClass, it automatically
extracted personal information corresponding to that number from
the TXClass database and, in effect, provided Phillips a “back
door” into UT’s main server and unified database. Over a fourteen-
month period, Phillips thus gained access to a mother lode of data
about more than 45,000 current and prospective students, donors,
and alumni.
Phillips’s actions hurt the UT computer system. The
brute-force attack program proved so invasive — increasing the
usual monthly number of unique requests received by TXClass from
approximately 20,000 to as many as 1,200,000 — that it caused the
UT computer system to crash several times in early 2003. Hundreds
of UT web applications became temporarily inaccessible, including
the university’s online library, payroll, accounting, admissions,
and medical records. UT spent over $122,000 to assess the damage
and $60,000 to notify victims that their personal information and
Social Security numbers had been illicitly obtained.
After discovering the incursions, UT contacted the Secret
Service, and the investigation led to Phillips. Phillips admitted
that he designed the brute-force attack program to obtain data
about individuals from the UT system, but he disavowed that he
intended to use or sell the information.
Phillips was indicted and convicted after a jury trial on
one count of computer fraud pursuant to 18 U.S.C. § 1030(a)(5)
4
(A)(ii) and (B)(i), and one count of possession of an
identification document containing stolen Social Security numbers
pursuant to 18 U.S.C. § 1028(a)(6). Phillips timely filed a motion
for judgment of acquittal challenging, unsuccessfully, the
sufficiency of the evidence regarding the loss amount used to
support the computer fraud conviction, and asserting, correctly,
that his conviction under § 1028(a)(6) violated the Ex Post Facto
Clause.3 He was sentenced to five years’ probation, five hundred
hours of community service, and restitution of $170,056. Phillips
appealed.
II. DISCUSSION
A. Sufficiency of the Evidence
Phillips asserts that the Government failed to produce
sufficient evidence that he “intentionally access[ed] a protected
computer without authorization” under § 1030(a)(5)(A)(ii).
Although Phillips timely filed a motion for judgment of
acquittal, see FED. R. CRIM. P. 29, the motion raised only the narrow
issue whether the loss or damage caused by his online exploits
exceeded $5,000.00. See § 1030(a)(5)(B)(i). Both the Government’s
opposition memorandum and the district court’s ruling on the motion
3
Section 1023(a)(6) was amended on April 30, 2003, by adding
the phrase “knowingly possesses an authentication feature of the
United States which is stolen.” Because the last act Phillips
committed that would qualify for punishment under this provision
occurred on March 2, 2003, the district court correctly dismissed
the conviction under this count as violative of the Ex Post Facto
clause, U.S. CONST. art. I, § 9.
5
addressed this one issue. Accordingly, “[w]here, as here, a
defendant asserts specific grounds for a specific element of a
specific count for a Rule 29 motion, he waives all others for that
specific count.” United States v. Herrera, 313 F.3d 882, 884 (5th
Cir. 2002) (en banc), cert. denied, 537 U.S. 1242, 123 S. Ct. 1375
(2003) (emphasis in original). We thus review his newly raised
claim that there was insufficient evidence of the statutorily
required mens rea under § 1030(a)(5)(A)(ii) only for a “manifest
miscarriage of justice.” United States v. Green, 293 F.3d 886, 895
(5th Cir. 2002) (internal quotation marks omitted). Under this
exacting standard of review, a claim of evidentiary insufficiency
will be rejected unless “the record is devoid of evidence pointing
to guilt” or if the evidence is “so tenuous that a conviction is
shocking.” United States v. Avants, 367 F.3d 433, 449 (5th Cir.
2004).
Phillips’s insufficiency argument takes two parts: that
the Government failed to prove (1) he gained access to the TXClass
website without authorization and (2) he did so intentionally.
With regard to his authorization, the CFAA does not
define the term, but it does clearly differentiate between
unauthorized users and those who “exceed[] authorized access.” See
§ 1030(e)(6) (defining “exceeding authorized access” as “access-
[ing] a computer with authorization and . . . us[ing] such access
to obtain or alter information in the computer that the accesser is
not entitled so to obtain or alter . . .”); see also §§ 1030(a)(1),
6
(a)(2), (a)(4). Several subsections of the CFAA apply exclusively
to users who lack access authorization altogether. See, e.g.,
§§ 1030(a)(3), (5)(A)(i), (5)(A)(ii), (5)(A)(iii). In conditioning
the nature of the intrusion in part on the level of authorization
a computer user possesses, Congress distinguished between “in-
siders, who are authorized to access a computer,” and “outside
hackers who break into a computer.” See S. REP. NO. 104-357, at 11
(1996); see also S. REP. NO. 99-432, at 10, as reprinted in 1986
U.S.C.C.A.N. 2479, at 2488 (1986) (stating that §§ 1030(a)(3) and
(a)(5) “will be aimed at ‘outsiders’”).
Courts have therefore typically analyzed the scope of a
user’s authorization to access a protected computer on the basis of
the expected norms of intended use or the nature of the
relationship established between the computer owner and the user.
Applying such an intended-use analysis, in United States v. Morris,
928 F.2d 504 (2d Cir. 1991), a case involving an invasive procedure
that prefigured modern portscanning, the Second Circuit held that
transmission of an internet worm designed “to demonstrate the
inadequacies of current security measures on computer networks by
exploiting . . . security defects” was sufficient to permit a jury
to find unauthorized access within the meaning of § 1030(a)(5)(A).
Morris, 928 F.2d at 505. The Morris court determined that conduct,
like “password guessing” or finding “holes in . . . programs,” that
uses computer systems not “in any way related to their intended
function” amounts to obtaining unauthorized access. Id. at 510;
7
see also Creative Computing v. Getloaded.com LLC, 386 F.3d 930 (9th
Cir. 2004)(internet site administrator’s misappropriation of login
names and passwords to obtain access to competitor’s website
violated CFAA); Theofel v. Farey-Jones, 359 F.3d 1066, 1074
(9th Cir.), cert. denied, 543 U.S. 813, 125 S. Ct. 48 (2004)(use of
an authorized third-party’s password by an outside hacker to gain
access to a mail server fell within “the paradigm of what
[Congress] sought to prohibit [under the Stored Communications
Act]”); EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 582
n.10 (1st Cir. 2001)(mentioning in dicta the district court’s
observation of a “default rule” that conduct is unauthorized for
§ 1030 purposes “if it is not in line with reasonable expectations
of the website owner and its users”)(internal quotation marks
omitted).
Phillips’s brute-force attack program was not an intended
use of the UT network within the understanding of any reasonable
computer user and constitutes a method of obtaining unauthorized
access to computerized data that he was not permitted to view or
use. During cross-examination, Phillips admitted that TXClass’s
normal hourly hit volume did not exceed a few hundred requests, but
that his brute-force attack created as many as 40,000. He also
monitored the UT system during the multiple crashes his program
caused, and backed up the numerical ranges of the Social Security
numbers after the crashes so as not to omit any potential matches.
Phillips intentionally and meticulously executed both his intrusion
8
into TXClass and the extraction of a sizable quantity of
confidential personal data. There was no lack of evidence to find
him guilty of intentional unauthorized access.
Phillips makes a subsidiary argument that because the
TXClass website was a public application, he, like any internet
user, was a de facto authorized user. In essence, Phillips
contends that his theft of other people’s data from TXClass merely
exceeded the preexisting generic authorization that he maintained
as a user of the World Wide Web, and he cannot be considered an
unauthorized user under § 1030(a)(5)(A)(ii).
This argument misconstrues the nature of obtaining
“access” to an internet application and the CFAA’s use of the term
“authorization.” While it is true that any internet user can
insert the appropriate URL into a web browser and thereby view the
“TXClass Administrative Training System” log-in web page, a user
cannot gain access to the TXClass application itself without a
valid Social Security number password to which UT has affirmatively
granted authorization.4 Neither Phillips, nor members of the
4
Phillips’s contention that an individual’s ability to view
TXClass’s log-in webpage amounts to a general grant of authorized
access to the public-at-large is unsupported by various judicial
interpretations of what constitutes obtaining access to a
protected computer. See, e.g., State v. Allen, 917 P.2d 848
(Kan. 1996)(under Kansas computer crime statute, until a computer
user proceeds beyond introductory banners and log-in screens by
use of a password, he has not accessed the program); State v.
Riley, 846 P.2d 1365 (Wash. 1993)(en banc)(attempted entry into
computer using randomly generated passwords is not access until a
successful password is found allowing entry); see also Role
Models, Inc. v. Jones, 305 F. Supp. 2d 564 (D. Md. 2004)(mere
9
public, obtain such authorization from UT merely by viewing a
log-in page, or clicking a hypertext link. Instead, courts have
recognized that authorized access typically arises only out of a
contractual or agency relationship.5 While Phillips was authorized
to use his UT email account and engage in other activities defined
by UT’s acceptable computer use policy, he was never authorized to
access TXClass. The method of access he used makes this fact even
more plain. In short, the government produced sufficient evidence
at trial to support Phillips’s conviction under
§ 1030(a)(5)(A)(ii).
B. Constructive Amendment of the Indictment
For the first time on appeal, Phillips alleges as error
that the district court constructively amended his indictment in
receipt of information from a protected computer is not
equivalent to obtaining access under CFAA).
5
See, e.g., Int’l Airport Ctrs. LLC v. Citrin, 440 F.3d 418
(7th Cir. 2006)(authorized access to company computer terminated
when employee violated employment contract); EF Cultural Travel
BV v. Explorica, Inc., 274 F.3d 577 (1st Cir.
2001)(confidentiality agreement defined authorized access to
travel company’s computerized pricing information); United States
v. Czubinski, 106 F.3d 1069 (1st Cir. 1997)(employer assignment
of a confidential password created authorization); Pac. Aerospace
& Elecs., Inc., 295 F. Supp. 2d 1188 (E.D. Wash. 2003)(former
employees’ unauthorized access in violation of confidentiality
and employment agreements merited imposition of preliminary
injunction); Shurgard Storage Ctrs., Inc. v. Safeguard Self-
Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000)(employees
not authorized to obtain proprietary information from former
employer because agency relationship had terminated);
YourNetDating, Inc. v. Mitchell, 88 F. Supp. 2d 870 (N.D. Ill.
2000)(programmer’s hacking of former employer’s dating service
website that redirected users to a pornographic website was
unauthorized access and merited temporary restraining order).
10
its jury instructions. The district court charged the jury based
on the Government’s proposed instruction and a modified version of
the Eleventh Circuit’s Criminal Pattern Jury Instruction 42.3 that
adopts language from §§ 1030(a)(5)(A)(i) and (B)(i). Subsec-
tion (i) punishes an individual who “knowingly causes the trans-
mission of a program . . . to a protected computer.” Phillips was
indicted, however, not for knowingly transmitting a program under
§ 1030(a)(5)(A)(i), but for intentionally accessing a protected
computer under § 1030(a)(5)(A)(ii). As Phillips did not object to
the instruction at trial, we review this disparity between the
indictment and jury charge for plain error. United States v.
Bieganowski, 313 F.3d 264, 287 (5th Cir. 2002)(constructive
amendment claims raised for the first time on appeal reviewed for
plain error).
Phillips asserts that the deviation between the terms of
the charged offense and the language of the jury instruction was
plain and adversely affected his substantial rights in two ways.
First, the jury instruction impermissibly reduced the Government’s
burden of proof by not requiring the jury to find that he
intentionally accessed TXClass without authorization, but instead
only that he transmitted a program without authorization. Second,
Phillips claims that while § 1030(a)(5)(A)(ii) requires the
Government to prove that he “intentionally” accessed a protected
computer without authorization, the instruction required the jury
to find only that Phillips “knowingly” caused the transmission of
11
a program, not that he knowingly did so without authorization. Put
otherwise, Phillips argues that since § 1030(a)(5)(A)(ii)’s
scienter element applies to both the phrase “causes the
transmission” and “without authorization,” the district court erred
in submitting an instruction in which the scienter element applied
only to the act of transmitting a program.
Constructive amendment of an indictment occurs when the
trial court “through its instructions and facts it permits in
evidence, allows proof of an essential element of the crime on an
alternative basis provided by the statute but not charged in the
indictment.” United States v. Slovacek, 867 F.2d 842, 847 (5th
Cir.), cert. denied, 490 U.S. 1094, 109 S. Ct. 2441 (1989)(citing
Stirone v. United States, 361 U.S. 212, 215-19, 80 S. Ct. 270, 272-
74 (1960)). In evaluating whether constructive amendment has
occurred, we consider “whether the jury instruction, taken as a
whole, is a correct statement of the law and whether it clearly
instructs jurors as to the principles of law applicable to the
factual issues confronting them.” United States v. Guidry,
406 F.3d 314, 321 (5th Cir. 2005) (internal quotation marks
omitted).
With respect to Phillips’s first argument, the district
court’s instruction plainly modified an essential element of the
charged offense by supporting the act of accessing a protected
computer under subsection (ii) on the basis of transmitting a
program under subsection (i). See, e.g., United States v. Reyes,
12
102 F.3d 1361 (5th Cir. 1996) (jury instruction permitting
conviction based on proof of conspiracy to possess with the intent
to distribute marijuana constructively amended indictment that
charged not conspiracy, but the substantive offense itself). This
was a classic constructive amendment. Why the Government
overlooked the inconsistency between the statutory provision cited
in the indictment and the provision described in the jury charge is
a mystery.
We nonetheless find no reversible plain error with
respect to the transmission/access discrepancy. Phillips gained
access to TXClass by the act of transmitting the brute-force attack
program. The factual predicates for Phillips’s particular
conviction under the jury charge and the indictment — knowingly
transmitting a program and intentionally accessing a protected
computer — are identical. There is no conceivable basis upon which
the jury could have concluded that Phillips transmitted the program
and obtained information from UT’s database without having also
accessed a protected computer. The instruction on this element of
the charged offense, although incorrect, was immaterial.
Phillips’s second argument is that the indictment charged
him with “intentionally access[ing] a protected computer without
authorization,” while the jury instruction only required that he
“knowingly” transmitted the program.
We agree that the plain language of the statute, tracked
in the indictment, indicates that the actus reus was the
13
intentional unauthorized access of a protected computer. In fact,
the 1986 amendment to § 1030(a)(5) changed the scienter requirement
from “knowingly” to “intentionally” because of Congress’s concern
that the “knowingly” standard “might be inappropriate for cases
involving computer technology.”6 See S. REP. NO. 99-432, at 5, as
reprinted in 1986 U.S.C.C.A.N. 2479, 2483 (1986); Morris, 928 F.2d
at 507.7
The district court instructed the jury that to convict,
it must find that Phillips “knowingly caused the transmission of a
program” and that he “so acted without the authorization” of
appropriate persons or entities. This instruction, as Phillips
contends, does not fully convey that the jury must find that
Phillips intentionally acted without authorization. However, as
discussed above in the context of his sufficiency claim, the
evidence leaves no doubt that Phillips knew he was unauthorized to
transmit an invasive computer program designed to gain access to
the TXClass system and to steal thousands of Social Security
numbers. It beggars belief that, having transmitted such a
6
Discussion of the changes to the scienter elements of
§ 1030 in the Senate report focused on § 1030(a)(2), but the same
alteration of “knowingly” to “intentionally” was made to
§ 1030(a)(5)(A)(ii) and the report explicitly states that “[t]he
‘intentional’ standard [in new subsection § 1030(a)(5)] is the
same as that employed in Section 2(a)(1) and 2(b)(1) of the
bill.” S. REP. NO. 99-432, at 10 (1986), as reprinted in 1986
U.S.C.C.A.N. 2479, 2488 (1986).
7
Compare §§ 1030(a)(5)(A)(i) and (ii), with § 1030(a)(1),
which criminalizes the act of knowingly “exceed[ing] authorized
access,” without a requirement of intentional conduct.
14
program, Phillips did not intend to access a protected computer and
that he access be unauthorized.8 To the extent the jury
instructions were wrong, the errors did not affect Phillips’s
substantial rights. See Bieganowski, supra.
C. Lesser-Included Offense Instruction
Phillips next contends that the district court improperly
failed to instruct the jury on a lesser-included offense under
§ 1030(a)(5)(A)(iii), which is a misdemeanor.9 Phillips’s counsel
actually raised this issue at trial, and the judge invited him to
submit relevant authority, but he did not pursue the claim further
or submit a proposed charge, and he failed to object to the jury
8
We note that, in any event, the district court rectified
its error in misstating the scienter requirement as applied to
Phillips’s access. The court instructed the jury that
“knowingly” means “that the act was done voluntarily and
intentionally, not because of mistake or accident.”
9
Section 1030(a)(5)(A)(ii) applies to whoever “intentionally
accesses a protected computer without authorization, and as a
result of such conduct recklessly causes damage . . . .” In
contrast, § 1030(a)(5)(A)(iii) does not contain a scienter
element with respect to causing damage following unauthorized
access, but applies to anyone who “intentionally accesses a
protected computer without authorization, and as the result of
such conduct, causes damage” irrespective of mens rea and of any
minimum damage requirement.
The differing degrees of culpability envisioned by
Congress for the two subsections are reflected in the punishments
Congress allotted to their violation. According to
§ 1030(c)(2)(A), violation of subsection (a)(5)(A)(iii), i.e.,
intentional unauthorized access and subsequent damage however
caused, is a Class A misdemeanor punishable by a fine or
imprisonment not exceeding one year, or both. See 18 U.S.C.
§ 3559(a)(6). Subsection (a)(5)(A)(ii), however, is a Class E
felony, see 18 U.S.C. § 3559(a)(5), punishable by fine,
imprisonment not exceeding five years, or both. § 1030(c)(4)(B).
15
charge. That defense counsel remained aware of the distinction
between the mens rea requirements in the charged offense and the
lower standard of conduct and damage betokened in the misdemeanor
offense is clear from his closing argument; he observed that
Phillips must be shown to have acted “recklessly” rather than with
negligence.
We construe this train of events as a waiver of the
argument Phillips now urges. Waiver is an “affirmative choice by
the defendant to forego any remedy available to him, presumably for
real or perceived benefits.” United States v. Dodson, 288 F.3d
153, 160 (5th Cir. 2002); see also United States v. Olano,
507 U.S. 725, 113 S. Ct. 1770 (1993)(waiver is the intentional
relinquishment of a known right). The known right here was the at
least arguable right to obtain a lesser-included offense
instruction for a misdemeanor. The perceived benefit lay in
counsel’s strategic decision to pursue full acquittal if he could
persuade the jury that Phillips hadn’t recklessly caused damage.
The judicial system can self-correct only if counsel voices an
objection clearly at the proper time in the proceedings. Dropping
hints as to a trial court’s error, and awaiting the trial outcome
to pursue the objection further, is inconsistent with counsel’s
duty of candor and clarity. This objection was waived. See United
States v. Salerno, 108 F.3d 730, 740 (7th Cir. 1997)(defendant’s
“lack of request for such an instruction coupled with his
16
affirmative acceptance of the court’s final jury instructions
demonstrates that he intentionally relinquished his known right”).
D. Restitution Award
Finally, Phillips contends that the district court erred
in its award of restitution for costs incurred by UT in conducting
a computer damage and systems evaluation and contacting individuals
whose biographical information and Social Security numbers were
stolen. Since Phillips raises this issue for the first time on
appeal, we review the award for plain error. United States v.
Garza, 429 F.3d 165, 169 (5th Cir. 2005). There is no error at
all.
A defendant sentenced under provisions of the Mandatory
Restitution to Victims Act (“MRVA”), 18 U.S.C. § 3663A, is
responsible for providing restitution only to victims who were
directly and proximately harmed by the conduct underlying the
offense for which he was convicted. See 18 U.S.C. § 3663A(a)(2);
United States v. Griffin, 324 F.3d 330, 368 (5th Cir. 2003). The
MRVA applies to cases in which an identifiable victim has suffered
“pecuniary loss,” see 18 U.S.C. § 3663A(c)(1)(B), and expressly
permits reimbursement of victims for “expenses incurred during
participation in the investigation or prosecution” of the predicate
offense. See § 3663A(b)(4).
Relying on United States v. Schinnell, 80 F.3d 1064 (5th
Cir. 1996), Phillips asserts that restitution of money spent by UT
17
in contacting the victims of his electronic intrusions is barred by
§ 3663A(b)(1), a provision that precludes an award of
“consequential damages.” Schinnell, 80 F.3d at 1070-71;10 see also
United States v. Onyiego, 286 F.3d 249, 256 (5th Cir.
2002)(district court award of restitution for legal fees victim
incurred in defending collection actions caused by defendant’s
crime barred by § 3663A(b)(1)).
Schinnell’s reasoning is inapplicable to the instant
case. First, Schinnell involved a separate restitutionary
provision, while § 3663A(b)(4), applicable here, explicitly
authorizes restitution of expenses “incurred during participation
in the investigation or prosecution of the offense.” UT was a
victim, and it collaborated with the investigation and incurred
costs to notify other victims of Phillips’s data theft in order to
determine whether they had suffered further damage.
Second, Schinnell involved a violation of § 1343, the
federal wire fraud statute, not § 1030(a)(5)(ii). The CFAA, unlike
§ 1343, precisely defines the nature of the loss resulting from
10
Section 3663A(b)(1) applies to “offense[s] resulting in
damage to or loss or destruction of property” and limits
restitution to either the return of the property, or if return is
impossible, impracticable, or inadequate, to the greater of the
value of the property on the date of the loss or its value at
sentencing. Schinnell involved interpretation of § 3663(b)(1) of
the Victim and Witness Protection Act, 18 U.S.C. § 3663, which is
identical to the MRVA’s § 3663A(b)(1). See Schinnell, 80 F.3d at
1070.
18
unauthorized access of a protected computer that Congress sought to
remedy:
[T]he term “loss” means any reasonable cost to any
victim, including the cost of responding to an offense,
conducting a damage assessment, and restoring the data,
program, system, or information to its condition prior to
the offense, and any revenue lost, cost incurred, or
other consequential damages incurred because of
interruption of service . . . .
§ 1030(e)(11); see also S. REP. NO. 99-432, at 11, as reprinted in
1986 U.S.C.C.A.N. 2479, 2488-89 (1986). Schinnell is based on a
wholly distinguishable statutory framework.
III. CONCLUSION
For the foregoing reasons, the conviction and sentence
are AFFIRMED.
19
United States v. Phillips
Court: Court of Appeals for the Fifth Circuit
Date filed: 2007-01-24
Citations: 477 F.3d 215
Copy Citations